Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:03 am
by saturdaynightyay
jonezed7 wrote: Fri Apr 23, 2021 3:57 am Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.
I doubt it, mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:04 am
by Fly100
saturdaynightyay wrote: Fri Apr 23, 2021 3:41 am
Fly100 wrote: Fri Apr 23, 2021 3:22 am
dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
for /F "delims=" %%x in (allzips.txt) do del "%%x"

A guy earlier in the thread wrote this gem. Thank you, Sir :-) Well played. Could anyone offer advice on it, please? I can only get it to work if I put the BAT file in the same dir as the 7z files; it won't then do any of the subdirs in the main dir.

Thank you again to the gent that wrote it.

Hero.

FLY
Yes, it would be good to get a script that will do everything. Also, if you could specify which folder to run the script from?

Cheers
Well, I have no idea why, but it's now working. Must be my end. Doh.
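
Added example (not part of any forum post, and not QNAP's or 7-Zip's code): the batch file quoted above deletes each archive whether or not extraction succeeded. This Python script takes the root folder as an argument, recurses into subfolders, and deletes an archive only on request and only after a clean test and extract; the function names and the SEVEN_ZIP environment variable are assumptions, and the 7z binary is assumed to be on PATH.

```python
import os
import subprocess
import sys
from pathlib import Path

# Assumption: the 7-Zip command-line binary is reachable as "7z" (override via SEVEN_ZIP).
SEVEN_ZIP = os.environ.get("SEVEN_ZIP", "7z")


def run_7z(args):
    """Run 7-Zip with the given arguments and return its exit code (0 = no errors)."""
    return subprocess.run([SEVEN_ZIP, *args], stdout=subprocess.DEVNULL).returncode


def restore_tree(root, password, runner=run_7z, delete=False):
    """Extract every .7z under root next to itself and return {archive: status}."""
    results = {}
    for archive in sorted(Path(root).rglob("*.7z")):
        # "t" verifies the archive with this password before anything is written.
        if runner(["t", f"-p{password}", str(archive)]) != 0:
            results[str(archive)] = "test-failed"
            continue
        # "-aos" skips files that already exist rather than overwriting them.
        code = runner(["x", f"-p{password}", f"-o{archive.parent}",
                       "-aos", "-y", str(archive)])
        if code != 0:
            results[str(archive)] = "extract-failed"
            continue
        if delete:
            archive.unlink()  # only reached after a clean test and extract
        results[str(archive)] = "restored"
    return results


if __name__ == "__main__":
    # Usage: python restore.py <root-folder> <password>
    for path, status in restore_tree(sys.argv[1], sys.argv[2]).items():
        print(status, path)
```

The password passed with -p is visible in the process list while 7z runs, so run this on a machine you control.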

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:17 am
by saturdaynightyay
Fly100, so you log on to SSH and type those 3 commands (1 for each line) in order?

After entering line 1 I get:

-sh: dir: command not found :ashamed:

Ah, it looks like it's a DOS command, I should try it from a PC

Cheers

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:29 am
by jaysona
McBride wrote: Fri Apr 23, 2021 3:30 am That’s called gross negligence and can have legal consequences.


Austria est imperare orbi universo
You would think so, but that is not the case. Read the software license and usage agreement you accept when you use the NAS. You effectively agree to an as-is use of the software and QNAP provides no guarantees about its software.

I have had numerous "discussions" with "software engineers" that I know and have told more than a few that if they were civil engineers, they would be in jail for gross negligence. The issue is that software people (aside from certain Aerospace applications) have absolutely no legal obligations whatsoever when it comes to software code robustness.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:32 am
by Felgenklarlack
Same Problem here :-(

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:34 am
by jonezed7
saturdaynightyay wrote: Fri Apr 23, 2021 4:03 am
jonezed7 wrote: Fri Apr 23, 2021 3:57 am Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.
I doubt it, mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.
I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:35 am
by saturdaynightyay
In Control Panel, then Security, you can set it to block them after X number of failed login attempts.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:37 am
by phr34k
So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean, does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:38 am
by jaysona
jonezed7 wrote: Fri Apr 23, 2021 4:34 am
I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.
Time to disable port forwarding to the QTS admin webpage of your NAS, it will eventually get compromised.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:47 am
by saturdaynightyay
phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean, does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
Password is 32 characters. I am guessing brute force would take forever.

Try this (from another website - I have not tried it):
Hey guys,

unfortunately, my NAS was also affected. But don't worry, I have a solution. ;)

You can use the following software to restore your data from the disks.

https://www.cgsecurity.org/wiki/TestDisk_Download

First you have to connect via ssh to your NAS and you have to install the tool from the link, it's called PhotoRec. Then you have to mount a local disk from your machine, you can use Samba to mount a disk from Windows to the NAS.

Supported file systems:
FAT, NTFS, exFAT, ext, HFS+

How does it work?
The tool can restore deleted files from the disk. All deleted files are still present, but the location of the first data block is removed. The tool can scan all sectors of the disk and can restore a lot of files. With a little bit of luck the tool can restore all files.

My program has been running for one hour, and I have restored 18k files already. :) A lot of my vacation pictures are already back.

If you have any technical questions you can contact me here in the forum or also via mail at security@received.eu.

It is not the best solution, but with luck you can restore your files and you have to pay nothing.

Regards and good luck,
MAI2VIN
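
Added example (not from the quoted message and not PhotoRec's code): a simplified signature-based carver showing why deleted files can still be found once their filesystem metadata is gone. It handles only contiguous JPEG-like data at sector boundaries in a constructed in-memory image; the function names, the 512-byte sector size and the sample bytes are assumptions.

```python
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker and first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker
SECTOR = 512                # assumed sector size for the constructed image


def carve_jpegs(image, sector=SECTOR, max_size=20 * 1024 * 1024):
    """Return [(offset, data)] for JPEG-like runs that start on a sector boundary.

    Only raw content is examined, never directory entries or inodes, so a file
    whose metadata was removed is still found as long as its blocks are intact.
    """
    found = []
    pos = 0
    while pos < len(image):
        if image[pos:pos + 3] == JPEG_SOI:
            # Simplification: stop at the first EOI. Real JPEGs with embedded
            # thumbnails or fragmented blocks need structure-aware parsing.
            end = image.find(JPEG_EOI, pos + 3, pos + max_size)
            if end != -1:
                end += len(JPEG_EOI)
                found.append((pos, image[pos:end]))
                pos = -(-end // sector) * sector  # next sector boundary
                continue
        pos += sector
    return found


def build_sample_image():
    """Constructed sample: two 'deleted' JPEG-like files around unrelated data."""
    def pad(data):
        return data + b"\x00" * (-len(data) % SECTOR)
    first = JPEG_SOI + b"\xe0" + b"A" * 700 + JPEG_EOI
    second = JPEG_SOI + b"\xe0" + b"B" * 100 + JPEG_EOI
    other = b"7z\xbc\xaf\x27\x1c" + b"\x11" * 300  # 7z signature, not a JPEG
    image = pad(b"\x00" * SECTOR) + pad(first) + pad(other) + pad(second)
    return image, first, second


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, data in carve_jpegs(image):
        print(f"offset {offset}: {len(data)} bytes")
```

Blocks that have been overwritten since deletion cannot be carved, which is why the quoted message writes the recovered files to a different disk.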

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:49 am
by dolbyman
phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean, does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
For a bruteforce attack you are looking at some very bleak numbers
[Attached image: time_calc.png]
You can either wait for an exploit attack or if anyone captures the key server.. if the server gets taken down and passwords are not made public you go back to the above calculation chart

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:49 am
by phr34k
saturdaynightyay wrote: Fri Apr 23, 2021 4:47 am
phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean, does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
If process has finished then just pay the ransom, password is 32 characters. I am guessing brute force would take forever.
I'm definitely thinking about paying, but I don't know which Bitcoin service to use so I can "send" them their money. I have never dealt with BTC, and I tried Revolut but they don't allow me to send money to an address

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:50 am
by McBride
jaysona wrote: Fri Apr 23, 2021 4:29 am
McBride wrote: Fri Apr 23, 2021 3:30 am That’s called gross negligence and can have legal consequences.


Austria est imperare orbi universo
You would think so, but that is not the case. Read the software license and usage agreement you accept when you use the NAS. You effectively agree to an as-is use of the software and QNAP provides no guarantees about its software.

I have had numerous "discussions" with "software engineers" that I know and have told more than a few that if they were civil engineers, they would be in jail for gross negligence. The issue is that software people (aside from certain Aerospace applications) have absolutely no legal obligations whatsoever when it comes to software code robustness.
There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:51 am
by saturdaynightyay
phr34, I have used Paxful in the past for Bitcoin, it seemed straightforward enough

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 4:58 am
by dolbyman
McBride wrote: Fri Apr 23, 2021 4:50 am There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.
Good luck.. that is not QNAP's first crypto malware attack rodeo ... and they are still around

https://www.zdnet.com/article/cisa-says ... h-malware/
https://www.bleepingcomputer.com/news/s ... s-devices/
etc