Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:00 am
by jaysona
McBride wrote: Fri Apr 23, 2021 4:50 am There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.
I'm angry too, and all the power to you to pursue this. I just don't think it'll go anywhere and end up just costing a lot of money and wasting time.

Gross Negligence generally involves the health and safety of an individual. I fail to see how Qlocker has any sort of direct impact on a person's health and safety.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:01 am
by saturdaynightyay
There is another solution you can try to recover the deleted files: https://www.bleepingcomputer.com/forums ... ?p=5171464

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:04 am
by Fly100
I'm guessing we have asked the question: all the victims don't have the same password, do they?

Happy to share mine.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:06 am
by dolbyman
Was already discussed in the bleepingcomputer thread, passwords are unique.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:07 am
by Fly100
saturdaynightyay wrote: Fri Apr 23, 2021 4:17 am fly100, so you log on to SSH and type those 3 commands (1 for each line) in order?

After entering line 1 I get:

-sh: dir: command not found :ashamed:

Ah, it looks like it's a DOS command, I should try it from PC

Cheers
Create a new txt document on your PC and paste those lines into it, then save it as Fixme.bat. Copy it into the dir where the .7z files are and it will unzip them. Replace the p******** with your password, keeping the p.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:10 am
by syncthing
McBride wrote: Fri Apr 23, 2021 4:50 am There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.
You will face many problems and maybe just lose money.
Just out of curiosity, where can the licence agreement for QTS be found?
But I am pretty sure it is something like you use it at your own risk and there is no liability for anything.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:11 am
by saturdaynightyay
Thanks fly, but it doesn't really work for me.

Batch file either freezes like it's doing something or flashes on and off for a second.

Sometimes it does a few files but didn't really get anywhere.

We need an SSH guru to give us some commands to run on the NAS itself (similar to what the hacker did, only reversed).

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:15 am
by phr34k
Could someone please explain which bitcoin site I can use to buy bitcoins so I can pay these guys? I have tried 2-3 different bitcoin services but they don't permit me to send the money to an address.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:16 am
by jbennett360
Someone on Reddit mentioned that they have stuff syncing with OneDrive via HBS and it was OneDrive that flagged they may be a victim of ransomware (presumably after a sync that uploaded a load of .7z and readme.txt files); that's how they found out they'd been hit.

I guess it's good in a way that MS are doing that?

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:18 am
by jaysona
syncthing wrote: Fri Apr 23, 2021 5:10 am
You will face many problems and maybe just lose money.
Just out of curiosity, where can the licence agreement for QTS be found?
But I am pretty sure it is something like you use it at your own risk and there is no liability for anything.
There is an agreement that is presented upon the first login to the QTS admin webpage, I am not sure how to access it again, but I am sure it can be found on the NAS somewhere, if anyone cares to go looking for it.

There is one posted on the website as well, I am just not certain if the two are the same.
https://www.qnap.com/en/before_buy/con_ ... one&cid=14

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:19 am
by Fly100
saturdaynightyay wrote: Fri Apr 23, 2021 5:11 am Thanks fly, but it doesn't really work for me.

Batch file either freezes like it's doing something or flashes on and off for a second.

Sometimes it does a few files but didn't really get anywhere.

We need an SSH guru to give us some commands to run on the NAS itself (similar to what the hacker did, only reversed).

Message me on Skype, I'll be online for another 20 mins or so.

Fly 100 < user name.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:21 am
by syncthing
jaysona wrote: Fri Apr 23, 2021 5:18 am There is an agreement that is presented upon the first login to the QTS admin webpage, I am not sure how to access it again, but I am sure it can be found on the NAS somewhere, if anyone cares to go looking for it.

There is one posted on the website as well, I am just not certain if the two are the same.
https://www.qnap.com/en/before_buy/con_ ... one&cid=14
This one I also found by a fast Google search, but I think it is for the use of their qnap.com website and services.

But searching more for it is for sure just a waste of time ...

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:41 am
by Toxic17
jaysona wrote: Fri Apr 23, 2021 5:18 am
There is an agreement that is presented upon the first login to the QTS admin webpage, I am not sure how to access it again, but I am sure it can be found on the NAS somewhere, if anyone cares to go looking for it.

There is one posted on the website as well, I am just not certain if the two are the same.
https://www.qnap.com/en/before_buy/con_ ... one&cid=14
There is an agreement for Hyperbackup too.

https://www.qnap.com/en/before_buy/con_ ... one&cid=29

Here is their get out of jail free card:
In no event shall QNAP, its affiliates, or any of their respective officers, shareholders, employees, contractors, or the publisher be liable for any special, direct, indirect, consequential, incidental, punitive or other damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, loss of data, loss of use or equipment or facilities, loss of any other economic advantage or loss of other profits) arising out of or in connection with the availability or performance of this Software Product.
However, stating this means they will lose customers by the 1000s as they have lost the trust of their software.

QNAP need to be more transparent, NOW.

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 5:55 am
by MaxSh4doW
Can someone share his 7z bin file with me or explain to me how to find the original?
Without the original I can't update app nor firmware :(

Because I've launched this command 2 times:

cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
Thx in advance
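
A guarded form of the swap above, as an added example that is not part of the original post or any QNAP tooling: it refuses to overwrite an existing 7z.bak, so a second run cannot replace the saved binary with the wrapper. The function names and the overridable directory and log arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: install the argument-logging 7z wrapper idempotently.
# Directory and log default to the paths in the post; override them to test.

is_wrapper() {
    # A shell wrapper begins with "#!"; a real 7z binary does not.
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

install_wrapper() {
    sbin=${1:-/usr/local/sbin}
    log=${2:-/mnt/HDA_ROOT/7z.log}
    [ -f "$sbin/7z" ] || { echo "no 7z in $sbin" >&2; return 2; }
    if is_wrapper "$sbin/7z"; then
        echo "wrapper already installed, nothing to do" >&2
        return 0
    fi
    if [ -e "$sbin/7z.bak" ]; then
        echo "refusing to overwrite existing $sbin/7z.bak" >&2
        return 1
    fi
    # Save the original first, then swap the wrapper in with a single rename.
    cp -p "$sbin/7z" "$sbin/7z.bak" || return 1
    printf '#!/bin/sh\necho "$@" >> "%s"\nsleep 60000\n' "$log" > "$sbin/7z.new"
    chmod +x "$sbin/7z.new"
    mv "$sbin/7z.new" "$sbin/7z"
}

restore_original() {
    sbin=${1:-/usr/local/sbin}
    # Only restore when the backup is a real binary, not a clobbered wrapper.
    if [ -f "$sbin/7z.bak" ] && ! is_wrapper "$sbin/7z.bak"; then
        mv "$sbin/7z.bak" "$sbin/7z"
    else
        echo "7z.bak is missing or is itself the wrapper; original not recoverable from it" >&2
        return 1
    fi
}
```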

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Posted: Fri Apr 23, 2021 6:00 am
by Razorblade
Face reality, there's no hope for a solution. The password is 32 chars long so no bruteforce is possible.
If you're lucky and a 7zip process is still running, you can get the password from it, but chances are small.

Jack Cable found out that by paying for one, several passwords could be retrieved because of a bug on the criminals' onion webpage (messing with the Bitcoin transaction ID and upper/lower case chars). But it was fixed real quick.

The only thing to be tried is the PhotoRec application. But in my case photos were not the main file sets.

I can sadly say that paying to the Bitcoin address works, the onion webpage shows your password. :(

Also, two suspicious files exist in the filesystem:

/root/re.sh
/mnt/ext/opt/apps/backup.php
They seem to be a snapshot remover and a PHP exploit.

Regards.
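
The two checks described in this post, as an added example that is not from the thread: read the -p switch from the command line of a still-running 7z process, and test for the two file paths listed. The function names and the overridable root arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for a NAS that may still be mid-encryption.
# Usage on the NAS (as admin): find_7z_passwords; find_suspicious_files

# Print "PID PASSWORD" for each process that is 7z (or a shell running a
# script named 7z) and was started with a -p<password> switch.
# $1 is the proc root, default /proc.
find_7z_passwords() {
    proc=${1:-/proc}
    for f in "$proc"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f%/cmdline}
        pid=${pid##*/}
        # cmdline is NUL-separated; emit one argument per line for awk.
        tr '\0' '\n' < "$f" | awk -v pid="$pid" '
            hit && /^-p./ { print pid, substr($0, 3); exit }
            NR <= 2 && /(^|\/)7z$/ { hit = 1 }'
    done
    return 0
}

# Print whichever of the paths named in the post exist.
# $1 is an optional filesystem root prefix, default empty (the live system).
find_suspicious_files() {
    root=${1:-}
    for p in /root/re.sh /mnt/ext/opt/apps/backup.php; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
        fi
    done
    return 0
}
```

If a password is printed, record it before doing anything that could end the process, such as a reboot.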