README_FOR_DECRYPT.txtt

jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

Malware of 2020/21 is orders of magnitude more resilient, robust and sophisticated compared to malware circa 2015/16.

You have not stated which malware type and strain you are asking about decrypting, so no one can suggest a tool (if one even exists) to try.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
anhedonic
First post
Posts: 1
Joined: Fri May 07, 2021 4:07 am

Re: README_FOR_DECRYPT.txtt

Post by anhedonic »

If you got to this thread by googling "readme for decrypt qnas" or some such thing, make sure you read the notice that is pinned to the top of the message board. Qnap claims that you can retrieve the decryption key as long as the nas is not shut down or rebooted.

viewtopic.php?f=45&t=160886
Jooki
Getting the hang of things
Posts: 50
Joined: Tue Jan 12, 2016 5:09 pm

Re: README_FOR_DECRYPT.txtt

Post by Jooki »

pavelh wrote: Sun Mar 21, 2021 9:25 pm Still, how come that despite QNAP Malware Remover being installed and active, 100s of thousands of data files got hacked?
It seems that QNAP is a lot less secure compared to an ordinary PC with antivirus - unbelievable ...!!!!
As an IT professional, you're the kind of customer that makes me wanna make your kind pass a course before coming close to any computer.

You remind me of that customer that came one day: "this **, I opened Internet Explorer and there was this thing saying that I was the customer 1.000.000 and that I just won a limo with prostitutes, so I clicked to receive my gift and now you're saying that it is my fault????"

Best antivirus, mate, is no antivirus and knowing what you're actually doing.

Any NAS is an advanced piece of IT equipment, so if you don't have advanced sysadmin knowledge you risk ** up big time. I have had my QNAP exposed to the internet since 2015 and so far so good, and I could even increase its security... but who cares, I don't even use it as a last resort.

Cheerios o/
T-Phunk
Starting out
Posts: 12
Joined: Sat Jun 11, 2016 2:53 am

Re: README_FOR_DECRYPT.txtt

Post by T-Phunk »

Does anyone know if the solution provided in this article works?

https://www.pcrisk.com/removal-guides/1 ... ransomware
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

Jooki wrote: Fri May 07, 2021 10:20 pm As an IT professional, you're the kind of customer that makes me wanna make your kind pass a course before coming close to any computer.

You remind me of that customer that came one day: "this **, I opened Internet Explorer and there was this thing saying that I was the customer 1.000.000 and that I just won a limo with **, so I clicked to receive my gift and now you're saying that it is my fault????"

Best antivirus, mate, is no antivirus and knowing what you're actually doing.

Any NAS is an advanced piece of IT equipment, so if you don't have advanced sysadmin knowledge you risk ** up big time. I have had my QNAP exposed to the internet since 2015 and so far so good, and I could even increase its security... but who cares, I don't even use it as a last resort.

Cheerios o/
As a digital mercenary and security professional, you're the type of person that makes my work so easy to perform. ;)

Using computers, NASes, etc. should not require any sort of complex training; they should require about as much training to use, and be as secure, as a microwave oven. If our civil infrastructure were designed, engineered and built the same way software is, we would need a lot more cemeteries.

Software is designed to be functional, not secure - and that is the core of the problem. Secure systems are pretty much impossible to access using any practical means, but writing code for a secure system takes more time, which means more expense.

Standards exist all over the world for the design safety of pretty much everything that is physical - there are no standards for secure software design, aside from specific uses such as aerospace and nuclear applications.

The cybersecurity industry is a multi-billion dollar (~175 billion at my last check) industry and even though it is an industry that has provided me opportunities to make massive bank over the past 30-ish years, I firmly believe it is an industry that should not even exist as it does in its current form.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

T-Phunk wrote: Thu May 20, 2021 10:59 pm Does anyone know if the solution provided in this article works?

https://www.pcrisk.com/removal-guides/1 ... ransomware
Which malware variant are you asking about? The article you linked to was initially written about two years ago. Malware variants are updated all the time and with each variant update, procedures that may have worked with an earlier variant will not work on subsequent variants.

The most recent QLocker malware was updated mid campaign, so something that worked early in the QLocker campaign was rendered useless as the campaign progressed.
jeddeth
New here
Posts: 3
Joined: Fri Mar 26, 2021 3:39 am

Re: README_FOR_DECRYPT.txtt

Post by jeddeth »

Has anyone successfully restored their infected NAS to a clean firmware and wiped drives so they are comfortable using them again? If so, would you be willing to please post the steps you took or PM me? I hate staring at this expensive hunk of junk and not knowing what to do with it because I'm not sure how to go about wiping it properly.

Thank you!
shamz84
Starting out
Posts: 28
Joined: Wed Nov 28, 2012 7:42 pm

Re: README_FOR_DECRYPT.txtt

Post by shamz84 »

Hi all....I have just discovered I've been a victim of this hack.

It seems like my QNAP had been hacked on the 8th May...However, I had just noticed today when looking for some photos and noticed "README_FOR_DECRYPT.txtt" in every folder.

Is there anything else I can do to try and decrypt these files besides paying up...does anyone also know how my IP would have got into the hands of hackers?
dolbyman
Guru
Posts: 35022
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Just read the topic .. this is a broad attack based on portscans or existing lists sold by 3rd parties (e.g. shodan.io)

Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: README_FOR_DECRYPT.txtt

Post by Mousetick »

dolbyman wrote: Sat May 22, 2021 5:02 am Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
OneCD wrote: Sat May 22, 2021 7:00 am Also note the ability to pay the ransom was recently removed. So don’t bother. https://www.bleepingcomputer.com/news/s ... qnap-users
Looks like you're confusing this with QLocker. This thread is about another ransomware: eCh0raix :) which is still active and gets in by brute-forcing the admin password.
shamz84 wrote: Sat May 22, 2021 4:56 am Is there anything else I can do to try and decrypt these files besides paying up...does anyone also know how my IP would have got into the hands of hackers?
No decryption possible. Your IP was found because your NAS is accessible from the internet (via port(s) forwarded on your router, automatically with UPnP + myQNAPcloud or manually) and the NAS was breached because you used a weak admin password.

More info:
https://www.qnap.com/en/security-advisory/qsa-21-18
https://www.bleepingcomputer.com/forums ... ort-topic/
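Mousetick's diagnosis above (NAS reachable from the internet, admin account brute-forced) is the kind of pattern a defender can spot in authentication logs before the encryption starts, which is also what dolbyman means by catching the process in the act. The following is an added Python example, not code from QNAP or from anyone in this thread: the log format, IP addresses, user names and the threshold are all constructed for illustration and do not reflect the real QTS log format. It slides a time window over failed logins per source address and flags sources that exceed the threshold, noting whether that source later logged in successfully (the "weak password eventually guessed" case).

```python
"""Flag brute-force login attempts against an exposed NAS admin account.

Added illustration only (not QNAP's code or log format).  Lines are assumed
to be in chronological order, in the constructed format:
    <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one address hammers 'admin' and finally gets in,
# another fails slowly, a third is a normal successful login.
SAMPLE_LOG = """\
2021-05-08T02:14:01 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:02 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:03 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:04 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:05 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:06 FAIL user=admin src=203.0.113.7
2021-05-08T02:14:09 OK user=admin src=203.0.113.7
2021-05-08T02:20:00 FAIL user=admin src=198.51.100.4
2021-05-08T02:25:00 FAIL user=admin src=198.51.100.4
2021-05-08T02:30:00 FAIL user=admin src=198.51.100.4
2021-05-08T02:35:00 FAIL user=admin src=198.51.100.4
2021-05-08T02:40:00 FAIL user=admin src=198.51.100.4
2021-05-08T08:00:00 OK user=bob src=192.0.2.10
2021-05-08T08:00:01 this line is deliberately unparseable
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, succeeded, user, src) or None for lines that
    do not match the constructed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result == "OK", user, src


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src: {"failures": n, "users": set, "succeeded_after": bool}}
    for every source that produced >= threshold failed logins inside any
    window of `window_seconds`.  'failures' is that source's total failure
    count over the whole log, 'succeeded_after' is True if the same source
    logged in successfully after being flagged."""
    recent = defaultdict(deque)      # src -> timestamps of recent failures
    total_failures = defaultdict(int)
    users_seen = defaultdict(set)
    flagged = {}

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines rather than crash
        ts, ok, user, src = parsed
        if ok:
            if src in flagged:
                flagged[src]["succeeded_after"] = True
            continue
        total_failures[src] += 1
        users_seen[src].add(user)
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(src, {"succeeded_after": False})

    for src, entry in flagged.items():
        entry["failures"] = total_failures[src]
        entry["users"] = set(users_seen[src])
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        state = "LATER SUCCEEDED" if info["succeeded_after"] else "still failing"
        print(f"{src}: {info['failures']} failures on {sorted(info['users'])}, {state}")
```

With the defaults (5 failures within 60 seconds) only 203.0.113.7 is flagged, and it is marked as having succeeded afterwards, which is the case that matters most: the account is now compromised and the next step on a real NAS is to cut external access, rotate the credential and check for new processes, not just to block the address. Widening the window to an hour also catches the slow guesser at 198.51.100.4; the right window depends on how patient the attacker is willing to be versus how many alerts the operator can tolerate.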
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: README_FOR_DECRYPT.txtt

Post by OneCD »

Oh damn, yes I have confused the two. :oops:

Post deleted.

shamz84
Starting out
Posts: 28
Joined: Wed Nov 28, 2012 7:42 pm

Re: README_FOR_DECRYPT.txtt

Post by shamz84 »

Mousetick wrote: Sat May 22, 2021 7:44 am
dolbyman wrote: Sat May 22, 2021 5:02 am Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
OneCD wrote: Sat May 22, 2021 7:00 am Also note the ability to pay the ransom was recently removed. So don’t bother. https://www.bleepingcomputer.com/news/s ... qnap-users
Looks like you're confusing this with QLocker. This thread is about another ransomware: eCh0raix :) which is still active and gets in by brute-forcing the admin password.
shamz84 wrote: Sat May 22, 2021 4:56 am Is there anything else I can do to try and decrypt these files besides paying up...does anyone also know how my IP would have got into the hands of hackers?
No decryption possible. Your IP was found because your NAS is accessible from the internet (via port(s) forwarded on your router, automatically with UPnP + myQNAPcloud or manually) and the NAS was breached because you used a weak admin password.

More info:
https://www.qnap.com/en/security-advisory/qsa-21-18
https://www.bleepingcomputer.com/forums ... ort-topic/
I never enabled myQNAPcloud...that's why I was asking how it was found....I'm assuming they're bots just hitting up addresses to see what ports are open...to be honest I thought my password was quite secure..it was a mixture of upper and lower case with numbers and was 12 characters in length..
dolbyman wrote: Sat May 22, 2021 5:02 am Just read the topic .. this is a broad attack based on portscans or existing lists sold by 3rd parties (e.g. shodan.io)

Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
Yea, I thought as much....first time I've been done like that, or anyone I know....do they generally give you back the key or do they just take the money? Hence why I'm a bit reluctant to pay up.
Alireza
New here
Posts: 2
Joined: Sun Nov 20, 2016 11:09 pm

Re: README_FOR_DECRYPT.txtt

Post by Alireza »

I just realized I have this issue.
.encrypt and not the .7z ransomware

Is there any solution known? It's affecting my photo backups and MP3. Is there any other known issue?
Alireza
New here
Posts: 2
Joined: Sun Nov 20, 2016 11:09 pm

Re: README_FOR_DECRYPT.txtt

Post by Alireza »

Actually it's affecting much more... .pdf .exe .psd ... Basically years of work...
Weirdly the MP3s were fine despite the ransomware note being in the MP3 folders too.