README_FOR_DECRYPT.txtt

jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

matt@mdesignaz.com wrote: Tue Mar 30, 2021 12:05 am I've got the README_FOR_DECRYPT.txtt files in all of my folders, but my files are not encrypted.
Can I safely delete the README_FOR_DECRYPT.txtt files and run QNAP malware remover?
No idea, and I do not think anyone here can really answer that question. There is some level of malware on your device. This could be a new derivative that is not fully functional which is why your files are not encrypted, or the malware could be in the process of encrypting your files.

In either case, the only sure thing to do is wipe the drives, reinitialize the NAS and restore the data from backup.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: README_FOR_DECRYPT.txtt

Post by OneCD »

Has anyone confirmed this ransomware is actually running on the QNAP? Are the readme files outside the shared folders? :'

matt@mdesignaz.com
Starting out
Posts: 12
Joined: Sat Jan 26, 2013 5:50 am

Re: README_FOR_DECRYPT.txtt

Post by matt@mdesignaz.com »

OneCD wrote: Tue Mar 30, 2021 3:37 am Has anyone confirmed this ransomware is actually running on the QNAP? Are the readme files outside the shared folders? :'
Good question, where would they be found?
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: README_FOR_DECRYPT.txtt

Post by OneCD »

matt@mdesignaz.com wrote: Tue Mar 30, 2021 5:50 am Good question, where would they be found?
Any location that doesn't start with [/share] is "outside" the shares. ;)

There are a few that do start with [/share] and are also outside the shares, but let's keep it simple for now.

To access the root filesystem, you'll need to SSH into your NAS, or use something like WinSCP. Don't use QTS File Station, as it doesn't have access to the root filesystem. Same goes for clients attached to shares (naturally, they are restricted to shares-only).

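One way to run the check OneCD describes, as an added example that is not part of the original post or of any QNAP tool: a small POSIX shell script that lists every README_FOR_DECRYPT.txtt note it can find and says whether the note sits inside the shares (under /share, as the post states) or outside them. On a real NAS you would run it over SSH against `/`; here it runs against a constructed temporary tree so it works anywhere. The function names and the demo tree are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage helper that lists every
# README_FOR_DECRYPT.txtt note under <root> and says whether it sits inside
# the shares (<root>/share, per OneCD's post) or outside them. <root> is "/"
# on a real NAS over SSH; the demo below uses a constructed temporary tree.

# Print one line per note: "inside <path>" or "outside <path>".
classify_notes() {
    root="${1%/}"                       # "/" becomes "", "/x/" becomes "/x"
    find "${root:-/}" -type f -name 'README_FOR_DECRYPT.txtt' 2>/dev/null |
    while IFS= read -r path; do
        case "$path" in
            "$root/share/"*) echo "inside $path" ;;
            *)               echo "outside $path" ;;
        esac
    done
}

# Count notes found outside the shares. A non-zero count means the malware
# wrote to the root filesystem itself, not only to the mounted shares, which
# is the question OneCD raises.
count_outside() {
    classify_notes "$1" | grep -c '^outside '
}

# Constructed demo tree: two notes inside shares, one outside (under etc/).
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/share/Photos" "$root/share/Docs" "$root/etc/config"
    echo "note" > "$root/share/Photos/README_FOR_DECRYPT.txtt"
    echo "note" > "$root/share/Docs/README_FOR_DECRYPT.txtt"
    echo "note" > "$root/etc/config/README_FOR_DECRYPT.txtt"
    echo "$root"
}

DEMO_ROOT="$(make_demo_tree)"
classify_notes "$DEMO_ROOT"
echo "notes outside shares: $(count_outside "$DEMO_ROOT")"
```

Run it as `classify_notes /` on the NAS itself; any `outside` line is worth keeping with the rest of the evidence before the unit is wiped and reinitialised.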
VinceH
First post
Posts: 1
Joined: Thu Apr 01, 2021 3:54 pm

Re: README_FOR_DECRYPT.txtt

Post by VinceH »

Files on my QNAP251+ were encrypted (same message .txtt file) on 30th March. Similar to a previous post, I believe it occurred when I looked at photos.

Have posted for visibility, as maybe this variant is new.
rmigliac1961
New here
Posts: 2
Joined: Fri Apr 02, 2021 3:43 am

Re: README_FOR_DECRYPT.txtt

Post by rmigliac1961 »

My TS-219P+ was compromised on 3/28 and all my folders have been encrypted, with the README_FOR_DECRYPT.txtt files in each location. Very interesting observation: my system log shows an unknown program being installed shortly before this. The program is called System V0.1. See attached.

Luckily I backed up everything onto flash drives a few weeks ago, but still the question remains, how did they do this?
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Is your NAS WAN exposed? ... then you know how.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: README_FOR_DECRYPT.txtt

Post by Skwor »

rmigliac1961 wrote: Fri Apr 02, 2021 3:56 am My TS-219P+ was compromised on 3/28 and all my folders have been encrypted, with the README_FOR_DECRYPT.txtt files in each location. Very interesting observation: my system log shows an unknown program being installed shortly before this. The program is called System V0.1. See attached.

Luckily I backed up everything onto flash drives a few weeks ago, but still the question remains, how did they do this?
Check your logs for admin access from an IP outside of your lan/wan. I am guessing someone used your generic admin account to log in and install the package.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
Duckman33
New here
Posts: 5
Joined: Thu Dec 06, 2012 12:43 pm

Re: README_FOR_DECRYPT.txtt

Post by Duckman33 »

Just found out I have gotten hacked too. Same xxx.txtt files in all folders. But only seems to have encrypted picture, txt/doc and zip files. None of my movies or TV shows got encrypted. No executables got encrypted. Also found that System V0.1 file was installed by the system via app center. No clue how they got in because my NAS is not exposed to the internet. Happened on the 23rd of March.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Sure UPnP is not active? Exposing your NAS without knowledge.
groundhogrdg
New here
Posts: 3
Joined: Fri Dec 14, 2012 3:46 pm

Re: README_FOR_DECRYPT.txtt

Post by groundhogrdg »

Mine has been infected too, on March 28th.
Seems all documents, archives and images have been encrypted.
MP4s and MP3s have not been touched.
Seems to have gone through all shared folders; nothing listed in connection logs.
Krismede
New here
Posts: 7
Joined: Mon Apr 05, 2021 1:03 am

Re: README_FOR_DECRYPT.txtt

Post by Krismede »

My t-251 got hacked too. Is there a way to decrypt the locked files? Any patch or software that we can use? Does QNAP provide any fixes or firmware updates for it? Thanks in advance.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Read the previous posts... no need to ask again.
groundhogrdg
New here
Posts: 3
Joined: Fri Dec 14, 2012 3:46 pm

Re: README_FOR_DECRYPT.txtt

Post by groundhogrdg »

groundhogrdg wrote: Sun Apr 04, 2021 9:08 am Mine has been infected too, on March 28th.
Seems all documents, archives and images have been encrypted.
MP4s and MP3s have not been touched.
Seems to have gone through all shared folders; nothing listed in connection logs.
A few more details.
TS-451+ running 4.3.4 Build 20180830
A user account "wasthere" had been created 28 March 2021, 22:39:02
This account had RW permissions to a share that was not previously visible with system files labelled "9cd00ccc-d02f-11ea-87d0-..."

Two log entries were created:
Information 28/03/2021 19:45:49 System 127.0.0.1 localhost [App Center] Installed System 0.1 in /share/CACHEDEV1_DATA/.qpkg/System.
Information 28/03/2021 21:17:49 System 127.0.0.1 localhost [App Center] Enabled System.
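The two log entries above, together with Skwor's advice earlier in the thread to look for admin access from an address outside the LAN, lend themselves to a quick log check. The script below is an added example, not anything from the thread or from QNAP: it runs two checks over event-log lines in the column layout groundhogrdg quoted (Level Date Time User SourceIP Host [Category] Message). The first flags App Center installs whose .qpkg directory is not on an allowlist of packages the owner installed deliberately; the second flags any event whose source address is neither loopback nor an RFC 1918 private address. The two App Center lines in the sample are the ones quoted above; the other two sample lines, the allowlist and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): two checks over QTS event-log lines
# in the column layout groundhogrdg quoted:
#   Level Date Time User SourceIP Host [Category] Message
# LOG_SAMPLE is constructed for the demo. Lines 1 and 2 are the entries
# quoted in the thread; lines 3 and 4 are made up to exercise the checks.
# On a real NAS, feed the exported system event log instead.

LOG_SAMPLE='Information 28/03/2021 19:45:49 System 127.0.0.1 localhost [App Center] Installed System 0.1 in /share/CACHEDEV1_DATA/.qpkg/System.
Information 28/03/2021 21:17:49 System 127.0.0.1 localhost [App Center] Enabled System.
Information 27/03/2021 10:02:11 admin 192.168.1.20 workstation [App Center] Installed Plex Media Server 1.0 in /share/CACHEDEV1_DATA/.qpkg/PlexMediaServer.
Warning 28/03/2021 19:40:03 admin 203.0.113.7 --- [Users] Constructed sample: activity from a public source address.'

# .qpkg directory names the owner installed on purpose (constructed allowlist).
KNOWN_PKGS='PlexMediaServer'

# Check 1: App Center installs whose .qpkg directory name is not allowlisted.
# Prints "<date> <time> <pkgdir>" for each unexpected install.
unexpected_installs() {
    printf '%s\n' "$LOG_SAMPLE" |
    awk -v known="$KNOWN_PKGS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /\[App Center\] Installed / {
            dir = $NF; sub(/\.$/, "", dir)          # drop the trailing period
            n2 = split(dir, parts, "/"); pkg = parts[n2]   # last path component
            if (!(pkg in ok)) print $2, $3, pkg
        }'
}

# Check 2: events whose source address is neither loopback nor RFC 1918,
# i.e. the "access from an IP outside your LAN" Skwor suggests looking for.
# Prints "<date> <time> <user> <ip>" per hit; non-IPv4 sources are skipped.
external_source_events() {
    printf '%s\n' "$LOG_SAMPLE" |
    awk '{
        ip = $5
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (ip ~ /^127\./) next
        if (ip ~ /^10\./) next
        if (ip ~ /^192\.168\./) next
        if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        print $2, $3, $4, ip
    }'
}

echo "Unexpected App Center installs:"
unexpected_installs
echo "Events from non-private source addresses:"
external_source_events
```

The allowlist is the key input: a package named just "System" that nobody remembers installing, as in the quoted entries, is exactly what the first check surfaces. The second check is coarse (it ignores IPv6 and carrier-grade NAT ranges), so treat its hits as a starting point for reading the surrounding log lines, not as a verdict.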
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

2 1/2 year old firmware and an exposed NAS? ...a miracle it hasn't happened sooner.