README_FOR_DECRYPT.txtt

[groundhogrdg]

2 1/2 year old firmware and exposed NAS ?...a miracle it hasn't happened sooner

It is cleat that you are just here to troll.

The system is set to check for updates at each log in - no updates have been identified.

[dolbyman]

sure a troll....check what the latest firmware is for your nas and be amazed

https://www.qnap.com/en/download?model= ... y=firmware

shocking isnt it?...smh

[Krismede]

read the previous posts....no need to ask again

Thank you! I read through the comments. I read somewhere there was similar one few years ago and someone made a decrypter it. so wondering if there is anything similar? Since you seem to be a guru of somesort, why don't you enlighten me?

[Krismede]

Mine has been infected too on March 28th
Seems all documents, archives and images have been encrypted.
MP4, MP3s have not been touched.
Seems to have gone through all shared folders nothing listed in connection logs.

A few more details.
TS-451+ running 4.3.4 Build 20180830
A user account "wasthere" had been created ‎28 ‎March ‎2021, ‏‎22:39:02
This account had RW permissions to a share that was not previously visible with system files labelled "9cd00ccc-d02f-11ea-87d0-..."

Two log entries were created:
Information 28/03/2021 19:45:49 System 127.0.0.1 localhost [App Center] Installed System 0.1 in /share/CACHEDEV1_DATA/.qpkg/System.
Information 28/03/2021 21:17:49 System 127.0.0.1 localhost [App Center] Enabled System.

I had the same user account "wasthere" in mine too. Though there is nothing in that account folder. I am still trying to understand how to get these files decrypted. I am hoping Qnap releases something for this.

[OneCD]

Can someone who has these readme files confirm if any are located outside the shared folders?

SSH into your NAS and run the following command string exactly as shown:

Code: Select all

/usr/bin/find / -iname "*.txtt" 2>/dev/null | grep -v '^/share/'

If any files are listed, please post them back here.

[OneCD]

I had the same user account "wasthere" in mine too. Though there is nothing in that account folder. I am still trying to understand how to get these files decrypted. I am hoping Qnap releases something for this.

Your NAS is definitely infected. Forget trying to find a decrypter: re-init your NAS and restore all data from your external backups.

BTW: for those looking for a decryption program: viewtopic.php?f=45&t=155358

[Krismede]

I had the same user account "wasthere" in mine too. Though there is nothing in that account folder. I am still trying to understand how to get these files decrypted. I am hoping Qnap releases something for this.

Your NAS is definitely infected. Forget trying to find a decrypter: re-init your NAS and restore all data from your external backups.

BTW: for those looking for a decryption program: viewtopic.php?f=45&t=155358

unfortunately, there is not back up for some of the files. its ironic that a backup storage device needs a backup too. have you or someone tried emisoft decrypter ?

[dolbyman]

if there is no backup..then the qnap is no backup, but PRIMARY storage. If the QNAP was a backup you would still have the files on another device

hard lesson to learn

[OneCD]

unfortunately, there is not back up for some of the files. its ironic that a backup storage device needs a backup too.

Why?

• If you were using the NAS as a backup device, then you still have the original files.

• If the NAS has files that are not located anywhere else, it's no-longer a backup device.

You should have multiple copies of your data. Don't put it all in one fragile (and easily hackable) box and expect it to be safe forever.

have you or someone tried emisoft decrypter ?

Never used it - probably because I've never been infected.

edit: @dm beat me to-it again.

[rmigliac1961]

sure upnp is noy active ? exposing your nas without knowlage

Yep, that might have been it. Now, uPnP is off, and no access except for a range of internal IP addresses. And periodic backups to a flash drive stored off-site!

[Krismede]

I read in bleeping computer that there was a software that could take the encrypted file and a copy of the original file to recover. Has anyone used it ?

[dolbyman]

if you have a copy of the original file..why would you need to decrypt it ?

[Krismede]

if you have a copy of the original file..why would you need to decrypt it ?

LOL, of course if we have copies, no one will go for decrypting it. I think the idea here is - some file may have been downloaded from the NAS and you can potentially use that 1 file to decrypt.
anyways, if someone has experience using it, please share.

[dolbyman]

I guess you mean this?:
https://www.quora.com/Can-we-extract-en ... ginal-file

[Krismede]

something like this- https://www.bleepingcomputer.com/news/s ... looddolly/