README_FOR_DECRYPT.txtt

pavelh
Starting out
Posts: 34
Joined: Tue Dec 07, 2010 1:57 am
Location: BN, Austria

README_FOR_DECRYPT.txtt

Post by pavelh »

My system probably got hacked and infected by ransomware.

Most of the files in all shares and folders were encrypted, the file-name extension of those files was extended with ".encrypt", and none of those files can be opened.
Each folder contains a file README_FOR_DECRYPT.txtt (yes, with double tt!) with the following information:

    All your data has been locked(crypted).
    How to unlock(decrypt) instruction located in this TOR website: http://=long=string=.onion/order/=another=long=string
    Use TOR browser for access .onion websites.
    https://duckduckgo.com/html?q=tor+browser+how+to

The QNAP Malware Remover is installed and active.

How come that, despite QNAP Malware Remover being installed and active, hundreds of thousands of data files got hacked?
Can anybody please provide ASAP instructions on how to remove the hack and recover my data?
Thank you.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: README_FOR_DECRYPT.txtt

Post by OneCD »

pavelh wrote: Sun Mar 21, 2021 9:46 am: My system probably got hacked and infected by ransomware.
A quick Google suggests this is Windows ransomware (edit: this later turned out not to be so). If so, one of your client PCs became infected and then encrypted the NAS shared folder data that PC had write access to. :(

Have you seen any sign of this text file outside of the shared folders?

If not, the good news: your NAS is not infected. The bad news: your data is still toast.
pavelh wrote: Sun Mar 21, 2021 9:46 am: How come that, despite QNAP Malware Remover being installed and active, hundreds of thousands of data files got hacked?
Malware Remover does not and cannot prevent malware on client machines from encrypting share data. Responsibility for remaining virus/malware free is up to each client machine.

If the network admin gives a client write-access to a NAS share, they also need to ensure that client cannot become infected with malware.
pavelh wrote: Sun Mar 21, 2021 9:46 am: Can anybody please provide ASAP instructions on how to remove the hack and recover my data?
First, find and clean the infected client PC(s).

Then, erase the encrypted shares, and restore your data from your most recent external backups.

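A scripted version of the check OneCD asks for above (how many ransom notes and ".encrypt" files each share holds, and whether any note sits outside the shares, which would point at the NAS itself rather than a client PC), added here as an example; it is not code from the thread or from QNAP. The note name and the ".encrypt" extension are taken from the first post; the /share mount point, the share names and the sample directory tree are constructed assumptions.

```sh
#!/bin/sh
# Added triage helper (not from the thread): inventory ransom notes and
# ".encrypt" files under a root directory, and flag notes that sit outside the
# expected share directories. Paths and share names are constructed assumptions.

NOTE_NAME="README_FOR_DECRYPT.txtt"   # note name as reported in the thread (double t)
ENC_EXT=".encrypt"                    # extension appended to the locked files

# count_ioc ROOT -> prints "<number of notes> <number of encrypted files>"
count_ioc() {
    root="$1"
    notes=$(find "$root" -type f -name "$NOTE_NAME" 2>/dev/null | wc -l | tr -d ' ')
    enc=$(find "$root" -type f -name "*$ENC_EXT" 2>/dev/null | wc -l | tr -d ' ')
    echo "$notes $enc"
}

# report_shares ROOT -> one line per immediate child of ROOT (one child per share)
report_shares() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        set -- $(count_ioc "$d")
        printf '%-24s notes=%s encrypted=%s\n' "$(basename "$d")" "$1" "$2"
    done
}

# note_outside_shares ROOT "Share1 Share2 ..." -> exit 0 if a note exists under
# ROOT whose top-level directory is not in the share list, 1 otherwise.
# A note on the system volume or in a config/home path points at the NAS itself
# having run the malware rather than only a client PC with write access.
note_outside_shares() {
    root="$1"; shares="$2"
    find "$root" -type f -name "$NOTE_NAME" 2>/dev/null | while IFS= read -r f; do
        rel="${f#"$root"/}"     # path relative to ROOT
        top="${rel%%/*}"        # first path component
        inside=0
        for s in $shares; do
            [ "$top" = "$s" ] && inside=1
        done
        [ "$inside" -eq 0 ] && echo "$f"
    done | grep -q .
}

# Usage: sh triage.sh ROOT "Share1 Share2 ..."
#   e.g. sh triage.sh /share "Public Multimedia"   (QTS mounts shares under /share; assumed)
if [ -n "${1:-}" ]; then
    report_shares "$1"
    if note_outside_shares "$1" "${2:-}"; then
        echo "WARNING: ransom note found outside the listed shares"
    fi
fi
```

Run it against a read-only copy or an image of the disks if the unit is going to a recovery service; `find` only reads, but the point of the counts is to record the extent of the damage before anything is wiped.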
pavelh
Starting out
Posts: 34
Joined: Tue Dec 07, 2010 1:57 am
Location: BN, Austria

Re: README_FOR_DECRYPT.txtt

Post by pavelh »

A quick Google suggests this is Windows ransomware.
My research on the internet shows that this is QNAP ransomware, not Windows ransomware. What is the source of your information?
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: README_FOR_DECRYPT.txtt

Post by syncthing »

Did you expose your NAS to the internet?

If your NAS is infected, I think you may need a full factory reset and to check that it is malware free;
then you can restore from backup.
pavelh
Starting out
Posts: 34
Joined: Tue Dec 07, 2010 1:57 am
Location: BN, Austria

Re: README_FOR_DECRYPT.txtt

Post by pavelh »

syncthing wrote: Sun Mar 21, 2021 8:48 pm: Did you expose your NAS to the internet?

If your NAS is infected, I think you may need a full factory reset and to check that it is malware free;
then you can restore from backup.
Yes, my NAS was exposed to the internet, as I also used it as a web photo gallery (Gallery 3.0.9).

Thank you syncthing - would you know how to do a real full factory reset so that all data, incl. the ransomware code, gets removed?

Still, how come that, despite QNAP Malware Remover being installed and active, hundreds of thousands of data files got hacked?
It seems that QNAP is a lot less secure compared to an ordinary PC with antivirus - unbelievable ...!!!!
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Every PC has an antivirus (built-in or 3rd party), and still people get all sorts of viruses .. how is this unbelievable?

You need to remove all drives, clear them (diskpart clean) in an external computer, and then do a diskless firmware update via Qfinder.

Then set up the NAS from scratch (check the crontab afterwards for any more leftovers).
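An added example, not from the thread or from QNAP, of the "check the crontab for leftovers" step: a POSIX sh filter that prints the crontab lines matching common persistence patterns (payload staged under a tmp directory, a download piped into a shell, a base64-decoded payload, a .onion address, or a command run from the data volume). The path /etc/config/crontab is assumed to be where QTS keeps the root crontab, and the sample entries are constructed; treat hits as review prompts rather than verdicts, since legitimately installed QTS apps also run from the data volume.

```sh
#!/bin/sh
# Added example (not from the thread or QNAP): flag crontab entries that look
# like ransomware/persistence leftovers so they can be reviewed before the NAS
# is trusted again. Heuristics only; each hit needs a human look.

# flag_cron_entries < crontab -> prints "<reason>\t<line>" for each suspicious line
flag_cron_entries() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac     # skip blanks and comments
        reason=""
        case "$line" in                               # payload staged in a tmp dir
            *"/tmp/"*|*"/dev/shm/"*|*"/var/tmp/"*) reason="runs from a tmp directory" ;;
        esac
        case "$line" in                               # download piped straight into a shell
            *curl*"|"*sh*|*wget*"|"*sh*) reason="${reason:+$reason; }pipes a download into a shell" ;;
        esac
        case "$line" in                               # payload hidden in base64
            *"base64 -d"*|*"base64 --decode"*) reason="${reason:+$reason; }decodes a base64 payload" ;;
        esac
        case "$line" in                               # Tor hidden service in the command
            *.onion*) reason="${reason:+$reason; }references a .onion address" ;;
        esac
        case "$line" in                               # runs from the data volume; legitimate
            *"/share/"*|*"/mnt/HDA_ROOT/"*|*"/mnt/ext/"*)    # QTS apps live there too, so verify
                reason="${reason:+$reason; }runs from the data volume (verify against installed apps)" ;;
        esac
        [ -n "$reason" ] && printf '%s\t%s\n' "$reason" "$line"
    done
}

# Usage: sh check_cron.sh [CRONTAB_FILE]
# /etc/config/crontab is assumed to be where QTS stores the root crontab.
CRONTAB_FILE="${1:-/etc/config/crontab}"
if [ -r "$CRONTAB_FILE" ]; then
    flag_cron_entries < "$CRONTAB_FILE"
fi
```

Anything the filter prints that you cannot match to a package you installed yourself is a reason to stop and redo the wipe rather than restore data onto the unit.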
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

pavelh wrote: Sun Mar 21, 2021 9:25 pm: Yes, my NAS was exposed to the internet, as I also used it as a web photo gallery (Gallery 3.0.9).
Do not expose the QNAP to the web unless you are technically inclined and know what you are doing.

- QTS and its associated apps are written very poorly, are not written securely, and are a common vector for infecting a QNAP.
- The QNAP built-in Apache server and PHP versions are also old, which means there are many vulnerabilities to exploit.
pavelh wrote: Thank you syncthing - would you know how to do a real full factory reset so that all data, incl. the ransomware code, gets removed?
The only way to ensure the NAS is completely malware free is to perform the following:

1. Do a firmware recovery; this ensures that no malware that was copied to the DOM gets installed upon NAS reboot.
https://wiki.qnap.com/wiki/Firmware_Recovery
2. Wipe the disk partitions.
3. You will probably need to install an older firmware first after the firmware recovery before installing the latest firmware.
pavelh wrote: Still, how come that, despite QNAP Malware Remover being installed and active, hundreds of thousands of data files got hacked?
It seems that QNAP is a lot less secure compared to an ordinary PC with antivirus - unbelievable ...!!!!
The QNAP Malware Remover is a pretty dumb program - probably in the area of a late 1990's anti-virus utility in terms of sophistication. The QNAP Malware Remover can only remove malware which it has a fingerprint for, and the malware files need to be in the specific directories that the QNAP Malware Remover expects them to be in. Change a file name, location, etc. and the QNAP Malware Remover skips right over the malware.

Despite what QNAP marketing tries to make people believe, it is a bad idea to expose the NAS to the Internet if you are not technically inclined.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
kenkau
New here
Posts: 3
Joined: Wed Mar 24, 2021 11:35 pm

Re: README_FOR_DECRYPT.txtt

Post by kenkau »

Other than wiping the whole NAS, is there any solution to decrypt the files? I have 8 years of working files on my NAS.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

Go to a rescue service; they need to analyze the disks and/or keep them until there is a decrypt exploit.

it will cost ya
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: README_FOR_DECRYPT.txtt

Post by jaysona »

There is not much that can be done to decrypt the files other than pay the ransom for the decryption key, or hope that the encryption scheme used by the ransomware is flawed. There is some flawed ransomware out there that can be decrypted without paying the ransom, but as dolbyman stated, it will cost you.
jeddeth
New here
Posts: 3
Joined: Fri Mar 26, 2021 3:39 am

Re: README_FOR_DECRYPT.txtt

Post by jeddeth »

This happened to me yesterday too. Naively, I did not even realize my NAS was at risk until it happened. I had no need for my NAS to be exposed to the outside internet. I'm so disappointed in myself for allowing this to happen and in QNAP for having garbage malware security. If anyone can point me to a reputable rescue service or professional who can help me with flashing the QNAP's firmware and hard drive disk partitions, I would really be grateful!
jeddeth
New here
Posts: 3
Joined: Fri Mar 26, 2021 3:39 am

Re: README_FOR_DECRYPT.txtt

Post by jeddeth »

I also wanted to ask... is there any chance I can use a backup or snapshot from my QNAP RAID or system to recover data, or is everything on the NAS totally infected and lost forever?
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

If your snapshot space was larger than the used data (most people don't leave enough space).

Any malware directly infecting the QNAP would probably kill the snapshots first.
ZPerf
First post
Posts: 1
Joined: Fri Jul 31, 2015 2:45 am

Re: README_FOR_DECRYPT.txtt

Post by ZPerf »

This looks a lot like a QNAPCrypt (eCh0raix) ransomware variant. I don't know if a vulnerability has been identified or not, but try Googling for a decrypter for it.

Check out also:
https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/en/decryption-tools.html

matt@mdesignaz.com
Starting out
Posts: 12
Joined: Sat Jan 26, 2013 5:50 am

Re: README_FOR_DECRYPT.txtt

Post by matt@mdesignaz.com »

I've got the README_FOR_DECRYPT.txtt files in all of my folders, but my files are not encrypted.
Can I safely delete the README_FOR_DECRYPT.txtt files and run QNAP malware remover?