README_FOR_DECRYPT.txtt
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: README_FOR_DECRYPT.txtt
Malware of 2020/21 is orders of magnitude more resilient, robust and sophisticated compared to malware circa 2015/16.
You have not stated which malware type and strain you are asking about decrypting, so no one can suggest a tool (if one even exists) to try.
RAID is not a Back-up!
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- First post
- Posts: 1
- Joined: Fri May 07, 2021 4:07 am
Re: README_FOR_DECRYPT.txtt
If you got to this thread by googling "readme for decrypt qnas" or some such thing, make sure you read the notice that is pinned to the top of the message board. Qnap claims that you can retrieve the decryption key as long as the nas is not shut down or rebooted.
viewtopic.php?f=45&t=160886
-
- Getting the hang of things
- Posts: 50
- Joined: Tue Jan 12, 2016 5:09 pm
Re: README_FOR_DECRYPT.txtt
As an IT professional you're the kind of customer that makes me wanna make your kind pass a course before coming close to any computer.
You remind me of that customer that came one day: "this **, I opened Internet Explorer and there was this thing saying that I was customer 1.000.000 and that I had just won a limo with prostitutes, so I clicked to receive my gift and now you're saying that it is my fault????"
Best antivirus, mate, is no antivirus and knowing what you're actually doing.
Any NAS is an advanced piece of IT equipment, so if you don't have advanced sysadmin knowledge you risk ** up big time. I have had my QNAP exposed to the internet since 2015 and so far so good, and I could even increase its security... but who cares, I don't even use it as a last resort.
Cheerios o/
-
- Starting out
- Posts: 12
- Joined: Sat Jun 11, 2016 2:53 am
Re: README_FOR_DECRYPT.txtt
Does anyone know if the solution provided in this article works?
https://www.pcrisk.com/removal-guides/1 ... ransomware
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: README_FOR_DECRYPT.txtt
Jooki wrote: ↑Fri May 07, 2021 10:20 pm As an IT professional you're the kind of customer that makes me wanna make your kind pass a course before coming close to any computer.
You remind me of that customer that came one day: "this **, I opened Internet Explorer and there was this thing saying that I was customer 1.000.000 and that I had just won a limo with **, so I clicked to receive my gift and now you're saying that it is my fault????"
Best antivirus, mate, is no antivirus and knowing what you're actually doing.
Any NAS is an advanced piece of IT equipment, so if you don't have advanced sysadmin knowledge you risk ** up big time. I have had my QNAP exposed to the internet since 2015 and so far so good, and I could even increase its security... but who cares, I don't even use it as a last resort.
Cheerios o/
As a digital mercenary and security professional, you're the type of person that makes my work so easy to perform.
Use of computers, NASes, etc. should not require any sort of complex training; they should require about as much training to use, and be as secure, as using a microwave oven. If our civil infrastructure were designed, engineered and built the same way software is, we would need a lot more cemeteries.
Software is designed to be functional, not secure, and that is the core of the problem. Secure systems are pretty much impossible to access using any practical means, but writing code for a secure system takes more time, which means more expense.
Standards exist all over the world for the design safety of pretty much everything that is physical; there are no standards for secure software design, aside from specific uses such as aerospace and nuclear applications.
The cybersecurity industry is a multi-billion dollar (~175 billion at my last check) industry, and even though it is an industry that has provided me opportunities to make massive bank over the past 30-ish years, I firmly believe it is an industry that should not even exist in its current form.
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: README_FOR_DECRYPT.txtt
T-Phunk wrote: ↑Thu May 20, 2021 10:59 pm Does anyone know if the solution provided in this article works?
https://www.pcrisk.com/removal-guides/1 ... ransomware
Which malware variant are you asking about? The article you linked to was initially written about two years ago. Malware variants are updated all the time, and with each variant update, procedures that may have worked with an earlier variant will not work on subsequent variants.
The most recent QLocker malware was updated mid-campaign, so something that worked early in the QLocker campaign was rendered useless as the campaign progressed.
-
- New here
- Posts: 3
- Joined: Fri Mar 26, 2021 3:39 am
Re: README_FOR_DECRYPT.txtt
Has anyone successfully restored their infected NAS to a clean firmware and wiped drives so they are comfortable using them again? If so, would you be willing to please post the steps you took or PM me? I hate staring at this expensive hunk of junk and not knowing what to do with it because I'm not sure how to go about wiping it properly.
Thank you!
-
- Starting out
- Posts: 28
- Joined: Wed Nov 28, 2012 7:42 pm
Re: README_FOR_DECRYPT.txtt
Hi all... I have just discovered I've been a victim of this hack.
It seems like my QNAP had been hacked on the 8th May... However, I had just noticed today when looking for some photos and noticed "README_FOR_DECRYPT.txtt" in every folder.
Is there anything else I can do to try and decrypt these files besides paying up... does anyone also know how my IP would have got into the hands of hackers?
- dolbyman
- Guru
- Posts: 35009
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: README_FOR_DECRYPT.txtt
Just read the topic .. this is a broad attack based on portscans or existing lists sold by 3rd parties (e.g. shodan.io)
Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: README_FOR_DECRYPT.txtt
OneCD wrote: ↑Sat May 22, 2021 7:00 am Also note the ability to pay the ransom was recently removed. So don’t bother. https://www.bleepingcomputer.com/news/s ... qnap-users
Looks like you're confusing this with QLocker. This thread is about another ransomware: eCh0raix, which is still active and gets in by brute-forcing the admin password.
No decryption possible. Your IP was found because your NAS is accessible from the internet (via port(s) forwarded on your router, automatically with UPnP + myQNAPcloud or manually) and the NAS was breached because you used a weak admin password.
More info:
https://www.qnap.com/en/security-advisory/qsa-21-18
https://www.bleepingcomputer.com/forums ... ort-topic/
-
- Starting out
- Posts: 28
- Joined: Wed Nov 28, 2012 7:42 pm
Re: README_FOR_DECRYPT.txtt
Mousetick wrote: ↑Sat May 22, 2021 7:44 am Looks like you're confusing this with QLocker. This thread is about another ransomware: eCh0raix, which is still active and gets in by brute-forcing the admin password.
OneCD wrote: ↑Sat May 22, 2021 7:00 am Also note the ability to pay the ransom was recently removed. So don’t bother. https://www.bleepingcomputer.com/news/s ... qnap-users
No decryption possible. Your IP was found because your NAS is accessible from the internet (via port(s) forwarded on your router, automatically with UPnP + myQNAPcloud or manually) and the NAS was breached because you used a weak admin password.
More info:
https://www.qnap.com/en/security-advisory/qsa-21-18
https://www.bleepingcomputer.com/forums ... ort-topic/
I never enabled myQNAPcloud... that's why I was asking how it was found... I'm assuming there are bots just hitting up addresses to see what ports are open... to be honest I thought my password was quite secure... it was a mixture of upper and lower case with numbers and was 12 characters in length.
dolbyman wrote: ↑Sat May 22, 2021 5:02 am Just read the topic .. this is a broad attack based on portscans or existing lists sold by 3rd parties (e.g. shodan.io)
Without malware remover catching the process in the act (saving the encryption key) or external backups or paying the ransom, there is nothing that can currently be done.
Yeah, I thought as much... first time I've been done like that, or anyone I know... do they generally give you back the key or do they just take the money? Hence why I'm a bit reluctant to pay up.
-
- New here
- Posts: 2
- Joined: Sun Nov 20, 2016 11:09 pm
Re: README_FOR_DECRYPT.txtt
I just realized I have this issue.
.encrypt and not the .7z ransomware.
Is there any solution known? It's affecting my photo backups and MP3. Is there any other known issue?
-
- New here
- Posts: 2
- Joined: Sun Nov 20, 2016 11:09 pm
Re: README_FOR_DECRYPT.txtt
Actually it's affecting much more... .pdf .exe .psd ... Basically years of work...
Weirdly, the MP3s were fine despite the ransomware note in the MP3 folders too.
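For an owner trying to scope the damage the posts above describe (a note in every folder, files renamed with ".encrypt", some folders such as MP3 left untouched, and the question of when it happened), here is an added triage script; it is not code from any poster or from QNAP. The note name and the ".encrypt"/".7z" suffixes are taken from this thread, the family labels are assumptions, and the sample share it walks is constructed.

```python
import os
import tempfile

# Indicators as reported in this thread; family labels are assumptions.
NOTE_NAME = "README_FOR_DECRYPT.txtt"
SUFFIXES = {".encrypt": "eCh0raix-style", ".7z": "QLocker-style"}


def triage_share(root):
    """Walk a share and summarise indicators for incident scoping.

    Returns note count, encrypted-file count per family, the earliest and
    latest mtime of encrypted files (a rough encryption window), and how many
    folders hold a note but no encrypted files (the 'MP3 folder' case)."""
    summary = {"notes": 0, "by_family": {}, "earliest": None,
               "latest": None, "noted_but_untouched_dirs": 0}
    for dirpath, _dirs, files in os.walk(root):
        has_note = NOTE_NAME in files
        summary["notes"] += int(has_note)
        touched = False
        for name in files:
            fam = SUFFIXES.get(os.path.splitext(name)[1].lower())
            if fam is None:
                continue
            touched = True
            summary["by_family"][fam] = summary["by_family"].get(fam, 0) + 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if summary["earliest"] is None or mtime < summary["earliest"]:
                summary["earliest"] = mtime
            if summary["latest"] is None or mtime > summary["latest"]:
                summary["latest"] = mtime
        if has_note and not touched:
            summary["noted_but_untouched_dirs"] += 1
    return summary


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample share mirroring the thread's reports (not real data)."""
    root = tempfile.mkdtemp(prefix="nas_triage_")
    for d in ("photos", "docs", "mp3"):
        os.makedirs(os.path.join(root, d))
        _write(os.path.join(root, d, NOTE_NAME), b"note placeholder")
    _write(os.path.join(root, "photos", "img1.jpg.encrypt"), b"\x00")
    _write(os.path.join(root, "docs", "report.pdf.encrypt"), b"\x00")
    _write(os.path.join(root, "mp3", "song.mp3"), b"\x00")  # untouched, as reported
    return triage_share(root)


if __name__ == "__main__":
    print(demo())
```

Point triage_share at a mounted share to get the same summary for a real incident; the mtime window only indicates when files were last written, not when the intruder first logged in.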
-
- Starting out
- Posts: 14
- Joined: Sun Jan 11, 2015 8:41 am
Re: README_FOR_DECRYPT.txtt
Does the Qlocker Data Recovery Service (QDRS) https://service.qnap.com/en/user/create-qdrs-ticket
work on all ransomware on the QNAP TS-251 devices?
https://www.qnap.com/en/security-news/2 ... e-qnap-nas
https://www.bleepingcomputer.com/news/s ... /#cid18909
https://youtu.be/qv9mri_xHg0
https://youtu.be/aq_cIdY_ksQ
https://youtu.be/UvKqmrCAJ8I