README_FOR_DECRYPT.txtt

PeterAslund
New here
Posts: 2
Joined: Mon Jun 14, 2021 2:45 pm

Re: README_FOR_DECRYPT.txtt

Post by PeterAslund »

Anyone that has a super computer and that is willing to try to find my decryption-key? :D

I have tried running the ECh0raix Decoder (v1.0.5) and selecting the info.txt.encrypted and info.txt with the exhaustive search
Now it has run for about 10+ days with 14 threads. Still nothing...
Last edited by OneCD on Tue Jun 15, 2021 12:19 pm, edited 1 time in total.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: README_FOR_DECRYPT.txtt

Post by Mousetick »

PeterAslund wrote: Mon Jun 14, 2021 3:47 pm I have tried running the ECh0raix Decoder (v1.0.5) and selecting the info.txt.encrypted and info.txt with the exhaustive search
Now it has run for about 10+ days with 14 threads. Still nothing...
You're wasting energy and your time. This ECh0raix Decoder was intended to be used with the early ECh0raix ransomware (2018-2019) which used weak encryption that could be broken with brute force.

What makes you think you can manage to decrypt your files without a key when no one else can? Baffling...
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: README_FOR_DECRYPT.txtt

Post by OneCD »

PeterAslund wrote: Mon Jun 14, 2021 3:47 pm Anyone that has a super computer and that is willing to try to find my decryption-key? :D
As @Mousetick said, you're wasting your time.

Also, I had to remove your attachment to prevent copyright issues with the content publisher. And because I'd rather your first post here isn't used as an opportunity for "marketing". ;)

PeterAslund
New here
Posts: 2
Joined: Mon Jun 14, 2021 2:45 pm

Re: README_FOR_DECRYPT.txtt

Post by PeterAslund »

Ok, so the solution for now is to just wait and see. If someone cracks the encryption or reverse engineers the algorithm?
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: README_FOR_DECRYPT.txtt

Post by Mousetick »

PeterAslund wrote: Tue Jun 15, 2021 1:59 pm Ok, so the solution for now is to just wait and see. If someone cracks the encryption or reverse engineers the algorithm?
No, rather if law enforcement finds the cybercrooks and seizes their servers and databases, so the decryptor and encryption keys can be recovered and given to the victims. Or if the cybercrooks decide to close up shop and publish the decryptor and encryption keys before disappearing. Either scenario is unlikely but not impossible. Each has happened in the past with other ransomware operations.

So hang on to your encrypted files and to the ransomware notice, which contains your unique identifier, just in case. Your unique identifier is the link to the encryption key held by the cybercrooks - without it you won't be able to retrieve the encryption key if either scenario occurs.

The encryption algorithm is already known. No one is trying to crack it because it's not possible using brute force, without a super computer and a lot of time to waste. The only affordable and quick way to decrypt the ransomware is to use the encryption key (akin to a password). A different unique key is used for each victim and is held by the cybercrooks. When a victim pays the ransom, the victim provides their unique identifier, in return the cybercrooks provide the unique key corresponding to that unique victim identifier.

Edit: The web sites you can find online that recommend using ECh0raix Decoder are either a) outdated, b) ignorant or in many cases c) sham advertising commercial products at the same time.
Guapo81
Know my way around
Posts: 159
Joined: Tue Jun 21, 2011 4:22 pm
Location: Netherlands

Re: README_FOR_DECRYPT.txtt

Post by Guapo81 »

PeterAslund wrote: Tue Jun 15, 2021 1:59 pm Ok, so the solution for now is to just wait and see. If someone cracks the encryption or reverse engineers the algorithm?
Have you already contacted QNAP support regarding their newly launched Qrescue program for Qlocker victims?

https://www.qnap.com/static/landing/202 ... rescue/en/
QNAP TS-h886-64G 2x Samsung 970PRO NVMe SSD (RAID1, System), 2x Samsung 860 PRO SSD (RAID1, VM) 4x Seagate EXOS X16 16TB (RAID5, Data) - FW: QuTS-hero
QNAP TVS-682-i3-32G 4x HGST HUH728060ALN600 (RAID5, Backup) - FW: QTS
QNAP TVS-463 4x Seagate ST2000VN000 (RAID5, Surveillance, Backup) - FW: QTS
Former units: TS-469Pro, TS-459ProII, TS-269Pro, Qgenie
bj4qn
New here
Posts: 3
Joined: Sat Jan 06, 2018 12:47 pm

Re: README_FOR_DECRYPT.txtt

Post by bj4qn »

I have to admit I'm now among the ranks of those who have been hammered by ransomware ...

This has left me with questions:

1. Will this "thing" just keep encrypting anything I put on my NAS drive (assuming what I put on the drive is of a file format it encrypts)?

2. Is there any way to stop this encrypting process, short of completely rebuilding everything?

3. Does this "thing" have the ability to jump onto attached clients - like a MacBook accessing the QNAP NAS via the local network?

4. What is the simplest way to check what ports are open and close the ones not needed?

5. Since I have updated my password to something far more robust, can I assume a greater degree of safety from these attacks in the future?

Thanks for any assistance anyone can offer.
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

1. Maybe, you have no idea what is hidden in your system. Still best to do a complete kill (all drives) and start from scratch
2. No
3. No, but you never know if it can reload any extra code
4. All ports and UPnP should be closed, why are any open?
5. No, passwords get circumvented via exploits, so does 2FA
zephilix
First post
Posts: 1
Joined: Sat Jul 02, 2016 8:43 pm

Re: README_FOR_DECRYPT.txtt

Post by zephilix »

groundhogrdg wrote: Mon Apr 05, 2021 3:40 am
groundhogrdg wrote: Sun Apr 04, 2021 9:08 am Mine has been infected too on March 28th
Seems all documents, archives and images have been encrypted.
MP4, MP3s have not been touched.
Seems to have gone through all shared folders nothing listed in connection logs.
A few more details.
TS-451+ running 4.3.4 Build 20180830
A user account "wasthere" had been created 28 March 2021, 22:39:02
This account had RW permissions to a share that was not previously visible with system files labelled "9cd00ccc-d02f-11ea-87d0-..."

Two log entries were created:
Information 28/03/2021 19:45:49 System 127.0.0.1 localhost [App Center] Installed System 0.1 in /share/CACHEDEV1_DATA/.qpkg/System.
Information 28/03/2021 21:17:49 System 127.0.0.1 localhost [App Center] Enabled System.
After I disabled the System 0.1 App, disabled the account wasthere and killed the /tmp/386 process, I cannot access my NAS from the web interface. Can anyone help with manually cleaning the infected machine?
My machine: TS-453Bmini
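
A triage sketch for the indicators quoted in the post above, added here as an example and not posted by any thread participant: it parses exported event-log lines in the layout of the two quoted entries and lists App Center install/enable events for packages that are not on a list the administrator supplies. The column order, the `known_packages` list and the three extra sample lines are assumptions.

```python
import re
from datetime import datetime

# Column order inferred from the two entries quoted in the post (an assumption):
# severity, date, time, user, source IP, computer name, [component] message
LINE_RE = re.compile(
    r"^(?P<severity>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<host>\S+) \[(?P<component>[^\]]+)\] (?P<message>.+)$"
)
# "Installed <name> <version> in <path>." or "Enabled <name>."
APP_RE = re.compile(
    r"^(?P<action>Installed|Enabled) (?P<pkg>.+?)"
    r"(?: (?P<version>\S+) in (?P<path>\S+?))?\.$"
)

# Constructed sample: the first two lines are the entries quoted in the post,
# the other three are made up for illustration.
SAMPLE_LOG = """\
Information 28/03/2021 19:45:49 System 127.0.0.1 localhost [App Center] Installed System 0.1 in /share/CACHEDEV1_DATA/.qpkg/System.
Information 28/03/2021 21:17:49 System 127.0.0.1 localhost [App Center] Enabled System.
Information 27/03/2021 09:02:11 admin 192.168.1.20 --- [App Center] Installed Example App 1.2.0 in /share/CACHEDEV1_DATA/.qpkg/ExampleApp.
Information 27/03/2021 09:02:15 admin 192.168.1.20 --- [App Center] Enabled Example App.
Warning 27/03/2021 10:00:00 System 127.0.0.1 localhost [Disk] Example unrelated entry.
"""

def parse_line(line):
    """Return a dict for an App Center install/enable entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["component"] != "App Center":
        return None
    app = APP_RE.match(m["message"])
    if not app:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    return {"when": when, "user": m["user"], "ip": m["ip"], **app.groupdict()}

def unexpected_app_events(log_text, known_packages):
    """App Center events for packages the admin did not install, oldest first."""
    events = filter(None, map(parse_line, log_text.splitlines()))
    hits = [e for e in events if e["pkg"] not in known_packages]
    return sorted(hits, key=lambda e: e["when"])

if __name__ == "__main__":
    for e in unexpected_app_events(SAMPLE_LOG, known_packages={"Example App"}):
        print(e["when"].isoformat(), e["action"], e["pkg"], e["path"] or "", e["ip"])
```

The earliest flagged timestamp gives a lower bound for when to start looking for other changes, such as the added user account described in the post.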
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

remove all drives and format them

do a firmware update via qfinder without disks

start the NAS with the erased disks from scratch
reese06
First post
Posts: 1
Joined: Fri Dec 10, 2021 3:22 am

Re: README_FOR_DECRYPT.txtt

Post by reese06 »

dolbyman wrote: Wed Jun 30, 2021 12:13 am remove all drives and format them

do a firmware update via qfinder without disks

start the NAS with the erased disks from scratch
How do I do a firmware update? Mine is already on the newest firmware and rolling back the firmware keeps failing.

I don't mind erasing everything and starting from scratch, but I do want to make sure I actually get everything sanitized and can prevent this from happening again once I get it set up.
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: README_FOR_DECRYPT.txtt

Post by dolbyman »

just read my quote and do exactly what I write