QNAP-targeted ransomware is now a thing

OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

QNAP-targeted ransomware is now a thing

Post by OneCD »

Another first for QNAP. :(
The Hacker News wrote:
A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News.

Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.

Dubbed "QNAPCrypt" by Intezer and "eCh0raix" by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

...

As a reminder, we urge users not to, unknowingly or unnecessarily, connect their NAS devices directly to the Internet, and also enable automatic updates to keep firmware up-to-date.
SC wrote:
The researchers said the threat actor appears to be scanning the internet for QNAP devices and then compromises those set up with weak passwords. The number of potentially vulnerable QNAP NAS drives is not known, Anomali said, adding the researchers have found samples compiled for ARM and Intel x86, leading us to believe it is present in both enterprise and home devices.

...

The ransomware code itself is very simple, containing just 400 lines and written in the Go programming language.

The ransomware reaches out to the URL http://192.99.206[.]61/d.php?s=started and then tells command and control server sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000 it is up and running.

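The reports quoted above say the ransomware AES-encrypts targeted files and appends a .encrypt extension to each. As an added example (it is not from the original thread, the quoted articles, or QNAP), here is a small Python scanner a defender could run over a copy of a share to triage files by that suffix and by byte entropy. The directory tree and file contents are constructed inline; the suffix, entropy threshold, sample size and minimum file size are assumptions for illustration.

```python
import math
import random
import tempfile
from pathlib import Path

# Extension the quoted reports say the ransomware appends to encrypted files.
SUSPECT_SUFFIX = ".encrypt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root, entropy_threshold=7.5, sample_bytes=4096, min_size=256):
    """Walk root and return sorted (relative_path, reasons) for files that
    carry the suspect suffix and/or whose first sample_bytes look like
    ciphertext. Threshold, sample size and minimum size are assumed values."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.endswith(SUSPECT_SUFFIX):
            reasons.append("suffix")
        with path.open("rb") as f:
            head = f.read(sample_bytes)
        # Tiny files give unreliable entropy estimates, so skip them.
        if len(head) >= min_size and shannon_entropy(head) >= entropy_threshold:
            reasons.append("high-entropy")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample share: a plain-text note, a legitimately
    high-entropy archive, and a photo that has been replaced with
    ciphertext and renamed with the .encrypt suffix."""
    root = Path(root)
    rng = random.Random(1234)  # deterministic stand-in for ciphertext

    def blob(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "docs").mkdir()
    (root / "photos").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"Quarterly notes: nothing unusual.\n" * 64)
    (root / "docs" / "backup.zip").write_bytes(blob(4096))
    (root / "photos" / "holiday.jpg.encrypt").write_bytes(blob(4096))


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(f"{rel}: {', '.join(reasons)}")
```

Entropy on its own is a weak signal: the constructed backup.zip is flagged "high-entropy" just like the encrypted photo, because compressed archives, images and real encrypted files all look the same to this test. The combination of the suffix and high entropy is the useful indicator, and the archive-only hits are what a practitioner should expect to triage away. Since the thread notes this malware runs on the NAS itself, run such a check from a clean client against a mounted share or a backup copy rather than trusting tools executed on the compromised device.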
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin »

Time to enable reserved space for snapshots. And also don't port forward the QNAP to the internet.
Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.
These are the users who don't update QTS at all, or have generally lax network security practices, like port forwarding the QNAP or using UPnP (QNAP + router), and poor passwords :S Just a bunch of things that result in your network being compromised and the NAS easily targeted.

Also, if you're not actively using SSH, disable it when not in use.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.
:shock:


it's that or hillary or someone trying to frame them :lol:


NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
theincogtion
Starting out
Posts: 27
Joined: Mon Mar 28, 2016 9:56 pm

Re: QNAP-targeted ransomware is now a thing

Post by theincogtion »

Just got a mail pointing to the new security advisory:
https://www.qnap.com/en/security-advisory/NAS-201907-11

My questions are:

To avoid infection, you must:
Update QTS to the latest version.

1. Which QTS version is insecure and which one is secure?
2. How can I find out if I am affected?
3. How does the malware get on the system? Through myQNAPcloud?
4. What if my NAS is in a home network (secured by a router firewall)? Am I also affected?


As always, the security advisory could give far more information...
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman »

Well, there was SynoLocker a couple of years ago... now with crypto coins going back up, it was a matter of time.

Surprised we haven't heard of this yet (via forum posts).
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin »

Update: what to do

Recommendation
To avoid infection, you must:

Update QTS to the latest version.
Install and update Malware Remover to the latest version.
Use a stronger admin password.
Enable Network Access Protection to protect accounts from brute force attacks.
Disable SSH and Telnet services if you are not using them.
Avoid using default port numbers 443 and 8080.
https://www.qnap.com/en/security-advisory/nas-201907-11
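The advisory quoted above recommends Network Access Protection against brute-force attacks, and the article in the first post describes the ransomware brute forcing weak SSH credentials. As an added example that is not QNAP's code or anything from this thread, the Python below applies the same ban-after-N-failures-in-a-window logic to OpenSSH-style "Failed password" log lines. The log lines are constructed (TEST-NET addresses), the threshold, window and year are assumed values, and the QTS system log may format these events differently from the syslog form parsed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" line in syslog form (assumed for illustration;
# the QTS system log may format these differently).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammering the admin account, and one
# legitimate user who mistypes a password twice, hours apart.
SAMPLE_LOG = """\
Jul 11 14:02:01 nas sshd[2211]: Failed password for admin from 203.0.113.5 port 51201 ssh2
Jul 11 14:02:08 nas sshd[2211]: Failed password for admin from 203.0.113.5 port 51201 ssh2
Jul 11 14:02:15 nas sshd[2213]: Failed password for invalid user root from 203.0.113.5 port 51210 ssh2
Jul 11 14:02:31 nas sshd[2215]: Failed password for admin from 203.0.113.5 port 51220 ssh2
Jul 11 14:02:55 nas sshd[2217]: Failed password for admin from 203.0.113.5 port 51233 ssh2
Jul 11 14:03:20 nas sshd[2219]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Jul 11 14:05:00 nas sshd[2220]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Jul 11 14:10:00 nas sshd[2230]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jul 11 16:40:00 nas sshd[2410]: Failed password for alice from 192.0.2.10 port 40010 ssh2
""".splitlines()


def parse_failures(lines, year=2019):
    """Yield (timestamp, user, ip) for every failed-login line.

    Syslog timestamps carry no year, so one is supplied (2019 assumed here,
    matching the date of the thread)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_brute_force(lines, threshold=5, window_seconds=600):
    """Return {ip: ban_time} for sources with >= threshold failures inside
    any window_seconds-long window (sliding window per source IP).

    Threshold and window are assumed values; the real protection feature lets
    you choose your own. A source is banned at the failure that crosses the
    threshold, and later lines from it are ignored."""
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip in parse_failures(lines):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that fall outside the window relative to this one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            banned[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return banned


def targeted_accounts(lines):
    """Return {ip: sorted usernames tried}, to see which accounts a source is
    guessing at (the default admin account, in the constructed sample)."""
    seen = defaultdict(set)
    for _ts, user, ip in parse_failures(lines):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    accounts = targeted_accounts(SAMPLE_LOG)
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}; accounts tried: {accounts[ip]}")
```

The sliding window is what separates a password-guessing source from a user who fails twice in an afternoon: the legitimate user in the sample never has more than one failure inside any ten-minute window, so only the guessing source is banned. Banning is a mitigation for the weak-credential path the article describes, not a substitute for the other advisory items; a strong admin password and SSH disabled when not in use remove the target rather than just slowing the attacker down.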
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QNAP-targeted ransomware is now a thing

Post by OneCD »

Moogle Stiltzkin wrote: Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin »

OneCD wrote: Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote: Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

:shock: what!
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QNAP-targeted ransomware is now a thing

Post by OneCD »

Yep, party’s over. ;)

dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman »

Moogle Stiltzkin wrote: Fri Jul 12, 2019 8:14 am
OneCD wrote: Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote: Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

:shock: what!

That's why Windows ransomware flushes/disables your shadow copy service first (similar to snapshots).
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP-targeted ransomware is now a thing

Post by Moogle Stiltzkin »

Wow... if that's the case then it's a waste I did snapshots on the RAID1 SSD for my TS-877. Next time I have a chance I'll just do a static volume.

I still use snapshots for the RAID5 4x4TB just for the convenience of rolling back.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman »

Snapshots DO help if a connected client is causing file changes or deletion... just not if the actual NAS is infected.
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QNAP-targeted ransomware is now a thing

Post by OneCD »

dolbyman wrote: Fri Jul 12, 2019 10:14 am
snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected
... which I guess I should have made clearer. :geek:

umpa
Easy as a breeze
Posts: 359
Joined: Sat Feb 18, 2012 8:04 pm

Re: QNAP-targeted ransomware is now a thing

Post by umpa »

I have just found out about this, I guess I live under a rock - lol. Someone has been trying to log in as administrator and the system added them to the ban list. It's something that happens from time to time - never really worried about it.

I tend to just let my QNAPs get on with it, bad I know, but I was so happy just to get them to work right that security was not high on my list. It's been that way for years.

Most of mine are old legacy devices that only get security updates, and one of them is on 4.2.6; the latest available to me as of today is QTS 4.2.6 build 20190629. The release notes don't say that this particular crypto issue is addressed in this release anyway.

I'm hesitant to install something into my NAS developed by a company who would rather I buy a brand new one from them instead. I could be jumping out of the fire into the frying pan, and I don't think QNAP would give two hoots if it all went pear-shaped as a result of installing a new firmware.

That's how I feel about it anyway.
1x TS-412 3x WD2003YYS (Enterprise) 1x WD20EFRX (Green) [Raid 0]
1x TS-412 3x WDC ED30EFRX (Red) 1X ST3000VN007 (IronWolf) [Raid 5]
1x TS-412 2x WD20EZRX (GREEN) & 2x WD20EARS (Green) [Raid 5]
1x TS-859pro 4x WD30EFRX (RED) & 4X ST3000VN007 (IronWolf) [Raid 5]
1x TS-869pro 8X HGST HDS724040ALE640 - (DeskTop) [Raid 5]
1x WDSharespace 4xWDC WD2003YYS (Enterprise) [Raid 0] - The worst NAS I have ever owned.
5x WD MybookWorld White light Edition (Which are fitted with WD Green drives as standard) also rubbish
bapw@comcast.net
Getting the hang of things
Posts: 98
Joined: Tue Apr 25, 2017 2:15 am

Re: QNAP-targeted ransomware is now a thing

Post by bapw@comcast.net »

I have not dealt with ports before so how does one find out about which ones to use. Any info would be so much appreciated. Thank you.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP-targeted ransomware is now a thing

Post by dolbyman »

Best to use no port forwarding at all... as that opens up the NAS to attacks.