[RANSOMWARE] Qlocker

QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by QNAPDanielFL »

jaysona wrote: Thu Apr 22, 2021 1:20 am

I specifically remove QNAP bloatware such as the MultiMedia Console and its associated programs, yet every so often, upon a system reboot, QNAP automatically re-installs this bloatware, along with HelpDesk, so I have to manually remove these insecure programs again. :x :x

QNAP and security are like oil and water - they just do not mix. :roll: :roll:
I am talking with our security team about what you bring up.
hellocloud
New here
Posts: 2
Joined: Thu Apr 22, 2021 1:41 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by hellocloud »

I have the same problem. QNAP was hacked and the same text !!!READ_ME.txt is there:

!!! All your files have been encrypted !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:

1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".

2. Visit the following pages with the Tor Browser:

gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion

3. Enter your Client Key:

...... (a long sequence of numbers and characters, I guess specific to every hacked user.)

----
Anybody can help ?
CoastalBird
First post
Posts: 1
Joined: Wed Apr 21, 2021 11:41 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by CoastalBird »

Media Streaming add-on appears to be a vector in this attack:
https://www.bleepingcomputer.com/news/s ... p-devices/
Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Eternic »

For anyone like me that is in the ** situation of deciding to pay up to get the 7z password, I've done so (luckily I already have a bitcoin wallet with enough) and I'm working through fixing my files now. If you're on Windows and accessing the files through explorer, the following is a batch script that I want it to be clear is not something I think you should use and if you do you should backup the folders before running it just in case. If you use this script correctly or incorrectly and have any data loss please do not blame me. Do not use it if you are going to be this person. If you don't know anything about batch files then don't use it. Also please create some test folders and 7z files and try it there first.

In order for the script to work on a network folder you'll need to map that folder or a parent folder to a drive letter (e.g. Z:). Create a batch file (e.g. FixMyStuff.bat) and place it in the folder you want fixed. It will extract any 7z files in that folder and any child folders and then delete them. You can remove the 3rd line that deletes the 7z files if you choose. The script is:

Code:

dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x" && >>extracted.txt echo %%x)
for /F "delims=" %%x in (extracted.txt) do del "%%x"

Note that this creates an allzips.txt that the script does not delete. This is what I want. You can add a line to delete allzips.txt at the end or you can rewrite the for loop to just do the (dir /s /b *.7z) internally. Where "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" is you will insert the password you get from giving the pieces of garbage your hard earned money because you were careless with your security and mistakenly trusted your NAS. You can also add lines to find and delete the !!!READ_ME.txt files, but I'll do that separately afterwards personally. You will also need to change the path to 7z.exe to wherever you have it installed.

Again, please do not use this unless you know what you are doing and take every precaution. I'm only posting it to save people some time in this ** situation and I don't want to make it worse for them if there are any issues with this script. I have not tested it on all my files yet but so far it has worked fine.

EDIT: Also note that if you have legitimate 7z files this will extract and delete them. You can separate the first line into a separate batch file and remove any 7z files you want left untouched from the allzips.txt and then run a second batch file that does the loops. You could probably also write something better that checks file modification times and only extracts files modified after a time you specify relevant to when you were hit.
Last edited by Eternic on Thu Apr 22, 2021 2:36 am, edited 1 time in total.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by QNAPDanielFL »

Eternic wrote: Thu Apr 22, 2021 2:18 am For anyone like me that is in the ** situation of deciding to pay up to get the 7z password, I've done so (luckily I already have a bitcoin wallet with enough) and I'm working through fixing my files now. If you're on Windows and accessing the files through explorer, the following is a batch script that I want it to be clear is not something I think you should use and if you do you should backup the folders before running it just in case. If you use this script correctly or incorrectly and have any data loss please do not blame me. Do not use it if you are going to be this person. If you don't know anything about batch files then don't use it. Also please create some test folders and 7z files and try it there first.

In order for the script to work on a network folder you'll need to map that folder or a parent folder to a drive letter (e.g. Z:). Create a batch file (e.g. FixMyStuff.bat) and place it in the folder you want fixed. It will extract any 7z files in that folder and any child folders and then delete them. You can remove the 3rd line that deletes the 7z files if you choose. The script is:

Code:

dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x" && >>extracted.txt echo %%x)
for /F "delims=" %%x in (extracted.txt) do del "%%x"


Note that this creates an allzips.txt that the script does not delete. This is what I want. You can add a line to delete allzips.txt at the end or you can rewrite the for loop to just do the (dir /s /b *.7z) internally. Where "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" is you will insert the password you get from giving the pieces of garbage your hard earned money because you were careless with your security and mistakenly trusted your NAS. You can also add lines to find and delete the !!!READ_ME.txt files, but I'll do that separately afterwards personally. You will also need to change the path to 7z.exe to wherever you have it installed.

Again, please do not use this unless you know what you are doing and take every precaution. I'm only posting it to save people some time in this ** situation and I don't want to make it worse for them if there are any issues with this script. I have not tested it on all my files yet but so far it has worked fine.

Are you saying this script can get the files back without paying the ransom?
Last edited by QNAPDanielFL on Thu Apr 22, 2021 2:25 am, edited 1 time in total.
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by syncthing »

QNAPDanielFL wrote: Thu Apr 22, 2021 2:23 am Are you saying this script can get the files back without paying the ransom?
I understand his posting that way, that he spent some bitcoins to get a password ...
Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Eternic »

QNAPDanielFL wrote: Thu Apr 22, 2021 2:23 am Are you saying this script can get the files back without paying the ransom?
No, I paid the ransom. This is just a script to automate the process of using the password paid for to unzip the password protected 7z files and delete them as this is a process that would take days on my NAS to do without automation.
jaysona
Been there, done that
Posts: 856
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

QNAPDanielFL wrote: Thu Apr 22, 2021 2:10 am
jaysona wrote: Thu Apr 22, 2021 1:20 am

I specifically remove QNAP bloatware such as the MultiMedia Console and its associated programs, yet every so often, upon a system reboot, QNAP automatically re-installs this bloatware, along with HelpDesk, so I have to manually remove these insecure programs again. :x :x

QNAP and security are like oil and water - they just do not mix. :roll: :roll:
I am talking with our security team about what you bring up.
Hopefully at some point in the future QNAP will finally level-up and become a mature company software wise.

Funny enough, as this latest security snafu presented itself, my Asustor AS6604T was delivered. I have had it with QNAP and I am now exploring other options - starting off small of course before committing money to the purchase of 10+ bay units.
RAID is not a Back-up!

H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by syncthing »

jaysona wrote: Thu Apr 22, 2021 1:20 am I specifically remove QNAP bloatware such as the MultiMedia Console and its associated programs, yet every so often, upon a system reboot, QNAP automatically re-installs this bloatware, along with HelpDesk, so I have to manually remove these insecure programs again. :x :x

QNAP and security are like oil and water - they just do not mix. :roll: :roll:
what is the best way to delete them?
jaysona
Been there, done that
Posts: 856
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

QNAPDanielFL wrote: Thu Apr 22, 2021 2:23 am ....
Are you saying this script can get the files back without paying the ransom?
This poster claims it to be possible to find out what the encryption password is without paying - as long as the process of encrypting the files is still active on the NAS.

viewtopic.php?f=45&t=160849#p786812
jaysona
Been there, done that
Posts: 856
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

syncthing wrote: Thu Apr 22, 2021 2:36 am ....

what is the best way to delete them?
viewtopic.php?t=158593&p=774659
elvisimprsntr

[RANSOMWARE] 4/20/2021 - new virus ?

Post by elvisimprsntr »

Rule #1 Never, ever expose QNAP NAS to WAN

Rule #2 See Rule #1
jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jbennett360 »

elvisimprsntr wrote: Thu Apr 22, 2021 3:02 am Rule #1 Never, ever expose QNAP NAS to WAN

Rule #2 See Rule #1
Rule #3 Check rule 1&2 again.

Disable UPnP
Disable/Don't use MyQNAPCloud
Don't port forward

Pretty much should be covered with those three!
elvisimprsntr

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by elvisimprsntr »

Disable UPnP in your router and reboot router/firewall to close any active UPnP ports.
jaysona
Been there, done that
Posts: 856
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona »

melliott1963 wrote: Thu Apr 22, 2021 3:13 am .....
Does this mean that there is now no way anyone can remotely access my servers, or are there any other settings I need to check?
*sigh* repost of a repost, of a repost, of a ... :roll:

viewtopic.php?f=45&t=160849&start=15#p786840

viewtopic.php?f=45&t=160308#p783870

1. Disable UPnP on the router.
2. Disable UPnP on the NAS.
3. Do not port forward 8080/443 from the router to the NAS.
4. Do not change ports 8080/443 to some other obscure port and forward those obscure ports accessible on the Internet - they will eventually be discovered.
5. Disable/remove all QTS apps that are not being actively used.
6. Enable the built-in IP Access Protection.

Use the NAS as a NAS and nothing more, unless you have the technical know-how and have the desire to tinker and accept the risks associated with tinkering.
Last edited by jaysona on Thu Apr 22, 2021 3:34 am, edited 2 times in total.
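Both jbennett360's three rules (disable UPnP, don't use myQNAPcloud, don't port forward) and jaysona's checklist above come down to one question: does the router currently forward anything from the Internet to the NAS? UPnP mappings are invisible in most router UIs, which is why elvisimprsntr advises rebooting the router after disabling UPnP. The script below is an added example (mine, not code from this thread or from QNAP) that asks the router itself: it discovers the Internet Gateway Device with SSDP, finds its WANIPConnection or WANPPPConnection service, then walks GetGenericPortMappingEntry by index until the router returns UPnP error 713 (no more entries), and reports which mappings point at a given LAN address. Standard library only. The description URL, the LAN address 192.168.1.20 and the two SAMPLE_* replies are constructed for offline checking, not captured from any real device.

```python
"""List the port forwards a router has opened via UPnP (IGD v1) and show which
point at a LAN host such as a NAS. Added example; standard library only."""
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def parse_ssdp_location(reply_text):
    """Return the LOCATION header (device description URL) from an SSDP reply, or None."""
    m = re.search(r"(?im)^location:\s*(\S+)", reply_text)
    return m.group(1) if m else None

def discover_igd(timeout=2.0):
    """Multicast an SSDP M-SEARCH for an Internet Gateway Device; None if nothing answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ' + IGD_DEVICE + "\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, SSDP_GROUP)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_location(data.decode(errors="replace"))

def find_wan_service(description_url):
    """Fetch the device description; return (control_url, service_type) for WAN*Connection."""
    with urllib.request.urlopen(description_url, timeout=5) as resp:
        root = ET.fromstring(resp.read())
    for service in root.iter():
        if _local(service.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in service}
        if fields.get("serviceType") in WAN_SERVICES:
            return urljoin(description_url, fields["controlURL"]), fields["serviceType"]
    return None

def parse_mapping_response(xml_text):
    """GetGenericPortMappingEntry response -> dict; None for a SOAP fault
    (error 713 SpecifiedArrayIndexInvalid is how the router says 'no more entries')."""
    root = ET.fromstring(xml_text)
    body = next(el for el in root.iter() if _local(el.tag) == "Body")
    payload = list(body)[0]
    if _local(payload.tag) == "Fault":
        return None
    f = {_local(c.tag): (c.text or "").strip() for c in payload}
    return {"external_port": int(f["NewExternalPort"]), "protocol": f["NewProtocol"],
            "internal_client": f["NewInternalClient"], "internal_port": int(f["NewInternalPort"]),
            "enabled": f.get("NewEnabled") == "1",
            "description": f.get("NewPortMappingDescription", "")}

def get_mapping(control_url, service_type, index):
    """One SOAP call by index. Past the last entry the IGD answers HTTP 500 with a fault."""
    action = "GetGenericPortMappingEntry"
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}"><NewPortMappingIndex>{index}'
            f'</NewPortMappingIndex></u:{action}></s:Body></s:Envelope>').encode()
    req = urllib.request.Request(control_url, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#{action}"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_mapping_response(resp.read())
    except urllib.error.HTTPError as err:
        return parse_mapping_response(err.read())

def list_mappings(control_url, service_type, limit=512):
    """Walk indexes from 0 until the router reports the index as invalid."""
    mappings = []
    for index in range(limit):
        entry = get_mapping(control_url, service_type, index)
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def mappings_to_host(mappings, host):
    """Entries that forward Internet traffic to one LAN address, e.g. your NAS."""
    return [m for m in mappings if m["internal_client"] == host]

# Constructed sample replies (not captured from a real router) for offline checks.
SAMPLE_ENTRY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8080</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>sample-nas-web</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    import sys
    location = discover_igd()
    if not location:
        sys.exit("No UPnP gateway answered; UPnP may already be disabled on the router.")
    found = find_wan_service(location)
    if not found:
        sys.exit("Gateway found but no WAN*Connection service advertised.")
    for m in list_mappings(*found):
        print(f"{m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']} "
              f"enabled={m['enabled']} {m['description']}")
```

Run it from a machine on the LAN before and after disabling UPnP on the router (and on the NAS) and rebooting the router: the mappings that pointed at the NAS should be gone, and on a correctly configured router the script should not even find a gateway. It reads mappings only; it never adds or deletes them.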