[RANSOMWARE] Qlocker

saturdaynightyay
Starting out
Posts: 19
Joined: Thu Apr 22, 2021 6:22 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by saturdaynightyay »

jonezed7 wrote: Fri Apr 23, 2021 3:57 am Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.
I doubt it mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.
Fly100
Getting the hang of things
Posts: 89
Joined: Fri Dec 26, 2008 4:07 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Fly100 »

saturdaynightyay wrote: Fri Apr 23, 2021 3:41 am
Fly100 wrote: Fri Apr 23, 2021 3:22 am
dir /s /b *.7z > allzips.txt
for /F "delims=" %%x in (allzips.txt) do ("C:\Program Files\7-Zip\7z.exe" e -pXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -o"%%~dpx" "%%x")
for /F "delims=" %%x in (allzips.txt) do del "%%x"

A guy earlier in the thread wrote this gem. Thank you Sir :-) well played. Could anyone offer advice on it please? I can only get it to work if I put the bat file in the same dir as the 7z files; it won't then do any of the sub dirs in the main dir.

Thank you again to the gent that wrote it.

Hero.

FLY
Yes It would be good to get a script that will do everything. Also if you could specify which folder to run the script from?

Cheers
Well, I have no idea why but it's now working. Must be my end. Doh.
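A Python variant of the batch approach quoted above, added here as an example and not code from any poster in this thread: it walks all subfolders itself and removes an archive only after 7-Zip exits with code 0, whereas the batch file's third line deletes every listed archive. The names `run_7z` and `recover_tree` are made up for this example; the 7-Zip path is the one from the batch file and the password is whatever was used to create the archives.

```python
import argparse
import getpass
import subprocess
from pathlib import Path

# Same install path as the batch file above; adjust for your machine.
SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"


def run_7z(archive: Path, password: str) -> bool:
    """Extract one archive into its own folder; True only on exit code 0."""
    cmd = [SEVEN_ZIP, "e", f"-p{password}", f"-o{archive.parent}",
           "-aou",  # auto-rename instead of overwriting an existing file
           str(archive)]
    done = subprocess.run(cmd, capture_output=True, stdin=subprocess.DEVNULL)
    return done.returncode == 0


def recover_tree(root, password, extract=run_7z, delete=False):
    """Process every .7z under root, subfolders included.

    Returns (recovered, failed). An archive is removed only when delete=True
    and its extraction succeeded, so failures can be retried later.
    """
    recovered, failed = [], []
    # sorted() materialises the listing before any file is deleted
    for archive in sorted(Path(root).rglob("*.7z")):
        if extract(archive, password):
            recovered.append(archive)
            if delete:
                archive.unlink()
        else:
            failed.append(archive)
    return recovered, failed


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Recursive 7z recovery")
    ap.add_argument("root", help="top folder to scan")
    ap.add_argument("--delete", action="store_true",
                    help="remove each archive after a clean extraction")
    args = ap.parse_args()
    # Prompt so the password stays out of shell history and script files
    pw = getpass.getpass("Archive password: ")
    ok, bad = recover_tree(args.root, pw, delete=args.delete)
    print(f"recovered {len(ok)}, failed {len(bad)}")
    for path in bad:
        print("FAILED:", path)
```

Run it first without `--delete` against a copy of one folder and check the extracted files before letting it remove anything.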
saturdaynightyay
Starting out
Posts: 19
Joined: Thu Apr 22, 2021 6:22 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by saturdaynightyay »

Fly100, so you log on to SSH and type those 3 commands (1 for each line) in order?

After entering line 1 I get:

-sh: dir: command not found :ashamed:

Ah, it looks like it's a DOS command, I should try it from PC

Cheers
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

McBride wrote: Fri Apr 23, 2021 3:30 am That’s called gross negligence and can have legal consequences.


Austria est imperare orbi universo
You would think so, but that is not the case. Read the software license and usage agreement you accept when you use the NAS. You effectively agree to an as-is use of the software and QNAP provides no guarantees about its software.

I have had numerous "discussions" with "software engineers" that I know and have told more than a few that if they were civil engineers, they would be in jail for gross negligence. The issue is that software people (aside from certain Aerospace applications) have absolutely no legal obligations whatsoever when it comes to software code robustness.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
Felgenklarlack
First post
Posts: 1
Joined: Wed Mar 12, 2014 6:03 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Felgenklarlack »

Same Problem here :-(
jonezed7
New here
Posts: 5
Joined: Fri Apr 23, 2021 3:25 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jonezed7 »

saturdaynightyay wrote: Fri Apr 23, 2021 4:03 am
jonezed7 wrote: Fri Apr 23, 2021 3:57 am Any way to get the process to run again to pull the log file? I tried reversing everything I did after the restart.
I doubt it mate, things like that are a 1 time thing. It's like a DOS prompt, I don't think it gets stored.
I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.
saturdaynightyay
Starting out
Posts: 19
Joined: Thu Apr 22, 2021 6:22 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by saturdaynightyay »

In Control Panel, then Security, you can set it to block them after X number of failed login attempts.
phr34k
Starting out
Posts: 26
Joined: Wed Dec 09, 2015 2:59 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by phr34k »

So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

jonezed7 wrote: Fri Apr 23, 2021 4:34 am
I'm still getting login attempts every 5 minutes. I never saw a successful login that wasn't my IP though. Was it back doored through the qsync or whatever? I'm just confused.
Time to disable port forwarding to the QTS admin webpage of your NAS, it will eventually get compromised.
saturdaynightyay
Starting out
Posts: 19
Joined: Thu Apr 22, 2021 6:22 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by saturdaynightyay »

phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
Password is 32 characters. I am guessing brute force would take forever.

Try this (from another website - I have not tried it):
Hey guys,

unfortunately, my NAS was also affected. But don't worry, I have a solution. ;)

You can use the following software to restore your data from the disks.

https://www.cgsecurity.org/wiki/TestDisk_Download

First you have to connect via ssh to your NAS and you have to install the tool from the link, it's called PhotoRec. Then you have to mount a local disk from your machine, you can use Samba to mount a disk from Windows to the NAS.

Supported file systems:
FAT, NTFS, exFAT, ext, HFS+

How does it work?
The tool can restore deleted files from the disk. All deleted files are still present, but the location of the first data block is removed. The tool can scan all sectors of the disk and can restore a lot of files. With a little bit of luck the tool can restore all files.

My program has been running for an hour, and I have restored 18k files already. :) A lot of my vacation pictures are already back.

If you have any technical questions you can contact me here in the forum or also via mail at security@received.eu.

It is not the best solution, but with luck you can restore your files and you have to pay nothing.

Regards and good luck,
MAI2VIN
Last edited by saturdaynightyay on Fri Apr 23, 2021 4:50 am, edited 1 time in total.
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
For a brute-force attack you are looking at some very bleak numbers
[Attachment: time_calc.png]
You can either wait for an exploit attack or if anyone captures the key server.. if the server gets taken down and passwords are not made public you go back to the above calculation chart
phr34k
Starting out
Posts: 26
Joined: Wed Dec 09, 2015 2:59 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by phr34k »

saturdaynightyay wrote: Fri Apr 23, 2021 4:47 am
phr34k wrote: Fri Apr 23, 2021 4:37 am So what should we do now? Wait? Is help coming or is this a lost case? Should we try to pay the ransom?
Is it possible to brute force the 7z file or is that a lost cause? I mean does it take weeks or are we talking years? I have all my pictures of my daughter from being born till now :(
If process has finished then just pay the ransom, password is 32 characters. I am guessing brute force would take forever.
I'm definitely thinking about paying but I don't know which Bitcoin service to use so I can "send" them their money. I have never dealt with BTC and I tried Revolut but they don't allow me to send money to an address
McBride
Know my way around
Posts: 107
Joined: Fri Jun 07, 2013 3:00 pm
Location: Vienna

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by McBride »

jaysona wrote: Fri Apr 23, 2021 4:29 am
McBride wrote: Fri Apr 23, 2021 3:30 am That’s called gross negligence and can have legal consequences.


Austria est imperare orbi universo
You would think so, but that is not the case. Read the software license and usage agreement you accept when you use the NAS. You effectively agree to an as-is use of the software and QNAP provides no guarantees about its software.

I have had numerous "discussions" with "software engineers" that I know and have told more than a few that if they were civil engineers, they would be in jail for gross negligence. The issue is that software people (aside from certain Aerospace applications) have absolutely no legal obligations whatsoever when it comes to software code robustness.
There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.
saturdaynightyay
Starting out
Posts: 19
Joined: Thu Apr 22, 2021 6:22 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by saturdaynightyay »

phr34k, I have used Paxful in the past for bitcoin, it seemed straightforward enough
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

McBride wrote: Fri Apr 23, 2021 4:50 am There is a difference between software bugs and gross negligence. Therefore I think this will not fly, at least not in Europe. The first time in my life I am seriously thinking about letting a (my) lawyer look into something like this. Why? Because I am angry.
Good luck.. that is not QNAP's first crypto malware attack rodeo ... and they are still around

https://www.zdnet.com/article/cisa-says ... h-malware/
https://www.bleepingcomputer.com/news/s ... s-devices/
etc