[RANSOMWARE] 4/20/2021 - QLOCKER

Bob Zelin
Experience counts
Posts: 1068
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.

[RANSOMWARE] 4/20/2021 - QLOCKER

Post by Bob Zelin » Wed Apr 21, 2021 6:20 am

Just saw this (client called me).
Client was using RTRR to customer in Washington DC. Port 8899 on router opened. I know nothing about the clients security.

Anyone see this yet (in every folder)?

Bob Zelin (and yes - this is what having Snapshots is all about) -

-
!!! All your files have been encrypted !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:

1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".

2. Visit the following pages with the Tor Browser:

gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion

3. Enter your Client Key:

eaXHuUpkr+h4Z3oeHWVb/BEJfjEPckMEVJHYBp6+XYmtQaghA3xfQm9cpvdCLS1IWQhAXAMuiSyqc7+RyDACGWPVa2qJnHNjaFSNpzP7hrdHwqd5tcCBRjca1MSv907XaJtpPW5uZjBCSERfTKkL+ZhJjn5Tv6cj/VqUKAoOa6W9QrW8osEil7rMhSU0FGHD/nOocqPNqwrufBnh/qcRl0JgHpBTwA+OZE7Q/p99X8vA9iS8A1zTYkCzQ6GQk9Eo7rEdFdOCoNiof3xEly29qRgwHffQbrI1P4NPXZyDHue8MeGu6ZvHic66mTr0FVHbojBLulzA+Yp0ZYAApeIrSA==
Last edited by Toxic17 on Thu Apr 22, 2021 5:46 am, edited 2 times in total.
Reason: topic title adding qlocker name.
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com

OneCD
Ask me anything
Posts: 9051
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: 4/20/2021 - new virus ?

Post by OneCD » Wed Apr 21, 2021 6:33 am

It got a mention here too: https://www.bleepingcomputer.com/forums ... ension-7z/

Seems it's called Qlocker.


Bob Zelin
Experience counts
Posts: 1068
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.

Re: 4/20/2021 - new virus ?

Post by Bob Zelin » Wed Apr 21, 2021 7:26 am

here we go again ......
bob
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com

jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: 4/20/2021 - Qlocker in the wild.

Post by jaysona » Wed Apr 21, 2021 11:13 am

The .onion site calls it Qlocker, and apparently the encrypted blob (appears to be 256 bytes base64 = RSA-2048) in the note is the password for the files.


(attachment: qlocker.png)
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)

netpol
First post
Posts: 1
Joined: Wed Apr 21, 2021 2:24 pm

Re: 4/20/2021 - new virus ?

Post by netpol » Wed Apr 21, 2021 2:47 pm

The question is WHAT NOW? How can I get back my files!!!!

OneCD
Ask me anything
Posts: 9051
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: 4/20/2021 - new virus ?

Post by OneCD » Wed Apr 21, 2021 2:58 pm

netpol wrote:
Wed Apr 21, 2021 2:47 pm
How can I get back my files!!!!
Restore them from your external backups. Simple.


peelos
Been there, done that
Posts: 521
Joined: Sun Jun 26, 2016 9:28 pm

Re: 4/20/2021 - new virus ?

Post by peelos » Wed Apr 21, 2021 3:12 pm

netpol wrote: The question is WHAT NOW? How can I get back my files!!!!
Which ports did you have open on the NAS / or which services were connected to the Internet?
NAS: TVS-1282-i7K-40G / 4 x 500GB SSD 2.5" / 2 x 500GB M.2 SSD / 8 x 12TB WD Whites 3.5" / Corsair H5-SF Watercooling / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / QTransmission / Sonarr / Radarr / Bazarr / Jackett / QMono / Tautulli / OpenHAB / Resilio Sync / QPython / QJDK 8 / NetData / Qapache / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / Advanced Tomato Firmware

Toxic17
Ask me anything
Posts: 5702
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: 4/20/2021 - new virus ?

Post by Toxic17 » Wed Apr 21, 2021 7:13 pm

Whoever is affected by this QLocker please submit your findings to the security team ASAP.

https://www.qnap.com/en-uk/security-adv ... #sa-report

If this is not addressed by QNAP soon, more will be vulnerable!
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.5.3.1652 • TVS-463-16GB 4.5.3.1652 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1624 • APC Back-UPS ES 700G
Network: VM Hub3 • UniFi UDM Pro 1.10-0.9 • Controller: 6.2.23 • UniFi US-16-150W/US-8-60W 5.60.3 • USW Mini Flex 1.8.4 • UniFi G3-Flex • AP: AC Pro 5.60.3 • U6-LR 5.60.3

Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Eternic » Wed Apr 21, 2021 10:30 pm

Same thing's happened to me. On my router I had port 8080 opened (no idea why; I didn't realise this until I just checked) and also run RTorrent on the NAS and had port 3690 open for that. Unfortunately, while I don't have much on there that's super important and unrecoverable, we do have a lot of family photos we'd just recently put on the NAS and we don't have backups for a lot of those. Unfortunately I'll probably just pay the ransom.

I'm not an expert on security for NAS devices. Is it likely that port 8080 being open was the issue? I don't want to go pay and spend the time recovering the files only for it to possibly happen again. I'd also prefer not to have to stop using rtorrent on the NAS, but I can't see myself trusting the NAS going forward, so I'll probably have to have it be entirely offline and switch anything that needs internet access over to a PC.

jacobite1
Easy as a breeze
Posts: 377
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jacobite1 » Wed Apr 21, 2021 10:46 pm

No one has any idea what the vector is right now. I've actually opted to shut my unit down because I don't need it for a few days (and haven't been affected so far). Hopefully there will be a better idea what the problem is by then!

Edit: some are suspecting qnapcloud/qnapcloudlink - a few victims had 'publish services' switched on so they were actually searchable through qnapcloud.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!

yugiohnl
New here
Posts: 2
Joined: Wed Apr 21, 2021 11:09 pm

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by yugiohnl » Wed Apr 21, 2021 11:14 pm

If you are suffering from the encryption and the process is still running, you can still get the encryption key by running this command (it moves the real 7z binary aside and replaces it with a shell shim that logs every argument it is called with, then stalls so the caller never gets past it):

cd /usr/local/sbin && mv 7z 7z.bak && printf '#!/bin/sh\necho "$@"\necho "$@" >> /mnt/HDA_ROOT/7z.log\nsleep 60000\n' > 7z && chmod +x 7z

The encryption key will be stored in /mnt/HDA_ROOT/7z.log, which you can then use to decrypt.

Hope this helps!!!
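As an added analysis example (not from this thread, from QNAP, or from the malware), the script below covers two points raised above: jaysona's observation that the note's Client Key is a 256-byte, i.e. RSA-2048-sized, blob, and yugiohnl's shim, whose log can be searched offline for the 7-Zip -p switch once a copy of it has been pulled off the NAS. The log lines are constructed for the example and are not a captured command line; the Client Key is the one quoted in the first post.

```python
import base64
import shlex

# Constructed sample of what yugiohnl's 7z shim appends to /mnt/HDA_ROOT/7z.log:
# one intercepted 7z command line per entry. -p{password} and -mx=0 are standard
# 7-Zip switches; the paths and the password are made up, not a captured command.
SAMPLE_LOG = """\
a -mx=0 -pK7x2QmVb9zLpR4tW /share/CACHEDEV1_DATA/Photos/2021.7z /share/CACHEDEV1_DATA/Photos/2021
a -mx=0 -pK7x2QmVb9zLpR4tW /share/CACHEDEV1_DATA/Docs/tax.7z /share/CACHEDEV1_DATA/Docs/tax
l /share/CACHEDEV1_DATA/Public/old.7z
"""

# Client Key exactly as quoted in the ransom note at the top of the thread.
CLIENT_KEY_B64 = (
    "eaXHuUpkr+h4Z3oeHWVb/BEJfjEPckMEVJHYBp6+XYmtQaghA3xfQm9cpvdCLS1IWQhAXAMuiSyqc7+RyDACGW"
    "PVa2qJnHNjaFSNpzP7hrdHwqd5tcCBRjca1MSv907XaJtpPW5uZjBCSERfTKkL+ZhJjn5Tv6cj/VqUKAoOa6W9"
    "QrW8osEil7rMhSU0FGHD/nOocqPNqwrufBnh/qcRl0JgHpBTwA+OZE7Q/p99X8vA9iS8A1zTYkCzQ6GQk9Eo7r"
    "EdFdOCoNiof3xEly29qRgwHffQbrI1P4NPXZyDHue8MeGu6ZvHic66mTr0FVHbojBLulzA+Yp0ZYAApeIrSA=="
)

def parse_7z_invocation(line):
    """Return (password, archive, sources) for an 'a' (add) job, else None."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "a":
        return None
    password, positional = None, []
    for arg in argv[1:]:
        if arg.startswith("-p") and len(arg) > 2:  # 7-Zip attaches it: -p{password}
            password = arg[2:]
        elif not arg.startswith("-"):             # keep paths, skip switches like -mx=0
            positional.append(arg)
    if not positional:
        return None
    return password, positional[0], positional[1:]

def recover_passwords(log_text):
    """Distinct passwords seen across all compress jobs, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        job = parse_7z_invocation(line)
        if job and job[0] and job[0] not in seen:
            seen.append(job[0])
    return seen

def client_key_bits(b64):
    """Decoded size in bits. 2048 matches an RSA-2048 ciphertext, which cannot be
    inverted without the attacker's private key, so the note alone recovers nothing."""
    return len(base64.b64decode(b64, validate=True)) * 8
```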

jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona » Wed Apr 21, 2021 11:16 pm

Eternic wrote:
Wed Apr 21, 2021 10:30 pm
...
I'm not an expert on security for NAS devices. Is it likely that port 8080 being open was the issue? I don't want to go pay and spend the time recovering the files only for it to possibly happen again. I'd also prefer not to have to stop using rtorrent on the NAS, but I can't see myself trusting the NAS going forward, so I'll probably have to have it be entirely offline and switch anything that needs internet access over to a PC.
QNAP has been shown to be extremely insecure numerous times when it comes to making the NAS web admin page and the various applications (Music Station, Video Station, Photo Station, File Station, etc.) accessible from the Internet via port 8080/443.

There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)

jacobite1
Easy as a breeze
Posts: 377
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jacobite1 » Wed Apr 21, 2021 11:24 pm

jaysona wrote:
Wed Apr 21, 2021 11:16 pm
There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
Completely agree with you, and this is very good advice.

The issue is that in this case there are people on other forums swearing blindly that nothing was port forwarded or externally accessible. I guess it's possible nothing was port forwarded but they did, unknowingly, have qnapcloudlink enabled?
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!

Skwor
Know my way around
Posts: 159
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by Skwor » Wed Apr 21, 2021 11:29 pm

jacobite1 wrote:
Wed Apr 21, 2021 11:24 pm
jaysona wrote:
Wed Apr 21, 2021 11:16 pm
There have been several QTS 0-day exploits in the past, and there will be more in the future. QTS is just a cluster-eff of a mess of PHP coding that has more holes in it than Swiss cheese.

Just do not make the QTS Web Admin page and associated QTS applications accessible from the Internet.
Completely agree with you, and this is very good advice.

The issue is that in this case there are people on other forums swearing blindly that nothing was port forwarded or externally accessible. I guess it's possible nothing was port forwarded but they did, unknowingly, have qnapcloudlink enabled?
Ya, right now the reports of this are conflicting; they are not making sense as far as possible vectors go.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos

jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - new virus ?

Post by jaysona » Wed Apr 21, 2021 11:41 pm

Many (if not most) people seem to forget that the HelpDesk app was used as a vector in the past, and QNAP very quietly plugged that hole, could be another one was found again.

About a year ago, I had a fresh QTS install on a TS-853 Pro get compromised overnight. I have no port forwards on the particular LAN segment (I have four different ISP connections) I use for new machine builds, and the LAN segment only had the TS-853 Pro and a LiveCD laptop connected to it. The only QTS app the QNAP had was the HelpDesk; it was getting close to 4am, and I decided to pause the NAS build (it is now my seedbox) until the next day. When I picked up and continued the build, I noticed that the network activity was completely out of whack for what should be happening. The NAS had malware, and the only vector I can think of is HelpDesk, and I know that (at the time) the HelpDesk app (as well as others) does make outbound calls.

In any case, I always presume that QTS and its associated apps are just about as insecure as they possibly can be, and manage the NAS accordingly.
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)
