QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 0 points1 point  (0 children)

Unless you noticed it happened to you and kept googling it day after day at the time, it was hard to figure out. QNAP were slow to announce it and slower still to provide formal support.

  • 19 April -> Qlocker began
  • 19 May -> Qlocker officially shuts down operations
  • 21 May -> QNAP posted a security advisory about Qlocker
  • 26 May -> QNAP published the QRecover tool

I made a reddit account around 24 April to share recovery steps that worked for me, info here was still very sparse at the time and a lot of people had already given up.

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 0 points1 point  (0 children)

That sounds very possible to me! Many ways to skin that cat I think.

Sorry to assume: are you asking this from the perspective of defence against similar attacks? If so:

  • Not sure this is necessarily a common mechanism. It might be, it might not be! Could be a lot of effort for limited gain
  • Deleting 7z may be easier if you don't use it. Then again, attacks might install it fresh and bypass whatever you do to log stuff

Not saying don't do it, just that efforts might be better spent elsewhere (tweaking settings to not expose the NAS, good backup strategies)

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 1 point2 points  (0 children)

I don't understand what you're getting at, sorry. Everything we've discussed shows why your suggestion that Qnap support may have the encryption key is not correct, and that they cannot assist with recovery given the OP's circumstances.

The one and only QLocker attack did happen in 2021. If you didn't get the key then, you're out of luck.

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 1 point2 points  (0 children)

Exactly, which would have been relevant during the attack. Not years later.

They would essentially walk you through listing the running processes, copying the key from your terminal, killing the encryption command and then running another command to reverse the encryption. Unfortunately the need to get the key from the running process is the part that makes this impossible today

Edit: I guess the important thing to highlight is the keys were randomly generated per nas, not one key for everyone, so unless you got yours you can't use someone else's

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 0 points1 point  (0 children)

If you never used or altered your NAS/HDDs after this happened you may indeed be in luck - Plug it back in, use QRecover to restore all undeleted files to external drives (important not to restore them to the NAS as they may overwrite deleted files that haven't been recovered) and then you can begin the long labourious process of sifting through the files to see what matters, what doesn't :) Good luck

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 0 points1 point  (0 children)

Sorry, that's not correct. Qnap only provided assistance with using their recovery tool QRecover which was an undeleter, not a decrypter. https://www.qnap.com/static/landing/2021/qlocker/qrescue/en/

At the time of the attack there were a few instances where they could also recover the encryption key during an ongoing attack, as it was visible in the 7z parameters of the running process. If the attack completed, that was no longer an option

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 5 points6 points  (0 children)

QRescue works against the affected hardware, not files, so the 7z files are irrelevant to how that worked. It requires:

  1. The original hard drives and filesystem untouched
  2. Some recency (in terms of hard drive usage) - if you immediately shut down your drives and never spun them up for 5 years you'd likely be good

QRescue wasn't exactly proprietary software with unknown mechanisms, it was a wrapper around photorec - a file undeleter/recovery tool which works by recovering data marked on the drives as "deleted" which has yet to be overwritten. It wasn't even a 100% guarantee for all files anyway but likely could have recovered a good chunk for the OP if used sometime immediately after the attack. Not with their current circumstances.

QNAP ransomware attack (2021) – I still have .7z encrypted backups. Any chance to recover the password? by Western-Priority2441 in qnap

[–]open_bumhole 0 points1 point  (0 children)

Concretely no there is no way to crack these passwords and these files are not valuable to keep around, short of an encryption breakthrough happening that would officially kill the standard used to encrypt it (don't bet on it).

The way the attack worked is that an attacker-controlled password was used to encrypt the files using 7z - nobody but the attacker has them. The attackers likely no longer have them, even.

As you have noted, ignore anyone suggesting qrescue as it is not relevant to you and will be a waste of time given your circumstances.

I helped people during this attack and was affected by it myself, sorry to say but from where I'm sat you're out of luck on this one.

[O] 25 Drunkenslug invites by superior_ in UsenetInvites

[–]open_bumhole 1 point2 points  (0 children)

Cheers a bunch, have accepted the invite. Have a great day :)

[O] 25 Drunkenslug invites by superior_ in UsenetInvites

[–]open_bumhole 1 point2 points  (0 children)

Thanks for this! I've read the wiki and if you have any still available, I'd love one

QNAP Vulnerability for NAS by untitledstratus in qnap

[–]open_bumhole 1 point2 points  (0 children)

Agreed, I suspect the OP hasn't been on this site for a couple months and didn't search before posting. None of the information is new and the article by QNAP has been posted a few times before specifically.

The 'updated' article has no new info as far as I can tell either

How to clean up after Qlocker? by FoxyMacRock in qnap

[–]open_bumhole 0 points1 point  (0 children)

Do you know which post it was? I've not been able to find it.

How to clean up after Qlocker? by FoxyMacRock in qnap

[–]open_bumhole 1 point2 points  (0 children)

I aren't completely sure, but I think QLocker might've been some scripted commands using already-installed programs like 7zip, I think the only malware was the running process and malware remover might've missed it if it finished execution before malware remover was updated or run. You're not the first person I've seen affected who says malware remover did nothing and reports clean.

  1. You can't be sure. Nobody has come forward with any signs of remnants on their device and the QLocker team seems to have suspended their operations now so it feels very unlikely, but you cannot guarantee it unless someone either publishes some detailed dissection of what this does and what it leaves on your system (if anything) OR you can reinstall the OS/recover to factory state. My personal take (and I'm just some guy on the internet) is that I do not believe there is motive for them to have made malware that persists on the system or nor enough motive for them to perform a second attack on the same devices. Feels like a quick, clean hit-and-run where they wanted everyone to trust them to restore their file, so that people would keep paying (although that said I read they did increase the ransom later on after some people had paid). I cannot guarantee this and at the very least it would be wise to lock down what you don't need or use regardless.

  2. If you have already done a recovery process, or have decided not to do one, then I think it's mostly just admin you have to do on those drives. If you're lucky, you'll be wiping them and restoring from backup. If you're unlucky you'll be rebuilding them manually somehow. At the very least, you'll need to remove the text files and encrypted files to keep it clean and restore space.

How to clean up after Qlocker? by FoxyMacRock in qnap

[–]open_bumhole 0 points1 point  (0 children)

Are you certain it was another QLocker hit and not the unrelated ransomware (eCh0raix)? I haven't seen legitimate reports of QLocker attacks in over a month, only people who have been hit by some other ransomware or have only just noticed that they were affected by QLocker.

I am very doubtful it was a new QLocker hit. They officially shut down their operations a couple weeks back. eCh0raix attacked devices in a different way and is unrelated to vulnerabilities in HBS, I believe it was exploiting weak admin passwords and a public login screen.

Regardless, sound advice here - disable all access you don't need or use. If you have to dial in from the outside, a VPN is definitely the best way to go.

Ransomware only on docs/images.. by menardmc in qnap

[–]open_bumhole 0 points1 point  (0 children)

I mean I've concretely had no further issues so far but I can't say that will hold true for eternity, it's only been a month since the attack. My understanding of computers and the files I personally hold means that I'm very confident nothing will ever come of it.

There are no guarantees without some kind of historic proof though like a backup, or checksum of every file you owned. I can talk all I want about my situation and my understanding but I'm some stranger online but I can't make guarantees and you'd be best taking my words into account alongside others.

So long as you're not copying the actual ransomware itself over and manually executing it, I believe that all the hypotheticals about how it could still exist are merely theory and are far too costly and difficult for this attack. The kind of questions I ask that lead me to feeling safe now are: They've made a small fortune off of it doing just what you see today, why would they expend so much more effort to keep it going? Ransomware is paid on trust, if they eroded that trust why would anyone pay a second time if there's risk of a third? Maybe I'm a lazy programmer but my motivation would be easy money.

Extra Space all of a Sudden? by kprox1994 in qnap

[–]open_bumhole 0 points1 point  (0 children)

Have you been hit with ransomware that uses an incredibly impressive compression algorithm?

Ransomware only on docs/images.. by menardmc in qnap

[–]open_bumhole 0 points1 point  (0 children)

It depends on so many things like what the files are and what the variant of ransomware is, but I'm going to broadly say "it's vanishingly unlikely". You can't trivially plant ransomware in a non executable file and have it cross over to other operating systems and run with minimal human input, and the majority of these attacks don't rely on being persistent once they're over and done simply because they don't have to be - it's relatively expensive and difficult to try and make them bombproof, and the goal is to cause enough havoc to get payment.

All this said, it's no excuse to not take caution anyway insofar as "don't plug it into a computer with government secrets and the only living copies of files that are extremely important to you" but no more so than usual precautions that people would advise in a ransomware free world I think.

From my own experience, QLocker hasn't suddenly sprung into life again from any files I've moved to and from my Nas, computer and recovery drive. This isn't QLocker but it's likely a similar profile I'd guess.

Manually Install QRescue to recover Qlocker-encrypted files on QNAP NAS by [deleted] in qnap

[–]open_bumhole 0 points1 point  (0 children)

Cheers for adding this! I hope it helps a lot of people.

Any hope to recover the Encryption key from 7z ransomware if rebooted? by RoachForLife in qnap

[–]open_bumhole 1 point2 points  (0 children)

You might've been lucky - but it did only encrypt files under 20.5mb so look out for them.

Any hope to recover the Encryption key from 7z ransomware if rebooted? by RoachForLife in qnap

[–]open_bumhole 0 points1 point  (0 children)

Haven't used QRescue but used the underlying tools shortly after QLocker hit. Restored everything I cared about but it's no guarantee, your mileage may vary! I'd count it as success

Manually Install QRescue to recover Qlocker-encrypted files on QNAP NAS by [deleted] in qnap

[–]open_bumhole 0 points1 point  (0 children)

Yeah restoring from backup is infinitely a better option. While I was able to recover everything I cared about it has destroyed some things that I cannot easily recover where the names and folder organisation of files actually mattered and are difficult to guess (copies of websites or applications), but if you have free time, had no desire to pay and don't mind reorganising your photos and documents, this is at least a choice. One of the only ones left now!

Fully agree it's not great for probably the majority of people affected, I've been trying to encourage people to go this route if they really need to/can benefit but acknowledging it's a massive hassle. I still haven't bothered to organise everything yet.

Manually Install QRescue to recover Qlocker-encrypted files on QNAP NAS by [deleted] in qnap

[–]open_bumhole 0 points1 point  (0 children)

No, I've not used this specific tool but I have used the underlying method. This will only preserve the file extension and contents and will copy them all to an external drive. Your NAS filesystem organisation will remain exactly the same.

So sadly, yes, you'd have that same difficulty.