Qlocker QNAP NAS: My Experience with this Ransomware

My Experience

So on the 9th of January I logged onto my computer and went to access my folder that holds this website that you are reading from right now so that I could make some changes to it but lo and behold, all my files were zipped up. Freaky! There was also a new file in most of the folders entitled “!!!READ_ME.txt”. Naturally I opened it and it read the following:

!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:

1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".

2. Visit the following pages with the Tor Browser:

******* // Very Long Keyphrase here

3. Enter your Client Key:

******* // Very Long Keyphrase here

Immediately I was confused because I had never been attacked before and thought that my basic firewall on my simple router would be enough for these things but boy was I wrong aha. It read in the text to pay Bitcoin over a webpage accessed by Tor so I knew it was a proper ransomware.

Anyway, I continued looking through my folders and saw that all files that were in each folder were now zipped with a “.7z” extension. I thought maybe I was just seeing things so I tried to run a local server for my website but it failed to run because all my files were now compressed. And now this kinda got me panicking.

The Problem

I Google searched my problem and it just so happened that this was a very common exploit to all QNAP NASs though more so in the realm of mid 2020. My immediate thought was that I should’ve gotten a Synology NAS as my Facebook Marketplace page was recently showing me a lot of second hand Synology NASs for sale so it was kind of like a sign to get one aha. Though upon further research, the Synology NASs also were attacked by the same sort of malware which put me at ease.

So essentially what happened was that there currently exists a script that searches for exposed devices on the internet and is still roaming around and infecting people. The ransomware that had attacked my NAS is known as QLocker and was apparently made by the “QLocker gang” as well as Ech0raix. Both of these were enforcing the attacks on QNAP devices and getting people to pay roughly $500-600 worth of AUD (at this given time) and had apparently racked up tens of thousands of dollars from people. I for one did not at all think about paying this though I was probably one of the lucky ones as you’ll read later.

Due to this exploit being about 8 months old, a lot of security tech heads and QNAP had been working on patching it and stopping it from attacking devices. I read that QNAP even have their own script running that looks out for attacks on exposed devices and aims to stop the encryption of files at the same time as QLocker tries to encrypt your files. This was very mind blowing but made me happy so I did some more research.

Other People’s Situations

I read situations of people who have only had some files encrypted that are under about 20 MB (mainly to target images and photos that you most likely hold dear to you so that you are more inclined to pay the ransom) and some others only have the read me file scattered throughout their directories. This means that QNAP’s script was quickly counteracting the ransomware and stopping it from doing any more damage but the amount of damage was loosely based on the time the script found QLocker and fought against it.

My Situation

In my situation I was in a weird middle ground. I had most of my files zipped up and the read me files instilled in every directory, though the zipped files were not encrypted and accessible. Lucky me! I could just drag and drop all my files out of the zip files and I still had my data! This made me so happy though worried that it may have left something hiding on my NAS.

Cause

Funnily enough, I was wondering what I had done recently that may have exposed my NAS to the open internet as I have had this NAS for years and especially during the main time that this ransomware hit everyone’s devices so surely it wasn’t exposed originally but then it hit me… recently I wanted to share files with family that didn’t live with me so I thought “Why not see if my QNAP has a smartshare feature that I can share links that are linked directly to my NAS?”. This is most likely what did it.

I wanted to share files that were in excess of 10 GB so this was mostly the easiest method to share them but it ultimately led to being exposed to the internet and infiltrated. So my advice to anyone who has a QNAP NAS is to not use the smartshare feature when sharing files unless you know what you’re doing!

Solution

I followed QNAP’s directions of installing their application called “Malware Remover” and as soon as it was installed, it identified QLocker and removed it from my system. Currently, it says my system is safe so I will trust it for the most part, but if I back up my drives now to another device, it will most likely carry whatever is hiding with it so I will just tread lightly through my files and try and see if there are any outliers within my files.

Another thing I immediately did once I read about it from QNAP was to disable UPnP. Apparently this was a part of the backdoor into my NAS. After this, I updated all apps on my NAS to ensure all new security updates were installed and I will update my NAS’s firmware as soon as I can.

You may be wondering why I don’t update my NAS’s firmware straight away, and you would have a valid point as this will probably increase my security the most. Though as I write this, I am running a custom script to clean up most of my folders. The main task is to unzip all my files and delete the compressed files which would take forever to do manually, so I tried Googling different ways to clean this up in one automated process. Eventually I developed my own batch script that I can run from my Windows computer that once run in a certain directory, will search the current directory and any sub-directories to clean up. It took me some time to test it on smaller folders but once it worked successfully, I let it work through my bigger folders and so far so good.

As the files were compressed with a “.7z” extension, something I usually don’t use as I use “.zip” or “.rar”, I have set the script to only uncompress 7-Zip files and delete them once complete. I don’t have any fancy code to detect which files have been changed recently as I’m not that well versed in DOS but I scrambled this “dumb” code together with the help of my best friends, Google and Stack Overflow.

If you want to see the script for yourself and use it, do use it at your own risk as I am a complete nooby and just mustered up something that worked but it may not work for everybody so be cautious! You can find it in my git repo here.

I have terabytes of information stored on here and just one folder alone has taken 2 days to only unzip the files within the folder so this isn’t a quick process but it works for me and I will slowly run this script in every folder until it’s all fixed.
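For readers who want to see what a clean-up like the one described above looks like, here is an added example in PowerShell. It is not the author’s batch script and not anything from QNAP; it is written from scratch for this page. It walks the current directory and every sub-directory, and for each “.7z” archive it first runs 7-Zip’s integrity test, then extracts the contents next to the archive without overwriting files that already exist, and only after a clean extraction deletes the archive. Archives that fail the test (for example because they turn out to be password protected) are left untouched so nothing is lost. The 7-Zip install path in $SevenZip, the parameter names and the -RemoveNotes option are assumptions made for this example.

```powershell
<#
  Added example (not the post author's script, not QNAP code).
  Recursively restores files from .7z archives created by the attack,
  deleting each archive only after 7-Zip reports a clean extraction.
  Assumes the 7-Zip CLI is installed at $SevenZip (assumed path).
  Run it from the folder you want cleaned, or pass -Root.
#>
param(
    [string]$Root     = (Get-Location).Path,
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',   # assumed install path
    [switch]$WhatIf,        # list what would happen, change nothing
    [switch]$RemoveNotes    # also delete the "!!!READ_ME.txt" ransom notes
)

if (-not (Test-Path -LiteralPath $SevenZip)) {
    throw "7z.exe not found at '$SevenZip'; adjust -SevenZip."
}

# Match on the real extension rather than -Filter, which can also match names
# like '.7zip' because of legacy short-name matching.
$archives = @(Get-ChildItem -LiteralPath $Root -Recurse -File |
              Where-Object { $_.Extension -ieq '.7z' })
Write-Host ("Found {0} .7z archive(s) under {1}" -f $archives.Count, $Root)

foreach ($a in $archives) {
    if ($WhatIf) { Write-Host "Would extract and remove: $($a.FullName)"; continue }

    # 1. Integrity test. The dummy password stops 7-Zip from prompting (and hanging
    #    the script) if an archive is actually password protected; 7-Zip ignores
    #    the password for plain archives, and protected ones simply fail the test.
    & $SevenZip t $a.FullName -pDUMMY_NOT_A_REAL_PASSWORD | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Integrity test failed (exit $LASTEXITCODE), keeping: $($a.FullName)"
        continue
    }

    # 2. Extract beside the archive. -aos skips files that already exist, so a
    #    folder that was partly restored by hand is never overwritten; -y answers
    #    any remaining yes/no prompts.
    & $SevenZip x $a.FullName "-o$($a.DirectoryName)" -pDUMMY_NOT_A_REAL_PASSWORD -aos -y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Extraction failed (exit $LASTEXITCODE), keeping: $($a.FullName)"
        continue
    }

    # 3. Only now is the archive itself removed.
    Remove-Item -LiteralPath $a.FullName
    Write-Host "Restored and removed: $($a.FullName)"
}

# Optional: clear the ransom notes the post describes, one per directory.
if ($RemoveNotes) {
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $_.Name -eq '!!!READ_ME.txt' } |
        ForEach-Object {
            if ($WhatIf) { Write-Host "Would delete note: $($_.FullName)" }
            else { Remove-Item -LiteralPath $_.FullName; Write-Host "Deleted note: $($_.FullName)" }
        }
}
```

A first pass with -WhatIf shows how many archives and notes the script will touch without changing anything, which is worth doing on a small folder before letting it loose on a multi-terabyte share. Running it from a separate Windows machine against the NAS share, as the post does, also means the clean-up never executes on the NAS itself until Malware Remover has finished its job.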

Moving Forward

Moving forward, I will be sure to keep all my apps and devices up to date to avoid this scare again. I will also dive deep into my home network security making sure that I secure everything I possibly can so as to protect myself from digital predators.

Conclusion

So my lesson learned from this is that I should take more care when dealing with the internet as there are some smart people who know how to take advantage of others in the digital world, something I already knew but took too lightly. I will tread carefully when exposing my NAS to the internet and will most likely now only have it accessible to my local network or through a VPN. My next step moving forward is to really stay on top of my network security and look into the best methods to do this which I will most likely document in a following series of blog posts :)