Qlocker on TS-451 “solved” – Ransomware Help & Tech Support
I am very new here and I only decided to create an account and this thread because of the help I found on these forums just looking through Google.
I got hit by Qlocker, and as far as I can understand it isn’t Qlocker2, so I’ll refer to it as Qlocker1. I am unsure about the exact time. I usually check my server quite often as there are (probably nasty) people trying to brute-force my password from various IPs.
My setup is blocking any IP that gets the password wrong twice within 5 minutes, so the IP keeps changing, and they likely didn’t get any access through the administrator account. This is the only account with write access, so they had to be using the vulnerability.
My Sunday here started with full-on panic as I woke up, accessed the NAS as the first thing and saw a ransom note. Luckily this only targeted files below (I believe) 20 MB; anything bigger was left alone.
The note was:
!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.
To purchase your key and decrypt your files, please follow these steps:
1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".
2. Visit the following pages with the Tor Browser: <REMOVED>
3. Enter your Client Key: <REMOVED>
As I also saw some small files not encrypted I figured the culprit was still running on my NAS. I didn’t log in for 2 days so it could have happened at any time, but if it was still running I didn’t want to risk it doing more damage, so I pulled the power from the NAS as the first response. That might have been the wrong thing to do!
I searched the net and I found a list of passwords, I think it was about 10K of the most commonly used passwords. I ran a program to check these passwords but no luck. I tried to get hashcat running, no luck; I tried crark7z, but I couldn’t get the dictionary function to work. Likely even with my 2080 Super I wouldn’t brute-force the password with CUDA anyway, so I found eSoftTools 7z password recovery, which is free to try and can run a set of passwords against your 7z file. None of them worked, obviously, but I had to try SOMETHING.
After that I found something called Dr. Web. With absolutely no hope at all I wrote a ticket saying I was hit by Qlocker, uploaded a few examples of files and the note. They actually answered on a Sunday afternoon (at least here in Denmark). I was sure this would lead nowhere, but it made me get some hope.
The response was:
A case of #Qlocker Ransomware
These files are not actually encrypted, but packed into a 7zip archive with a complex password.
If during the packing of the files no additional actions were taken to record 7z.log(with password), then it will not be possible to unpack such files without the key.
If the packing process is still running, you can try (from forum.qnap.com):
use MobaXterm to connect on ssh and run the following command:
cd /usr/local/sbin; printf '#!/bin/sh\necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
After that, right-click on 7z.log located in /mnt/HDA_ROOT/, select download and save the file on your computer.
Now you can open the file from your computer. Use the password without first “p”.
If the process has already ended, then it will not be possible to find out the key and decryption is not possible.
Of course when I ran the command I got an error back that command sh was not found, or something along those lines, I don’t remember much anymore as I was in full panic mode at the time.
And surely there was no 7z.log file in the location.
I searched the command to try and figure out why I got the error, which led me to this exact forum many times:
Ultimately I found out I wasn’t going to find the password at all. It seems like you can only run the command while the actual ransomware is running and doing its nasty stuff to your files, and it didn’t seem like it was active anymore.
In panic (as said earlier, a full Sunday of panic) I searched the web for a cloud storage option. I suddenly had 12TB of maybe insecure data in need of safe storage. I found many cloud options, but most of them offered a program for Windows or Mac that does a simple search on the local computer for files to back up, and only does that. If you want more than 200GB of space, and the possibility to back up servers, a personal account wasn’t enough, and in most cases they wanted me to contact them, but I couldn’t wait until Monday, or possibly Tuesday. I needed to start transferring files here and now.
After many failed cloud providers that I found around Denmark, I went hunting for a VPS; maybe that could give me the space needed, and with FTP access. No such luck though.
I ultimately remembered, after watching der8auer’s YouTube channel, that he has ads running for Hetzner. They offer a storage box with FTP for a reasonable price, and they are located in Germany, my neighbour country. I bought the 10TB storage box and within minutes I saturated my own gigabit fibre connection. Now I could calm down a little bit more.
While uploading stuff to the storage box I came across this website: https://www.ikarussecurity.com/en/security-news-en/qlocker/
There is very little information on this page, but man was that information soooo precious to me. It is here where I learned that the ransomware actually deletes the original files. I got a shot of hope, and my girlfriend looked at me and told me if only I’d look at her like I looked at the screen.
The link to the PDF on that website is here: https://www.ikarussecurity.com/wp-content/downloads/qlocker/q-recover-manual-final.pdf
I followed the steps and I got Ubuntu running inside Windows on my girlfriend’s computer pretty quickly. I got an error to begin with where it wouldn’t install after the first time you open Ubuntu. Turns out you need to also go to “Turn Windows features on or off” or whatever it is called. WSL was deactivated, so I activated it and rebooted, and now it worked!
I ran the guide step by step otherwise, and everything worked 100%, and within minutes I was recovering files; I almost immediately started seeing deleted files popping up.
The only problem here is that I was only able to find 2x500GB drives, hoping I could use Windows storage spaces to make it a 1TB drive. The guide clearly states that you need a hard drive with equal size to the NAS, but finding a 12TB hard drive on a whim isn’t exactly easy. Luckily I work with servers and storage as my job, so tomorrow I will bring back a storage solution that should be able to handle any data.
The recovery has now been running for 8 hours in total, and I have been sorting the data as it comes. Most of it is just junk anyway, but some otherwise unrecoverable pictures and videos of family have already turned up, and I can move them to the second 500GB drive. The two 500GB drives I have can’t be dynamic disks for some reason; they are old, probably dying too, but as a test and for storing precious data for a few days they should be fine. I also uploaded important data to an off-site server.
It recovered probably around 800GB now, but as I sorted it as it came I am down to using 80GB on that 500GB drive, and files stopped coming, so I guess I’ll leave it all night (estimated time for completion is 250+ hours).
Next step is, when all the data has been secured, using the last bit of the PDF I found to check the CRC of the files to restore them, and to upload all of my data to Hetzner. Then I want to do a full format and factory default on the NAS, and set it up to sync important files with another NAS to make sure important files never get compromised. Also I will get an external enclosure for external backup. I found a dual HDD enclosure that runs RAID 1 and just has a normal USB connection, so backing up there too could prove useful.
I also want to set up snapshots, man if only I had that running with a few snapshots, just taking one each week I wouldn’t have had to do any recovery as nothing new was added whole week anyway.
You live, you fail, you learn.
Now I am sitting here at almost 2 in the morning, and I have to go to work early in the morning, so Monday will be a terrible day for me at work, but I am at peace again, and I feel like I can finally close my eyes. I am very tired and I am just writing all of this to get all my frustration out, but also in the small hope that it could help SOMEONE, SOMEWHERE. Because NO ONE should go through this, and if you aren’t what I’d call pretty damn tech savvy, you would end up paying the ransom, never getting the password and ultimately losing all your data.
There was one time in all of this where I was thinking of paying the ransom, multiple times actually. In some threads in the forum people wrote they had luck with paying, but man that is a HUGE risk, and for my data they wanted 0.02BTC. Not exactly cheap, but one of the cheaper ones I have found, where some ransoms were almost up to 0.1BTC. Of course I never did pay, and here’s to hoping everything will be back just fine!
Thank you for reading, and thank you to all the people who post about this stuff, you are helping people without knowing it, and it does make a difference for people out there!
Thank you for this community, and thank you for getting through my wall of text, I truly hope someone will be helped by it, or at least people have a good read.
Edited by Jelle458, Today, 07:52 PM.
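As an added example, not part of the original post or of the Dr. Web reply it quotes: the argument-logging shim from the quoted one-liner, rebuilt as POSIX sh functions that operate in a throwaway directory instead of /usr/local/sbin, plus a small reader that pulls the value out of the logged `-p` switch (7-Zip takes the password glued to `-p`, which is why the advice says to use the password without the first "p"). The sandbox paths, the stand-in `7z` binary and the sample invocation are constructed for the demo, and the 60000-second sleep that stalls the archiver is shortened to one second so the demo returns. It only captures anything if something is still invoking the archiver, which is exactly the limit the post ran into.

```shell
#!/bin/sh
# Added example: the 7z logging shim, exercised in a sandbox directory.
# Nothing here touches /usr/local/sbin or a real NAS.

# install_shim DIR LOG [HOLD_SECONDS]
#   Moves DIR/7z aside as 7z.bak and installs a wrapper of the same shape as
#   the quoted one-liner: echo the arguments, append them to LOG, then sleep
#   so the caller stalls instead of archiving anything.
install_shim() {
    dir=$1
    log=$2
    hold=${3:-1}   # the quoted command uses 60000; shortened for the demo
    mkdir -p "$dir"
    # constructed stand-in for the real binary, so the rename step has a target
    [ -e "$dir/7z" ] || printf '#!/bin/sh\necho "stand-in 7z: $*"\n' > "$dir/7z"
    chmod +x "$dir/7z"
    mv "$dir/7z" "$dir/7z.bak"
    printf '#!/bin/sh\necho "$@"\necho "$@" >> "%s"\nsleep %s\n' "$log" "$hold" > "$dir/7z.sh"
    chmod +x "$dir/7z.sh"
    mv "$dir/7z.sh" "$dir/7z"
}

# password_from_log LOG
#   Prints the value of the last -p<password> switch recorded in LOG, i.e. the
#   logged token with the leading "-p" removed. Returns 1 if none was logged.
password_from_log() {
    log=$1
    [ -r "$log" ] || return 1
    line=$(tail -n 1 "$log")
    found=
    for arg in $line; do
        case $arg in
            -p?*) found=${arg#-p} ;;
        esac
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# demo: install the shim in a temp dir, make one constructed archiver call
# through it, and read the captured password back out of the log.
demo() {
    sandbox=$(mktemp -d)
    install_shim "$sandbox/sbin" "$sandbox/7z.log"
    "$sandbox/sbin/7z" a -pExampleKey123 "$sandbox/out.7z" "$sandbox/file.txt" > /dev/null
    password_from_log "$sandbox/7z.log"
    rm -rf "$sandbox"
}

demo
```

On a real system the check that matters afterwards is simply whether `/usr/local/sbin/7z.bak` exists and whether `/mnt/HDA_ROOT/7z.log` has gained any lines; if the archiver is no longer being launched, the log stays empty, and the shim should be reverted (`mv 7z.bak 7z`) before the box is put back into service.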