Qlocker on TS-451 “Solved” – Ransomware Help & Support
I am very new here and only decided to create an account and this thread because of the help I found on these forums just by looking on google.
I have been affected by Qlocker, and as far as I know it is not Qlocker2, so I will call it Qlocker1. I am not sure of the exact time. I usually check my server quite often as there are probably some nasty people out there trying to crack my password from various IP addresses.
My setup blocks any IP address that has the wrong password twice within 5 minutes, so the IP address keeps changing, and they probably didn’t get access through the administrator account. This is the only account with access to write, so they had to use the vulnerability.
My Sunday here started with total panic when I woke up, accessed the NAS first and saw a ransom note. Luckily this only targeted files under 20MB I believe anything bigger was left alone.
The remark was:
!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!! All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment. To purchase your key and decrypt your files, please follow these steps: 1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page". 2. Visit the following pages with the Tor Browser:
3. Enter your Client Key:
As I also saw a few small unencrypted files, I figured the culprit was still working on my NAS. I didn’t log in for 2 days so it could have happened anytime but if it still worked I didn’t want to risk it doing more damage so I removed the power from the NAS like first answer. It might not have been the right thing to do!
I searched the net and found a list of passwords, I think it was about 10,000 of the most commonly used passwords. I ran a program to verify these passwords but was unsuccessful. I tried getting hashcat to work, no luck, I tried crark7z, but couldn’t get the dictionary function to work. Chances are that even with my 2080 Super I wouldn’t force the password with CUDA anyway, so I found eSoftTools 7z Password Recovery which is free to try and can run a set of words from pass on your 7z file. None of them worked obviously, but I had to try SOMETHING.
After that I found something called Dr Web. Without any hope, I wrote a ticket saying I had been hit by Qlocker, downloaded some sample files and the note. They actually responded on a Sunday afternoon (at least here in Denmark), I was sure it wouldn’t get anywhere, but it gave me some hope.
The answer was:
A case of #Qlocker Ransomware
These files are not actually encrypted, but packed into a 7zip archive with a complex password.
If when packing the files no further action was taken to save 7z.log (with password), then it will not be possible to unzip these files without the key.
If the wrapping process is still running, you can try (from forum.qnap.com):
use MobaXterm to connect to ssh and run the following command:
cd / usr / local / sbin; printf ‘#! / bin / sh necho $ @ necho $ @ >> / mnt / HDA_ROOT / 7z.log nsleep 60000’> 7z.sh; chmod + x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
After that right click on 7z.log located in mnt / HDA_ROOT / – select download and save the file to your computer.
You can now open the file from your computer. Use the password without the first “p”.
If the process is already completed, it will not be possible to find the key and decryption is not possible.
Of course when I ran the command I got an error stating that the sh command was not found, or something like that, I can’t remember much because I was in panic mode at this moment.
And surely there was no 7z.log file in the location.
I searched for the command to try to figure out why I got the error, which led me to this exact forum several times:
In the end, I found out that I wasn’t going to find the password at all. It seems like you can only run the command while the ransomware is running and doing nasty things in your files, and it doesn’t appear to be active anymore.
In a panic (like full panic Sunday said earlier), I searched the web for a cloud storage option. Suddenly I have 12TB of possibly insecure data that needs secure storage. I found a lot of cloud options, but most of them offered a program for Windows or Mac, which does a simple search on the local computer for files to back up, and does just that. If you want more than 200GB of space and the ability to back up servers, a personal account wasn’t enough, and in most cases they wanted me to make contact, but couldn’t wait until Monday, or possibly Tuesday. . I needed to start transferring files here and now.
After many failed cloud providers that I found in Denmark, I went looking for a VPS; maybe that could give me the necessary space, and with ftp access. No luck though.
I finally remembered after watching der8auer’s youtube channel that he had ads for hetzner. They offer a storage box with FTP for a reasonable price, and they are located in Germany, my neighboring country. I bought the 10TB storage box and within minutes I was full of my own gigabit fiber connection. Now I could calm down a bit more.
While downloading items to the storage box, I came across this website: https://www.ikarussecurity.com/en/security-news-en/qlocker/
There is very little information on this page, but the man was this information so valuable to me. It was here that I learned that the ransomware actually deletes the original files. I had a shot of hope, and my gf looked at me and said if only I looked at her as I stared at the screen
The link to the PDF on this website is here: https://www.ikarussecurity.com/wp-content/downloads/qlocker/q-recover-manual-final.pdf
I followed the steps and got Ubuntu running in Windows on my girlfriend’s computer pretty quickly. I got an error to start where it wouldn’t install after opening ubuntu for the first time. It turns out that you also need to go to “turn on / off Windows features” or whatever its name is. The WSL was off, so I turned it on and restarted, now it worked!
Otherwise I ran the step by step guide, and everything worked 100% and within a few minutes I was recovering files and almost immediately started seeing deleted files appear.
The only problem here is that I was only able to find 2x500GB drives, hoping I could use the Windows storage spaces to make it a 1TB drive. The guide clearly states that you need a hard drive of the same size as the NAS, but finding a 12TB hard drive on a whim isn’t really easy. Fortunately, I work with servers and storage, so tomorrow I’ll bring back a storage solution that should be able to handle all the data.
The recovery has now been going for 8 hours in total, and I have sorted the data as I went, where most of it is just junk anyway, but some unrecoverable family photos and videos have already appeared, and I can do them. move to the second 500gb drive. The two 500gb drives I have cannot be dynamic drives for some reason they are old, probably dying too, but as a test and for storing data precious for a few days, they should go. Also uploaded important data to an offsite server.
It’s probably recovered around 800GB by now, but as I sorted it out as I went, I’m using 80GB on this 500GB drive, and the files have stopped coming, so I guess I will leave it overnight (estimated time for completion is 250+ hours).
The next step is, when all the data has been secured, using the last bit of the PDF I found, check the CRC of the files to restore them and upload all my data to Hetzner, I want to do some formatting full and default on the NAS. Configure it to sync important files with another NAS to ensure that important files are never compromised. Also, I will get an external enclosure for the external backup. I found a dual hard drive enclosure that runs RAID 1 and only has a normal USB connection, so backing up there might come in handy as well.
I also want to set up snapshots, man if only I had this with a few snapshots, just taking one each week, I wouldn’t have had to do any recovery because nothing new was added all week anyway .
You live, you fail, you learn.
Now I’m sitting here at almost 2am and have to go to work early in the morning so Monday will be a terrible day for me at work but I’m at peace again and feel like I can finally close my eyes . I’m very tired and I’m writing this just to get all my frustration out, but also in the little hope that it might help SOMEBODY, SOMEWHERE. Because NOBODY should go through this, and if you’re not what I would call a hell of a techie, you would end up paying the ransom, never getting the password and ultimately looking at all of your data.
There was once in all of this where I thought I would pay the ransom, several times in fact. In some forum threads people wrote that they were lucky to pay, but it’s a HUGE risk, and for my data they wanted 0.02 BTC. Not exactly cheap, but one of the cheapest I found where a ransom was almost 0.1 BTC. Of course, I never paid, and I hope everything is fine!
Thanks for reading, and thanks to everyone posting about this stuff you are helping people without knowing it, and you are. make a difference for the people there!
Thanks for this community, and thanks for browsing my text wall, I really hope someone helps out, or at least people have a good read.
Published by Jelle458, today, 19:52.