HowSoftwareTech

QLOCKER virus – How to decrypt your files on your QNAP NAS

You have a QNAP NAS and your files have been turned into strange .7z archives? You are probably a victim of the QLOCKER virus, which attacks QNAP NAS devices.

Fortunately, there are steps you can take to find the key that allows you to decrypt your data.

Here is the procedure.

QLOCKER: what is it?

This is a virus that affects QNAP brand NAS devices. Security vulnerabilities allow an attacker to connect to the NAS and encrypt your data using 7-Zip.

Your files are thus “zipped” and you can no longer open them without having the decryption key.

QNAP has of course released updates, and it is essential to install them to close the flaws.

If your NAS is not exposed to the outside you shouldn’t be afraid of this type of attack.

Usually external access allows you to share files, but in this case you must open port 443 (HTTPS) to access it.

For more security, I strongly recommend that you set up a FAST VPN on your QNAP NAS.

Before carrying out these steps, do not restart your NAS!

Step 1 – Activate and connect using SSH

To carry out these steps you must enable SSH access on the QNAP NAS.


Once activated you should be able to connect in SSH (on port 22).

To connect, I recommend the PuTTY application.

You must then enter the IP address of your NAS and the port (22 by default).


Enter your login and password (administrator account).

Are you connected? Perfect, we can now enter a few commands.

Step 2 – Find the decryption key

We will first check whether the crypto virus is still active (this is needed to find the key). If it is no longer active, then it is too late to recover the key :(.

ps | grep 7z

If you see a 7z process running, you may have a chance to find the key. The following command replaces the 7z binary with a small script that logs the arguments it is called with, which include the password:

cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;

Wait 5 minutes then enter this command:

cat /mnt/HDA_ROOT/7z.log

You should then obtain this information:

a -mx=0 -sdel -pYourDecryptionKey [FOLDER PATH]

The value after -p is the decryption key.

You can restart the NAS.

Step 3 – Decrypt the data with the key

Now that we have the key, you can test it on one of the files. If it works, we will then use a command to decrypt everything (replace VotreCleDeDechiffrement with your decryption key):

find / -name '*.7z' -exec /usr/local/sbin/7z e -pVotreCleDeDechiffrement {} \; 2>/dev/null
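
A more cautious variant of Steps 2 and 3, as an added example that is not from the original article or from QNAP: it reads the key out of the wrapper log, tests it on one archive with 7z t, then extracts each archive into the folder it sits in without overwriting existing files (7z e, by contrast, writes everything into the current directory). The function names and the sample key are made up for illustration, and the key is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the original article. Function names are illustrative.
SEVENZ=${SEVENZ:-/usr/local/sbin/7z}   # 7z path used in the article
LOG=${LOG:-/mnt/HDA_ROOT/7z.log}       # log written by the Step 2 wrapper

# Constructed sample of that log (made-up key), for trying extract_keys offline.
sample_log() {
    printf '%s\n' \
        'a -mx=0 -sdel -pCONSTRUCTEDkey0123 /share/Public/photo.jpg' \
        'a -mx=0 -sdel -pCONSTRUCTEDkey0123 /share/Public/my docs/a -plan.txt'
}

# Print each distinct key in log file $1, one per line. Only lines in the form
# shown in Step 2 are read. Assumption: the key contains no spaces.
extract_keys() {
    sed -n 's/^a -mx=0 -sdel -p\([^ ][^ ]*\) .*$/\1/p' "$1" | sort -u
}

# Succeed only if key $1 opens archive $2; "7z t" tests without writing files.
key_opens() {
    "$SEVENZ" t -p"$1" "$2" >/dev/null 2>&1
}

# Extract every .7z under directory $2 into the folder the archive sits in,
# skipping files that already exist (-aos). The .7z files are left in place.
restore_tree() {
    find "$2" -type f -name '*.7z' | while IFS= read -r archive; do
        "$SEVENZ" x -y -aos -p"$1" -o"$(dirname "$archive")" "$archive" \
            >/dev/null 2>&1 || echo "FAILED: $archive" >&2
    done
}

# Run as: sh script.sh --run /share/SomeFolder
if [ "${1:-}" = "--run" ]; then
    dir=${2:?usage: --run DIRECTORY}
    key=$(extract_keys "$LOG")
    [ "$(printf '%s\n' "$key" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one key in $LOG" >&2; exit 1; }
    first=$(find "$dir" -type f -name '*.7z' | head -n 1)
    [ -n "$first" ] || { echo "no .7z files under $dir" >&2; exit 1; }
    key_opens "$key" "$first" || { echo "key rejected by $first" >&2; exit 1; }
    restore_tree "$key" "$dir"
fi
```

Run it on one shared folder first and check the restored files before deleting any .7z archive.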

Congratulations, you have decrypted your data.

Rule number one is to have a healthy, viable backup and a copy disconnected from the network. QNAP offers backup applications like Hybrid Backup.

To scan for malware, there is the Malware Remover application; remember to update it and run a scan.

You must also update your NAS; a search in the “update” panel lets you check the available version!


The list of firmware can also be downloaded manually at this address: https://www.qnap.com/fr-fr/download

Sources: https://www.forum-nas.fr/viewtopic.php?f=19&t=15987&p=102808
