QNAP malware

I got hit by malware called Qlocker the other day. It basically zips every file and asks you to pay bitcoin to unlock.

There is a recovery tool called Rescue, but according to reports it’s very cumbersome.

As I had everything backed up, I had the option to wipe the discs and start again. This turned out to be quite beneficial, as when I first set up the machine I did it very badly with a single thin volume. The current QTS operating system now has a dramatically better and very easy set-up wizard, and I set it as two thick volumes.

Lots of people have been hit by this, worth checking your backups and security.

2 Likes

Ouch.

Any idea how they gained access?

Have you been on the old pre 5.0 QTS until then? It was known to be vulnerable to those blackmail trojans. Constantly upgrading firmware on routers and operating systems is essential.

You now just have to take real care (by scanning) you didn’t infect your backup drives or other equipment in your network before the trojan got active.

Also check if you have configured other open doors on your router like automatic port release.
It would be important to have a guess how it happened.

The new QTS also has a firewall on board you can activate and a security check to see what you should disable to make it safe.

I guess the disc spinners here now say, that’s why they spin discs…there’s a lot of IT involved in streaming. I’d be interested how music servers like those on the market or the upcoming PSA one are protected.

No idea!

Just an FYI - Qlocker does NOT require the victim to download/open something. The attacker scans the internet for vulnerable QNAP devices and exploits an existing QNAP vulnerability.

1 Like

This is a similar flaw that Western Digital NAS had a little while ago, although remote attackers just wiped drives.

Really hope you get it protected, NAS drives are quite an investment, they really need to have good software backing them up.

Apparently there was a big attack last year and a new one started middle of this month. I think it is limited to QNAPs. Bitdefender did not get it, which is worrying.

I was up to date on 5.0.

There is good guidance here.

For a music library, the best thing is to attach an external usb and create a backup job in HBS3 using this tool.

Set for manual backup and if totally paranoid you can eject the disc by clicking on Actions in Storage & Snapshots.

The best thing is to limit any external access. Go into the myQNAPcloud app and disable UPnP here:

Install these apps (McAfee is paid, all the others free):

Go to the App Store and require digital signatures for all app installations:

If possible, don’t use Admin as your user. Go into Control Panel, set up a new user with full access to all areas and disable Admin:

Set QuFirewall to Subnets only.

I’m no expert, but there is a lot of good guidance online, most from QNAP themselves.

1 Like

It’s more the shock and indignation. Once I got over that, I was quite pleased to have to do a reinstall.

The only faff was that I’d set SED encryption and had to physically remove the drives to get a code on the drive label to wipe them. That involved taking out 3 screws per disk (as they are SSD) and copying in a 50-character password, then screwing back in. In the new set-up I’ve not used SED.

For me the main use is having data in separate locations, now less relevant given I now work from home.

For music libraries, the disc spinners will say “I told you so”, but if set up effectively so it can only be accessed on the home network, like mine is now, there should not be a problem.

1 Like

Yes exactly that’s the instructions. Bitdefender is a Windows scanner…I guess you mean the one on the QNAP. If you were on 5.0 I guess you must have had UPnP activated, as QNAP says everything over 4.5.2 was safe…strange.

They also wrote Qlocker is no malware, it affects a weakness in pre 5.0 QTS, that’s why it’s so strange you got it with 5.0.

UPNP disabled on my router, and no manual ports open to the internet, hopefully I should be safe from such tomfoolery (I have Synology, which of course has similar malware associated with it, I think it was Synology’s turn a couple of years ago).

Does seem to be a general weakness in NAS OS’s, or attackers are just getting more clever at finding the weaknesses.

I’m not sure it’s the OSes that are necessarily at risk, most of them run homegrown Linux builds. The real problem comes from all the apps they throw on there. The Qlocker ransomware gets in from a bug in Hybrid Backup which is installed by default. If you use something else for backups, get rid of that app. I have a QNAP and got rid of everything I don’t need… and it was a lot.

1 Like

Not really special to NAS drives, other than that people usually care less to patch them than their PC.
Such attacks usually aim for non-patched systems, no matter what they are. In case of a NAS it certainly makes sense for blackmailing, as there’s usually some storage behind it and they are used in companies with need for their data and money to pay for it, too.

1 Like

Thanks - done

1 Like