• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

QNAP NAS Affected by Qlocker Ransomware, Company Advises Immediate Action to Secure Your Data

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,164 (7.57/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users' data for ransom. QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.

QNAP has released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack. If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at this page.



For unaffected users, it's recommended to immediately install the latest Malware Remover version and run a malware scan as a precautionary measure. All user should update their passwords to stronger ones, and the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version. Additionally, users are advised to modify the default network port 8080 for accessing the NAS operating interface. Steps to perform the operation can be found in the information security best practice offered by QNAP (https://qnap.to/3daz2n). The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security.

For details, please refer to the QNAP security advisory QSA-21-11 (this page) and QSA-21-13 (this page).

QNAP Product Security Incident Response Team (PSIRT) constantly monitors the latest intelligence to deliver up-to-date information and software updates, ensuring data security for users. Once again, QNAP urges users to take the above-mentioned actions and periodically check/install product software updates to keep their devices away from malicious influences. QNAP also provides the best practice for improving personal and organizational information security. By working together to fight against cybersecurity threats, we make the Internet a safer place for everyone.

View at TechPowerUp Main Site
 
Joined
Mar 20, 2019
Messages
556 (0.27/day)
Processor 9600k
Motherboard MSI Z390I Gaming EDGE AC
Cooling Scythe Mugen 5
Memory 32GB of G.Skill Ripjaws V 3600MHz CL16
Video Card(s) MSI 3080 Ventus OC
Storage 2x Intel 660p 1TB
Display(s) Acer CG437KP
Case Streacom BC1 mini
Audio Device(s) Topping MX3
Power Supply Corsair RM750
Mouse R.A.T. DWS
Keyboard HAVIT KB487L / AKKO 3098 / Logitech G19
VR HMD HTC Vive
Benchmark Scores What's a "benchmark"?
I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.
 
Joined
Jul 16, 2014
Messages
8,194 (2.18/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.
There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly. I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?

But this reads as if the malware was pre-installed and shipped.
 

FreedomEclipse

~Technological Technocrat~
Joined
Apr 20, 2007
Messages
23,985 (3.74/day)
Location
London,UK
System Name DarnGosh Edition
Processor AMD 7800X3D
Motherboard MSI X670E GAMING PLUS
Cooling Thermalright AM5 Contact Frame + Phantom Spirit 120SE
Memory G.Skill Trident Z5 NEO DDR5 6000 CL32-38-38-96
Video Card(s) Asus Dual Radeon™ RX 6700 XT OC Edition
Storage WD SN770 1TB (Boot)| 2x 2TB WD SN770 (Gaming)| 2x 2TB Crucial BX500| 2x 3TB Toshiba DT01ACA300
Display(s) LG GP850-B
Case Corsair 760T (White) {1xCorsair ML120 Pro|5xML140 Pro}
Audio Device(s) Yamaha RX-V573|Speakers: JBL Control One|Auna 300-CN|Wharfedale Diamond SW150
Power Supply Seasonic Focus GX-850 80+ GOLD
Mouse Logitech G502 X
Keyboard Duckyshine Dead LED(s) III
Software Windows 11 Home
Benchmark Scores ლ(ಠ益ಠ)ლ
Qnap also suggested disabling the default admin user account. I have done this but this has caused all sorts of issues to do with user access rights and privileges even if i have the new admin account given full privileges and access to some folders and files.

NAS wont let new admin account access certain shared folders even though access privileges has been set up to include new admin account.
NAS wont let new admin delete files remotely when accessed remotely from an android device.
NAS wont let me cut/copy or paste data from NAS to my desktop with new admin account from within windows unless i disable Windows ACL

Ive checked the user priviledges loads of times and played around. I got shared folder access back but i still cant delete files if im using my tablet to access the NAS and i got my cut/copy paste back by disabling ACL

Ive been told that the Windows ACL function/feature is bugged and from what i read on their forums, It has been bugged for a long time.
 
Joined
Mar 6, 2017
Messages
3,319 (1.19/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly.
Where's your proof on that? Because last time I checked and yes, I actually did check, this isn't true at all. The port scans prove it. Stop spreading FUD.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
26,845 (3.83/day)
Location
Alabama
System Name RogueOne
Processor Xeon W9-3495x
Motherboard ASUS w790E Sage SE
Cooling SilverStone XE360-4677
Memory 128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 2TB WD SN850X | 2x 8TB GAMMIX S70
Display(s) Odyssey OLED G9 (G95SC)
Case Thermaltake Core P3 Pro Snow
Audio Device(s) Moondrop S8's on schitt Modi+ & Valhalla 2
Power Supply Seasonic Prime TX-1600
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11 Pro Workstation
Benchmark Scores I dont have time for that.
Storage appliances facing the web has always confused me.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,473 (4.12/day)
Location
Indiana, USA
Processor Intel Core i7 10850K@5.2GHz
Motherboard AsRock Z470 Taichi
Cooling Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory 32GB DDR4-3600
Video Card(s) RTX 2070 Super
Storage 500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s) Acer Nitro VG280K 4K 28"
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply eVGA SuperNOVA 1000w G3
Software Windows 10 Pro x64
There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly.
What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP(by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.

I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?
Windows doesn't allow this by default either. You have to have a password to share data.
 
Joined
Dec 31, 2020
Messages
36 (0.03/day)
I have a QNAP TS-231P but nothing on it is vital - being able to access media anywhere on my laptop or phone is a good boredom alleviator. That still hasn't stopped ~skript kiddiez~ from probing it with brute force password attacks.

All the data I can't afford or don't want to lose/have compromised is air-gapped.

That being said, my next NAS will be *built*, not *bought*. In addition to this, QNAP's been slowly moving apps over to a micro-transaction model. They think they're being slick about it, but everyone who's paying attention knows what's up.
 
Joined
Jul 16, 2014
Messages
8,194 (2.18/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Windows doesn't allow this by default either. You have to have a password to share data.
Should have been clearer, wasnt thinking default.

What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP(by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.
Thats a big IF really.
 
Joined
Jan 30, 2018
Messages
225 (0.09/day)
System Name Dreamstation2
Processor Ryzen 7 3700X
Motherboard MSI X470 Gaming Plus
Cooling Hyper 212 Black Edition
Memory Kingston HyperX 32GB DDR4 3200 CL16
Video Card(s) Aorus 2080 Ti Turbo (sounds like a vaccum cleaner at full load)
Storage 2 x 1TB M.2 NVME + 1TB 2.5" SSD
Display(s) Samsung Odyssey G7 32" 4k
Case NZXT H500i
Audio Device(s) Asus Xonar U3 / Audio-Technica ATH-M50x / Edifier R1855DB
Power Supply Corsair TX650M
Mouse Corsair Scimitar Pro RGB
Keyboard Cooler Master Masterkeys Lite L
QNAP is a joke. Same thing happened 2 years ago. They just shrugged off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
https://www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,473 (4.12/day)
Location
Indiana, USA
Processor Intel Core i7 10850K@5.2GHz
Motherboard AsRock Z470 Taichi
Cooling Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory 32GB DDR4-3600
Video Card(s) RTX 2070 Super
Storage 500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s) Acer Nitro VG280K 4K 28"
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply eVGA SuperNOVA 1000w G3
Software Windows 10 Pro x64
Joined
Mar 7, 2011
Messages
4,501 (0.90/day)
QNAP is a joke. Same thing happened 2 years ago. They just shrugged off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
https://www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]
So they should drop Q from their brand name on urgent basis.
 
Joined
Aug 20, 2007
Messages
21,400 (3.41/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Joined
Jul 16, 2014
Messages
8,194 (2.18/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Not really. I'd say a very large majority of computers don't have public IPs.
I agree but that doesnt mean some hacker will visit your negihborhood looking for available connections. And we're back to learn2secure your network and devices.

But don't worry, IPv6 will fix this. :p
IPv6, I heard of that before, where.... :rolleyes:
 
Joined
Mar 6, 2017
Messages
3,319 (1.19/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
But don't worry, IPv6 will fix this. :p
And on my router, I actually have to enable a rule firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.
 
Joined
Aug 20, 2007
Messages
21,400 (3.41/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
And on my router, I actually have to enable a rule firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.
A good router will do this. I was sarcastically referring to the designers "dream spec" of ipv6, which essentially is an IoT world where every device has a public IP.

Yeah, that's a bad idea, just like it sounds.

IPv6, I heard of that before, where....
Most ISPs provide it now actually. Even Verizon and Comcast do.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,473 (4.12/day)
Location
Indiana, USA
Processor Intel Core i7 10850K@5.2GHz
Motherboard AsRock Z470 Taichi
Cooling Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory 32GB DDR4-3600
Video Card(s) RTX 2070 Super
Storage 500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s) Acer Nitro VG280K 4K 28"
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply eVGA SuperNOVA 1000w G3
Software Windows 10 Pro x64
I agree but that doesnt mean some hacker will visit your negihborhood looking for available connections. And we're back to learn2secure your network and devices.
Sure, that was a valid argument back when routers shipped with no WiFi password and WEP was the default security method. But not now.
 
Joined
Mar 6, 2017
Messages
3,319 (1.19/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
designers "dream spec" of ipv6, which essentially is an IoT world where every device has a public IP.
Scared Courage The Cowardly Dog GIF


Reminds me of the bad old days of the first cable modems, your Network Neighborhood was literally your neighborhood. With everything having a public IP your Network Neighborhood would be the whole damn planet. How they thought that was a good idea, I'll never know.
 
Top