Geekzone: technology news, blogs, forums
Internet-exposed QNAP NAS devices currently being hit with ransomware
#284446 22-Apr-2021 13:28
We have had a casual client** hit with ransomware just after lunch yesterday, though unfortunately all staff of this small firm were out of the office so nobody noticed until this morning.  I hunted extensively for the compromised computer which encrypted the files on their NAS, but could not find anything.  Googling the symptoms (files now have a 7z extension, !!!read_me.txt files show in folders) led me to this 5-hour-old article:

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

If you have a QNAP NAS that *may* be exposed to the internet, check it now and block all external access until you are sure the firmware and the apps have been updated.  Even then, I'd not recommend allowing external access again.  I have little doubt that others will start probing the QNAP ecosystem for vulnerabilities.

We are currently restoring this client's files from an effectively air-gapped backup system, so they have lost very little information.  I am a little concerned that the perpetrators of the crime may still have a remote shell to the NAS, so it's going to get a factory reset very soon.

**Someone we see professionally once or twice a year for issues they can't sort themselves.  We don't "look after their IT" as such, but give them advice or help when they hit limits with their self-management.  Sometimes they follow this advice.  Sometimes they don't.

Instructions in the file begin with the following text:

!!! All your files have been encrypted !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:
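A triage scan for the two indicators described in this post (files renamed to .7z next to a !!!read_me.txt note), as an added example that is not part of the original post or of QNAP's tooling; it assumes the note filename and extension exactly as reported above and is meant to run against a mounted, read-only copy of the share once the NAS is isolated.

```python
"""Triage scan for the Qlocker indicators reported in the thread (.7z files
next to a !!!read_me.txt note). Added example, not code from the post or QNAP."""
import os
import tempfile
from dataclasses import dataclass, field

NOTE_NAME = "!!!read_me.txt"  # ransom-note filename from the post
ENC_SUFFIX = ".7z"            # extension the encrypted files carry

@dataclass
class Finding:
    folder: str
    has_note: bool
    encrypted: list = field(default_factory=list)

def scan_share(root):
    """Report every folder holding the note and/or .7z files; .7z files
    with no note nearby are kept apart so real archives aren't miscounted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_note = NOTE_NAME in files
        enc = sorted(f for f in files if f.lower().endswith(ENC_SUFFIX))
        if has_note or enc:
            findings.append(Finding(os.path.relpath(dirpath, root), has_note, enc))
    return findings

def summarise(findings):
    """The counts a responder wants first."""
    hit = [f for f in findings if f.has_note]
    return {
        "folders_with_note": len(hit),
        "encrypted_files": sum(len(f.encrypted) for f in hit),
        "archives_without_note": sum(len(f.encrypted) for f in findings if not f.has_note),
    }

def build_sample_tree():
    """Constructed sample share (no real client data) for a dry run."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {"Finance": [NOTE_NAME, "invoices.xlsx.7z", "budget.docx.7z"],
              "HR": [NOTE_NAME, "contracts.pdf.7z"],
              "Archive": ["backup-2019.7z"],  # legitimate archive, no note
              "Photos": ["team.jpg"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root

if __name__ == "__main__":
    print(summarise(scan_share(build_sample_tree())))
```

Point `scan_share` at the real mount path instead of the constructed tree; the per-folder list is what you compare against the backup set when deciding what to restore.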




nitro
  #2696681 22-Apr-2021 13:46
Corporate client that has a NAS open to the internet?

Almost cause for saying you deserve it. But I know from work (different entry point) the terrible impact of ransomware; I just hope they get their systems back up soon, and make the necessary changes to protect themselves.

 

 

Varkk
  #2696957 23-Apr-2021 09:38
Unfortunately things like this happen. Often it is a small client: the office manager or someone in a similar position knows just enough about computers to be dangerous. They keep things running mostly and call you for anything complicated or to buy kit. But then one day they get hit by something that highlights just how dangerous a bit of knowledge is. You can't just come in and do things the right way unless invited in by the person responsible for the bills.

1101
  #2696964 23-Apr-2021 09:58
nitro:

Corporate client that has a NAS open to the internet?

It happens.
They buy a cheap home-use NAS.
"I want easy out-of-office access to the NAS, make that work." "Use the NAS's built-in apps for remote access." "Cloud this, cloud that."
Sometimes you cannot say NO, you can only advise. I've been able to say it doesn't work through their firewall. :-)

 

 



nitro
  #2696968 23-Apr-2021 10:04
1101:

It happens.
They buy a cheap home-use NAS.
"I want easy out-of-office access to the NAS, make that work." "Use the NAS's built-in apps for remote access." "Cloud this, cloud that."
Sometimes you cannot say NO, you can only advise. I've been able to say it doesn't work through their firewall. :-)

Sadly, that is true.

Sometimes it's hard to explain why proper solutions cost more, and that it actually ends up cheaper than recovering from something like this and then implementing a proper solution anyway.

 

 

 

 

Amosnz
  #2697242 23-Apr-2021 15:36
We have a QNAP NAS in Vietnam that's pinholed (one port only) to allow a Sync job to replicate data from Head Office overnight.

Thanks for the heads up, I've referred this to our IT to look into.




nztim
  #2697363 23-Apr-2021 19:31
We only use QNAP as iSCSI targets on a dedicated storage network, but all the same will take this advice and update the firmware.




freitasm
  #2699499 29-Apr-2021 12:12
CERTNZ sent out an email this morning linking to their advisory:

QNAP NAS vulnerabilities exploited to deploy ransomware | CERT NZ

Vulnerabilities in QNAP Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.7z’ extension and require a password to decrypt.

QNAP has released updates to affected software, as well as its malware scanning tool to detect this activity. CERT NZ advises all organisations with QNAP NAS devices to update and run the malware scanner immediately, and then apply all other software updates.

 




MadEngineer
  #2699840 29-Apr-2021 20:36
Amosnz:

We have a QNAP NAS in Vietnam that's pinholed (one port only) to allow a Sync job to replicate data from Head Office overnight.

Thanks for the heads up, I've referred this to our IT to look into.

And you can't VPN this connection?





hio77
  #2699870 29-Apr-2021 21:53
MadEngineer:
Amosnz:

We have a QNAP NAS in Vietnam that's pinholed (one port only) to allow a Sync job to replicate data from Head Office overnight.

Thanks for the heads up, I've referred this to our IT to look into.

And you can't VPN this connection?

Sometimes folk just don't want the overhead, hassle or whatever else.

The number of these devices that I see on a daily basis baffles me from a security point of view. I wouldn't allow a customer to attempt to use one as a managed service without a firewall I control with very tight rulesets at the very least... Tunnel terminating on that firewall preferred.




Amosnz
  #2699880 29-Apr-2021 22:22
MadEngineer:
Amosnz:

We have a QNAP NAS in Vietnam that's pinholed (one port only) to allow a Sync job to replicate data from Head Office overnight.

Thanks for the heads up, I've referred this to our IT to look into.

And you can't VPN this connection?

I believe they have been looking at that for a while for other reasons; this type of event may hasten it.




