Viewing 40 posts - 1 through 40 (of 55 total)
  • Help! Qnap NAS hacked and files locked
  • vanilla83
    Free Member

    My Qnap NAS has been hacked and most files are now zipped

    I think it’s the Qlocker attack from last year but don’t understand why/how as I had updated when that came out

    I can hear my NAS still whirring away so it sounds like it is still zipping files but I can’t stop it.

    I’m on a lot of forums right now and I don’t really understand what I’m doing.

    I’ve changed the port and stopped the Q cloud. I’ve turned off a few things that it says.

    I’ve SSH-ed in and tried kill -9 $(ps | grep sbin/7z | grep -v grep | awk '{ print $1 }') as advised in several places but nothing seems to happen

    Any help? I’m on a Mac using terminal with very limited knowledge

    Absolutely gutted – all my photos ever are on there

    footflaps
    Full Member

    I can hear my NAS still whirring away so it sounds like it is still zipping files but I can’t stop it.

    cut the power…

    desperatebicycle
    Full Member

    Looks to me like you have to enable and update the Malware remover app.
    “By running a Malware Remover scan on a QNAP NAS with Qlocker active (encryption/compression in progress), the encryption/compression will stop. The scan will also attempt to extract the encryption key used for the attack. If an unpatched version of HBS is detected as well, the HBS code in question will be removed.”

    If that’s not possible you need to get on the phone to support so they can talk you through it.

    el_boufador
    Full Member

    Do you have a backup?

    sirromj
    Full Member

    Can you run ‘top’ from the terminal, then try ID the process doing the zipping, and kill that?
    (or ‘htop’ is nicer if that’s available, can select a process and press k to kill it from within htop).
    But I doubt this will be the answer.

    captmorgan
    Free Member

    Wipe it, install the latest firmware and restore your data from your latest backup.

    eskay
    Full Member

    Wipe it, install the latest firmware and restore your data from your latest backup.

    Isn’t the NAS the backup?

    My NAS is a dual HDD backup system that has all of my data on it. I have however got a single disc NAS mirror in the garage (in case the house burns down) but I imagine most people have a single NAS backup.

    dannybgoode
    Full Member

    My NAS is a dual HDD backup system that has all of my data on it.

    The basic rule of data integrity is if there are not at least 3 copies it is not backed up.

    I have everything on my main HDD in my workstation and that is backed up to a second HDD also in my workstation and also to a single large NAS drive in another room (RAID etc is generally asking for trouble and unnecessary in these halcyon days of large cheap single drives) and then anything important is also backed up to the cloud.

    johnners
    Free Member

    Isn’t the NAS the backup?

    The OP doesn’t mention a backup so to me it sounds like it was being used as a filestore, which is a perfectly normal use for a NAS. It also sounds like it’s the sole copy which is unfortunate.

    desperatebicycle
    Full Member

    Nice update Onewheel. Getting Security Counsellor installed.
    They have a new QUFirewall, that’s good.

    vanilla83
    Free Member

    Yes as some have said, this was my filestore – all my photos of my life and travels from ever. I don’t have backups. I stupidly trusted that Qnap would keep it secure as I’ve followed all their advice and suggestions. Please don’t give me a lecture on backups. Already upset enough as it is 🙁

    Security Counsellor is all well and good but I’ve been running Malware Scanner that Qnap suggest with absolutely nothing found and my system was fully updated and they still got in – meaning that the advice from the last attack (last year) wasn’t correct.

    I managed to stop the attack and am following a method on Bleeping Computers to try to restore my files but am struggling. I’ve logged a ticket with Qnap and am waiting a reply.

    vanilla83
    Free Member

    To add, get rid of any QnapCloud accounts and disable UPnP on your NAS

    leffeboy
    Full Member

    If you have logged something with qnap I would switch off your NAS and leave it until they call back. What I have read is they only stand a chance if nothing else happens, e.g. other files overwriting what is there. The longer it is switched on with you trying different things the more chance there is of stuff being damaged

    Cougar
    Full Member

    Please don’t give me a lecture on backups.

    And yet, here we are. Again. Someone who’s lost all their data, couldn’t be bothered to take backups and unfortunately learned the hard way why this is a really bad idea. So you’re going to get one and you’re all going to keep getting them until this question stops being asked. Backups are cheap and easy. Data recovery is expensive and difficult.

    For the benefit of future readers: your “stupidly” here wasn’t in trusting the NAS, that was reasonable. A NAS device is, in the grand scheme of things, relatively trustworthy. Having all your eggs in one basket, that was where you fell down and it’d have been the same problem whether it was a NAS, a USB hard disk, an internal drive, papers in a filing cabinet, brass rubbings or engravings in a stone tablet. If you only have one copy of your data then it’s a question of ‘when’ rather than ‘if.’

    Repeat after me:
    RAID is not backup.

    Cougar
    Full Member

    Soapbox aside,

    Does that NAS not do versioning? Can you just roll it back? (I’ve no idea)

    Also, what leffeboy said.

    dannybgoode
    Full Member

    Repeat after me:
    RAID is not backup.

    YES – this x100000000. In fact I would go further and say RAID doesn’t really have a place in the home user/home office environment at all. It was born of a time when large capacity single HDDs were either non-existent or cost the same as a house.

    In the days of very cheap multi-TB drives then several back-ups held on multiple single large drives dotted around the house, and preferably an off-site location but for home users this is more tricky – are a more reliable solution than some form of RAID device.

    I would also add NAS != RAID 🙂

    stumpy01
    Full Member

    As a not very competent QNAP NAS drive user, I have a question I hope someone can answer….

    In the ‘what to do’ bit of that link above, it says

    “The first step to fully protect vulnerable products from the ongoing attacks is to disable the port forwarding function of the router. This can be completed via the management interface of a user’s router. Users should check their settings and disable the port forwarding setting of NAS management service port which is set at port 8080 and 433 by default.”

    I have gone into my router dashboard & the port forwarding section doesn’t seem to have anything set-up. I have never set anything up as every time I look into doing it, I have not managed to work it out & give up.

    EDIT – to add the actual question!
    Does this mean that port forwarding has never been enabled for the NAS and so I don’t need to do this step? I take it that port forwarding is something that is done on the router & has to have been done by myself, as opposed to something that the router (or NAS) would have done itself?

    The only way I can access it from outside my house (that I know of) is either directly through the apps on my phone, or through the QNAPCloud account (which from what vanilla83 says up there I should delete/disable).

    This must be the third or fourth time there has been some kind of urgent security issue with this NAS since I’ve owned it. Seriously considering getting rid of it now & going back to the old school way of just having all the files on my computer with a second portable drive getting plugged in once a month for a back-up.
    My current back-up is a portable drive permanently plugged into the NAS, but I guess if someone gets in, then they also can stuff the back-up??

    leffeboy
    Full Member

     In fact I would go further and say RAID doesn’t really have a place in the home user/home office environment at all

    Actually I would disagree with that.  I have 4 Synology NAS’s running at work (ok, not a home office) and each of them has had one of their hard drives die over the years.  I just switch them off, replace the dead drive and they are back up and running again.  I do of course also back each of them up to USB drives but for getting the  NAS back up and running again it is fantastic

    thisisnotaspoon
    Free Member

    In the days of very cheap multi-TB drives then several back-ups held on multiple single large drives dotted around the house

    That brings its own issues though.

    1) A HDD left on a shelf will be dead when you need it*.
    2) The bigger the drive capacity the more likely it is to fail when you try and create a backup from it. It’s been the case that the variance in life expectancy of drives is less than the time it takes to read/write a 4TB drive. So if you have Raid 1 or Raid 5 (Raid 0 being not redundant anyway, and multiple drives left around the house is just Raid 1 with extra faff) if one drive fails, you’ve probably still lost the lot anyway*.

    1 is resolved by using the right tool for the job, tape.
    2 is resolved by paying someone else to store it.

    * yea yea yea, over lockdown you rescued your retro game/porn stash from a hard drive that had been under your teenage bed since 1999 with no issues, you’ve had plenty of RAID drives rebuild without issues, and your NAS hasn’t been subject to a ransomware attack. But some people have different luck.

    leffeboy
    Full Member

    Seriously considering getting rid of it now & going back to the old school way of just having all the files on my computer with a second portable drive getting plugged in once a month for a back-up

    Don’t.  The nice thing about the NAS is that you don’t need to remember to do the monthly back up thing.  Most people forget until it is too late.  If you have got that backed up as well then all is good

    My current back-up is a portable drive permanently plugged into the NAS, but I guess if someone gets in, then they also can stuff the back-up??

    Yes.  If someone had got into the NAS then they could also get your backup and are actually very likely to as that is their job.  The paranoid amongst us alternate USB drives so they can leave one plugged in and then swap it with the other one

    dannybgoode
    Full Member

    I have 4 Synology NAS’s running at work (ok, not a home office) and each of them has had one of their hard drives die over the years.

    NAS is not RAID though. You can have a single large drive NAS device or you could have a RAID device that is not NAS. NAS is brilliant, RAID is just not necessary at all these days in the vast majority of applications, particularly those relevant to the home user.

    The big problem with RAID though is not if one of your drives die. It’s if the RAID controller dies. Each company uses different methods to create the RAID so if your Synology box dies you can’t easily pull the drives from that, stick them say in your PC and read the data off them as the files are not stored in a standard format. You would need an identical RAID device to recreate or read from the array.

    You have far more chance pulling the data off a single large drive than you do recreating the data held across 2 or 4 drives in a RAID array accordingly. Plus, if you have your data backed up in a couple of places it is trivial to replace a failed drive in box A and copy the data back across from box B.

    As things stand I have my data on three large drives. It is a very quick job to replace any one of those and get it all back up and running and I can do so using any PC around. The same cannot be said when my RAID box died. I basically binned the box, took the drives out, formatted them and put them in single drive NAS enclosures and that is what I run.

    bails
    Full Member

    “Don’t.  The nice thing about the NAS is that you don’t need to remember to do the monthly back up thing.  Most people forget until it is too late.  If you have got that backed up as well then all is good”

    As someone with a very similar setup to the OP (i.e. it should, and already has, protect me from a drive failure), doesn’t leaving the external ‘backup’ HD connected to the NAS 24/7 mean that if the NAS is hacked then the HD will be too and so my backup is useless for that scenario? Obviously if I alternate them or only plug it in for the time that it is backing up then I avoid that, but then you’re back to having to remember to do something, which I won’t!

    leffeboy
    Full Member

    NAS is not RAID though

    No, but on Synology NAS’s I can select RAID, the sort of RAID and which drives it applies to

    so if your Synology box dies you can’t easily pull the drives from that, stick them say in your PC and read the data off them as the files are not stored in a standard format. You would need an identical RAID device to recreate or read from the array.

    Only partly true.  I had a Synology NAS die and it was no longer available.  I bought a newer device, stuck the drive(s) in and it worked just fine.  It was up and running pretty much the same day the new box arrived.  There is also an app available for PCs to read the drives if you haven’t encrypted them

    The Synology stuff is very nice really.

    leffeboy
    Full Member

    doesn’t leaving the external ‘backup’ HD connected to the NAS 24/7 mean that if the NAS is hacked then the HD will be too and so my backup is useless for that scenario?

    Yes, but that is the point that everyone here is trying to make.  The NAS by itself is not sufficient as a backup, you need a copy of the NAS as well.  Even if you only do it every few months you aren’t losing ALL of your data, only the last couple of months and for most people that is ok, in fact if it is your photos then even a year is ok as it will only be this year and they are probably all on facebook now anyway 🙂

    dannybgoode
    Full Member

    It is nice gear but RAID is still unnecessary and introduces more points of failure and costs a lot more than just a couple of nice cheap NAS enclosures each with a nice big drive in 🙂 .

    If an enclosure dies it is very cheap to replace and I can access the data on the drive instantly if required…

    What does RAID actually give you? As I said above it was designed in a time when large capacity discs simply were not available – that was its purpose, large storage arrays and not any form of back up etc. Now we have large single discs there is just no need for them any more outside of data centres where read and write times still matter.

    leffeboy
    Full Member

    If an enclosure dies it is very cheap to replace and I can access the data on the drive instantly if required…

    Unless the drive dies.  I’ve had about 6 spinny drives die and only one NAS

    so far…

    and sorry to distract from the OP.  It is fairly standard to initially trust the NAS as it is just a copy of the computer but then over time it ends up having the only copy of some old data and becomes a single point of failure without anyone noticing :(.

    dannybgoode
    Full Member

    Unless the drive dies. I’ve had about 6 spinny drives die and only one NAS

    so far…

    Yes I covered that – I have 3 large drives each with identical data on so recreating the dead drive is a trivial matter 🙂

    Poopscoop
    Full Member


    @vanilla83

    Utter crap to potentially have lost all your pics. Pictures/ vids are the most important possessions I have.

    Hope you get this sorted. I’d also recommend Google Photos as an extra back up method in the future even if you have to pay for it later in the day. It’s my primary back up method these days and is so good for other stuff as well as backing up.

    Good luck mate.👍

    highpeakrider
    Free Member

    I’ve not had a qnap for years.

    However on Synology I have 2 factor authentication in place to prevent hacks and the admin account disabled.
    I also pay under £9 a year for automatic offsite backups to synology plus external usb.

    Something to think about once you get sorted.

    el_boufador
    Full Member

    Likewise, hope you get it sorted.

    Personally speaking I have the primary data drive in the main pc then a secondary backup also internally to the pc. Backup scheduled to run every Sunday or sometimes I also trigger that manually if I’ve made a lot of changes.

    Then 2 usb HDDs backing up periodically on rotation (when I remember, maybe every month or so)

    Then photo and video replicated to Google for a small fee.

    I’ve often thought about getting a Nas but never really saw much point.

    sirromj
    Full Member

    I flashed Debian onto my QNAP. Nearly bricked it on a couple of occasions but on the whole runs flawlessly! Not recommended unless you like getting your hands dirty with the OS. Debian is known for its stability. Running a linux distro on it allows you to strip it right back to the basics of being a file server. Mine is basically a windows share and no fancy bells or whistles. SSH access for admin. Also means if the enclosure dies I can just plug drives into my Linux tower until enclosure replaced.

    thisisnotaspoon
    Free Member

    Yes I covered that – I have 3 large drives each with identical data on so recreating the dead drive is a trivial matter 🙂

    The trouble is if one dies, you’ve then got two more drives, with similar amounts and patterns of use, that you now need to trust to offload all their data at once to get your backup back…

    The bigger the drives, the longer it takes to copy, and the more chance of the next drive dying before you’ve copied it.

    stumpy01
    Full Member

    leffeboy

    Don’t.  The nice thing about the NAS is that you don’t need to remember to do the monthly back up thing.  Most people forget until it is too late

    True, and one of the reasons I got it in the first place.
    But I’ve never found it easy to set up and use. I bought the one I did as it was described as an entry level NAS.
    I am tempted to swap it for a Synology one.

    Regarding the permanently plugged in drive for back-up….maybe it would be wise to buy a second back-up drive and swap them monthly. I’m assuming it would keep the path the same between drives. I’ve had a problem with it before where a qnap firmware update messed up the assigned name to the drive and my automated back ups stopped working as the path was no longer correct.

    Cougar
    Full Member

    Danny is wise, listen to his words.

    slowoldman
    Full Member

    What does RAID actually give you? As I said above it was designed in a time when large capacity discs simply were not available – that was its purpose, large storage arrays and not any form of back up etc. Now we have large single discs there is just no need for them any more outside of data centres where read and write times still matter.

    Isn’t that ignoring what the R in RAID means?

    FuzzyWuzzy
    Full Member

    I’d say it’s more large capacity drives that have made RAID a less reliable way of having some redundancy (due to high chance of an issue during a rebuild operation). As long as you factor that in though there’s still a place for RAID (preferably 6) in a home NAS – individual disk failures are still much more likely than enclosure or controller failures. I wouldn’t be using cheap 4+TB drives for it though (even with RAID 6) and yes if you want to actually protect the data you need off-site backups too.

    multi21
    Free Member

    dannybgoode
    What does RAID actually give you? As I said above it was designed in a time when large capacity discs simply were not available – that was its purpose, large storage arrays and not any form of back up etc. Now we have large single discs there is just no need for them any more outside of data centres where read and write times still matter.

    The main reason RAID is still and will always be used in data centres is resilience, if a drive dies you can carry on using the system without intervention until the drive is replaced.

    Your ‘cloned data’ scheme is okay, do you use cron or similar to do a sync alternate days to each drive? That would give you the ability to go back a day if you accidentally delete something. The best thing would be to keep the other drives unmounted except when performing the sync. That would help protect you from ransomware.

    The only thing then is bitrot, that’s why IMO Snapraid is a better solution than just copying the data (as it records parity it effectively checksums all your files).

    Of course you need an offsite backup like idrive or backblaze behind that, really.
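
Added example, not part of any post in this thread: a Python checksum manifest that illustrates the bitrot point above and checks the source before a scheduled sync, so a good copy is not overwritten after files have been mass-replaced (as with the zipped files the OP describes). It is not SnapRAID and computes no parity; the function names and the 25% threshold are assumptions.

```python
import hashlib
import os


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path to (size, mtime_ns, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = (
                st.st_size, st.st_mtime_ns, _sha256(full))
    return manifest


def compare(old, new):
    """Classify what changed between an earlier manifest and a fresh one."""
    report = {"bitrot": [], "modified": [], "missing": [], "added": []}
    for rel, (size, mtime, digest) in old.items():
        if rel not in new:
            report["missing"].append(rel)
            continue
        nsize, nmtime, ndigest = new[rel]
        if ndigest == digest:
            continue
        # Content differs although size and mtime are untouched: no normal
        # write did this, so treat it as silent corruption (bitrot).
        if (nsize, nmtime) == (size, mtime):
            report["bitrot"].append(rel)
        else:
            report["modified"].append(rel)
    report["added"] = [rel for rel in new if rel not in old]
    return {kind: sorted(paths) for kind, paths in report.items()}


def safe_to_sync(report, old_count, max_fraction=0.25):
    """Decide whether copying the source over the backup is sensible.

    max_fraction is an assumed threshold: if more than this share of the
    previously known files changed or vanished since the last run, stop
    and let a human look before the good copy is overwritten.
    """
    if report["bitrot"]:
        return False
    if old_count == 0:
        return True
    lost = len(report["modified"]) + len(report["missing"])
    return lost / old_count <= max_fraction


if __name__ == "__main__":
    import sys
    # Usage (hypothetical): python manifest_check.py /path/to/share
    current = build_manifest(sys.argv[1])
    print(f"{len(current)} files hashed under {sys.argv[1]}")
```

A scheduled job would store the manifest from the last good run, rebuild it before mounting the backup drive, and skip the sync whenever `safe_to_sync` returns False.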

    Olly
    Free Member

    Thanks for the nudge, I’ve logged in to mine and run the Security Counsellor, which I hadn’t set up properly.
    Mine’s dual drive, mirroring each other to provide redundancy against drive failure, but I suppose that doesn’t do anything against an attack.
    Easiest thing to do for me is going to be to order another drive in an enclosure, mirror the NAS onto it, and then unplug it while it’s not doing the backup and park it on a shelf.

The topic ‘Help! Qnap NAS hacked and files locked’ is closed to new replies.