QRescue    Response to Qlocker    Q&A

 

 

Q & A

 

 

Q  Which vulnerability is used by the malware to gain access to my NAS?

A  https://www.qnap.com/go/security-news/con_show.php?cid=975

The attacks observed so far rely on weak passwords and exploited vulnerabilities.
Administrators are advised to:

  1. Check system logs regularly to ensure there are no abnormal failed login attempts.
  2. Update the OS and all apps to the latest versions.
  3. Don’t expose the NAS to the Internet. If it has to be exposed, avoid enabling port forwarding on the default port. Instead, use a VPN or myQNAPcloud Link.
  4. Disable the "admin" account.
  5. Enable a firewall.
  6. Refer to the best practice: https://www.qnap.com/en/how-to/faq/article/what-is-the-best-practice-for-enhancing-nas-security

 

Q  Why is my NAS affected by the Qlocker?

A   A NAS that is directly exposed to the Internet, or that has port forwarding/UPnP enabled on default ports, is likely to be affected. To protect against Qlocker, users should update HBS3 to the latest version. Keeping the OS and apps up to date is recommended. Follow the best practices to enhance NAS security: https://www.qnap.com/go/how-to/faq/con_show.php?cid=1061

 

Q  Why are snapshots unable to provide the expected protection level?

A  The ransomware obtained illegal privileges and executed commands to remove the snapshots. Snapshots are helpful when a PC is attacked by malware/ransomware. To protect a NAS that is itself attacked by malware/ransomware, we strongly recommend that users follow the 3-2-1 backup strategy and use snapshot replica to protect data.

 

Q  How do I know if the NAS has been affected by Qlocker?

A  https://www.qnap.com/go/how-to/faq/con_show.php?cid=1349
If you suspect your NAS has been affected by Qlocker, you would notice the following symptoms:

  • All encrypted files have a 7z extension
  • There is a !!!READ_ME_txt file in every folder
  • QNAP Resource Monitor displays numerous '7z' processes which are the 7zip command-line executable
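
The three symptoms above can also be checked from a shell on the NAS. The script below is an added example, not QNAP tooling: the function names, the glob used to match the ransom note and the share path in the usage comment are assumptions, and it only reads the file system and /proc.

```shell
#!/bin/sh
# Added example: read-only triage of one share for the Qlocker symptoms above.
# Assumption: the ransom note is matched with a glob, so the exact spelling
# of its extension does not matter.
NOTE_GLOB='!!!READ_ME*'

# Print the number of lines on stdin without padding.
count_lines() { wc -l | tr -d ' '; }

# Files ending in .7z (case-insensitive) below DIR.
count_archives() { find "$1" -type f -iname '*.7z' | count_lines; }

# Files that are neither .7z nor a ransom note, i.e. not (yet) encrypted.
count_plain() {
    find "$1" -type f ! -iname '*.7z' ! -name "$NOTE_GLOB" | count_lines
}

# Directories below DIR that contain a ransom note.
count_note_dirs() {
    find "$1" -type f -name "$NOTE_GLOB" | sed 's|/[^/]*$||' | sort -u | count_lines
}

# Running processes whose command name is exactly "7z", read from /proc.
count_7z_procs() {
    cat /proc/[0-9]*/comm 2>/dev/null | awk '$0 == "7z" {n++} END {print n+0}'
}

# One-line summary for DIR. The verdict is "suspect" only when a ransom note
# is present, because ordinary .7z archives also exist on healthy systems.
qlocker_symptoms() {
    archives=$(count_archives "$1")
    plain=$(count_plain "$1")
    notes=$(count_note_dirs "$1")
    if [ "$notes" -gt 0 ] && [ "$archives" -gt 0 ]; then verdict=suspect
    else verdict=no-symptoms; fi
    echo "archives=$archives plain=$plain note_dirs=$notes verdict=$verdict"
}

# Usage: sh triage.sh /share/Public   (the path is an example)
if [ "$#" -gt 0 ]; then
    qlocker_symptoms "$1"
    echo "7z_processes=$(count_7z_procs)"
fi
```

A non-zero `plain` count next to a `suspect` verdict means some files in that share still have their original names.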

 

Q  How can I determine if I have been affected by Qlocker?

A  

  1. Install Malware Remover on the NAS.
  2. Perform a manual Malware Remover scan and check whether any malware is detected.
  3. Go to Resource Monitor and check whether there are 7z processes with high resource usage.

 

Q   If I'm already affected by the ransomware, will it help to install app updates right away?

A   It is recommended to install Malware Remover first and perform a manual malware scan. After that, contact QNAP Technical Support.
https://www.qnap.com/go/how-to/faq/con_show.php?cid=1348

 

Q  My files are encrypted and I do not have any backups. Is it possible to unlock my files?

A  For a Qlocker attack on a QNAP NAS, it depends on the prior condition of the NAS. If Malware Remover is installed, there's a chance that the data can be recovered. Please contact QNAP Technical Support to further analyze individual cases. https://service.qnap.com/

 

Q   What should I do if my files are currently being encrypted?

A   https://www.qnap.com/go/how-to/faq/con_show.php?cid=1348

 

Q   How can I enable auto updates?

A  OS: Control Panel > System > Firmware Update > Auto Update
App: App Center > Settings > Update
Since QTS 4.5.3, App Center includes a new feature that auto-updates required apps.

 

Q  I have the backup file for restoring / I got the encryption key for restoring. Do I need to reinstall the system?

A  Malware Remover can delete all known Qlocker-related files. If you have any concerns, you can still back up your data, reinitialize the NAS, and then restore the data to the NAS.

 

Q  How can I receive QNAP security advisories once they're released?

A  Users can log in to https://account.qnap.com with their QNAP ID, click “my subscription”, turn on the “Subscribed” feature, choose “security advisory” and then save the settings. After that, users will receive security advisories at the email address registered with their QNAP ID.