Qlocker (QNAP NAS) Ransomware encrypting with extension .7z (!!!READ_ME.txt)


1393 replies to this topic

#1 lowtraxx

Posted 20 April 2021 - 06:40 AM

For those affected by this ransomware, you may be able to receive help using this guide:

QLOCKER - FULL GUIDE how to get your Data back, QNAP NAS Hack

!!! All your files have been encrypted !!!

All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.

To purchase your key and decrypt your files, please follow these steps:

1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".

2. Visit the following pages with the Tor Browser:

gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion

3. Enter your Client Key:

KU1o8mGG4p8moefySdZSI85HX6C2HrkK+bxGuHnuXSbStdiDiGsOyl2BsIZA1x2/d+yiEVnRnJ3TVu1g2C1v8MLKuykVkIhCnCBM/im9MvPs74klClQaL8DxUDLznCwiC0k/0KK3r+usGQXDYarxF34da5kXweU+vv7rS4q9fRUzKW30UDBE9OqpYs3bPENspssr8C2hcEqJxNPtPY2nswVC95tgVlDXdET3w+TIqEIzzQEVxUc7TN55GW8ajyu2d1EO3QVxkTKreoMVED5qDuMXryZe24NfOGuJoNN644JkTChwemiahcdMI77NPa47SDmK8uFiAIHSEXGOR/soqg==

I tried it with the Emsisoft and the ID Ransomware detectors and both said they are not able to identify the ransomware. ID Ransomware gave me the following SHA:
07aadb320e307e1ac9315b1ad739ac467a71b80a
I unplugged the NAS at 8:45, but it was too late already. The encrypted files had already been QSYNC'ed back to my computer. What bothers me is that as soon as the device was unplugged, the encrypting seemed to stop, and I was not yet able to find any trace of an intruder in the logs. As of now I am running the NAS cut off from the internet and no more files were encrypted since then... Hopefully someone here may be able to help. I am attaching the READ_ME.

Thank you!

#2 wee-eddie

Posted 20 April 2021 - 07:06 AM

Just a thought ~ Maybe way off beam ~ 7z is a Zip File program and that's how its files display



#3 lowtraxx (Topic Starter)

Posted 20 April 2021 - 07:10 AM

I know what a 7z file is. But I haven't seen a QNAP ransomware that uses it as an actual extension. All files are now encrypted 7z files with a .pdf.7z extension for example.

#4 koueihou

Posted 20 April 2021 - 08:26 AM

I'd like to add that I've seen the exact same ransomware this morning. My QNAP NAS is now completely hosed. Nothing super irreplaceable, but annoying to recover.



#5 illo

Posted 20 April 2021 - 11:00 AM

Dear all, I have the same situation.

I found that only files smaller than 20 MB were encrypted.

Any idea about the possible method of infection? A compromised service?
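Scoping the damage before touching anything is the first step of the response. The script below is an added example, not code from this thread or from QNAP: it inventories files the way these posts describe them, a `.7z` appended to the original name (`report.pdf` becoming `report.pdf.7z`), and confirms each candidate by its 7z signature bytes (37 7A BC AF 27 1C) so a stray file that merely ends in `.7z` is not counted. It also lists files over 20 MB that were not renamed, so the "only files under 20 MB" observation above can be checked against your own data. It assumes a POSIX shell with `find`, `od` and `mktemp`; the sample tree it builds is constructed for the dry run and nothing outside that temporary directory is touched.

```shell
#!/bin/sh
# Added example, not code from the thread. Inventory files that look like
# Qlocker output as the posts describe it: the original name with ".7z"
# appended (report.pdf -> report.pdf.7z). Each candidate is checked for the
# 7z signature bytes 37 7A BC AF 27 1C so a stray file that merely ends in
# .7z is not counted. Needs only POSIX sh, find, od and mktemp.

# True when FILE begins with the 7z archive signature.
is_7z_archive() {
    [ "$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')" = "377abcaf271c" ]
}

# Every *.7z under DIR that really is an archive, as "archive<TAB>original name".
# The original name is what the file should be called again after recovery.
list_encrypted() {
    find "$1" -type f -name '*.7z' | while IFS= read -r f; do
        if is_7z_archive "$f"; then
            printf '%s\t%s\n' "$f" "${f%.7z}"
        fi
    done
}

# Number of such files: the first figure to record when scoping the incident.
count_encrypted() {
    list_encrypted "$1" | wc -l | tr -d ' '
}

# Files over 20 MB that were not renamed. One poster observed that only files
# under 20 MB were touched; this lists the large ones so that claim can be
# checked on your own data (20 MB = 40960 blocks of 512 bytes, POSIX -size).
list_large_untouched() {
    find "$1" -type f ! -name '*.7z' -size +40960
}

# Constructed sample tree for a dry run; nothing outside the temp dir is touched.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/docs"
    printf '7z\274\257\047\034payload' > "$dir/docs/report.pdf.7z"   # real 7z header
    printf '7z\274\257\047\034payload' > "$dir/photo.jpg.7z"          # real 7z header
    printf 'plain text' > "$dir/notes.txt.7z"                         # decoy: .7z name, no header
    printf 'intact' > "$dir/movie.mp4"                                # untouched file
    printf '%s' "$dir"
}

# Dry run on the constructed tree:
#   d=$(make_sample_tree); count_encrypted "$d"; list_encrypted "$d"; rm -rf "$d"
# Live use on a share (read-only, nothing is modified):
#   list_encrypted /share/CACHEDEV1_DATA > /tmp/qlocker_inventory.tsv
```

Run the inventory against a share mount point and keep the output: it gives the count for the incident record, and the second column is the rename target should a decryption route appear later. Nothing here deletes or renames anything; that decision belongs after the inventory, not before.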



#6 Amigo-A (Security specialist and Ransomware expert)

Posted 20 April 2021 - 01:19 PM

It should now identify as a Qlocker.

https://id-ransomware.malwarehunterteam.com/

My site: The Digest "Crypto-Ransomware" + Google Translate


#7 polarbear616

Posted 20 April 2021 - 04:31 PM

OK, finally I found I am not the only one.

At least half of my files, almost all PDFs and pictures, are .7z files now.

A small number of .exe and .mp3 files became .7z.

MP4 video files look 100% fine.

From last month I found every day an average of 7xx attempts of HTTP login from different countries. I have enabled the firewall now.

The .7z compression started April 18th, until last night when I found out.

My last backup was from last year with the most important data, better than total loss.

If we have a large enough number of "victims", we can get some experts to work on finding a solution.



#8 Compushark

Posted 20 April 2021 - 05:41 PM

Let me join the party. A client of mine got hit as well. Of course the external HD backup was failing... and they didn't want to subscribe to online backup.

They're asking my client .01 BT, which translates to $715 Canadian.


Edited by Compushark, 20 April 2021 - 05:54 PM.


#9 petergdownload

Posted 20 April 2021 - 06:01 PM

Me too.

Can watch the processes running 7z as we speak. It's frustrating that there seems to be no way to stop the encryption. The 7z process is over before you can type a KILL command. Can't determine the 'master' process easily.

Seems people getting here entered the README link? That would suggest it's generic and every affected PC would have the same decrypt password. If anyone does pay (and I'd be interested how much they're asking) please post the password as it will likely unlock all systems.

Just a question. Does this mean that the hackers have actually got my admin password, or have they simply managed to install a program that has run without admin privileges?

Also, will QNAP be releasing an update to the Malware Remover - is that standard practice? 99% of my files are bigger than 20 MB (so 'safe') and it would be good to just clean out the virus, delete the affected files and try to move on.



#10 polarbear616

Posted 20 April 2021 - 06:18 PM

I guess QNAP will be able to release a fix for this security issue. Maybe they already did.

I found the "check firmware upgrade" in QNAP does not give you the latest. To get the latest, you still need to go to their web site to download and manually update your firmware.

On finding a solution to get your files back - unknown. We need some professional in this field to release a specific "extractor" for this ransomware.



#11 polarbear616

Posted 20 April 2021 - 06:21 PM

> Can watch the processes running 7z as we speak. It's frustrating that there seems to be no way to stop the encryption. The 7z process is over before you can type a KILL command. Can't determine the 'master' process easily.

I want to ask how to find out if the process has ended? How to kill it?

I still don't know. Any direction you can provide?
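The point made above is that each 7z worker exits before you can react, so killing workers one at a time is a losing race; what ends the encryption is stopping the parent that keeps launching them. The script below is an added example, not code from the thread or from QNAP. It assumes process snapshots in the shape of `ps -eo pid,ppid,comm` (QNAP's busybox `ps` may lay columns out differently, so check `ps --help` on the NAS first) and that the worker binary is named `7z`, `7za` or `7zr`. The sample snapshot, its PIDs and names are constructed for the demo; the `/proc` paths used when containing a live parent are standard Linux.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a snapshot in the shape of
# `ps -eo pid,ppid,comm` (an assumption: QNAP's busybox ps may format columns
# differently), pick out the short-lived 7z workers and the one longer-lived
# parent that keeps launching them. The parent is what to stop and examine.

# Constructed sample snapshot; PIDs and names are made up for the demo.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
  842     1 sshd
 2301     1 sh
 2317  2301 7z
 2318  2301 7z
 2320   842 bash'

# PIDs of every 7z worker in the snapshot (7z, 7za and 7zr are the usual binary names).
find_7z_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($3 == "7z" || $3 == "7za" || $3 == "7zr") { print $1 }'
}

# Distinct parent PIDs of those workers: the process that is spawning them.
find_7z_parents() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($3 == "7z" || $3 == "7za" || $3 == "7zr") { print $2 }' | sort -u
}

# Freeze a suspected parent, record what it is, then terminate it.
# STOP first so it cannot launch another worker while you look at it;
# the /proc entries are standard Linux and tell you which binary, working
# directory and command line to save for the incident record.
contain_parent() {
    pid=$1
    kill -STOP "$pid" || return 1
    echo "pid:  $pid"
    echo "exe:  $(readlink "/proc/$pid/exe")"
    echo "cwd:  $(readlink "/proc/$pid/cwd")"
    echo "cmd:  $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    kill -KILL "$pid"
}

# Dry run on the constructed snapshot:
#   find_7z_pids "$SAMPLE_PS"      # 2317 and 2318
#   find_7z_parents "$SAMPLE_PS"   # 2301
# Live use on the NAS over SSH (assumed ps syntax):
#   snapshot=$(ps -eo pid,ppid,comm)
#   for p in $(find_7z_parents "$snapshot"); do contain_parent "$p"; done
```

Take two snapshots a few seconds apart: workers with new PIDs but the same parent confirm which process to contain. Keep the `contain_parent` output, since the binary path and command line are what QNAP support or a malware analyst will ask for, and disconnect the NAS from the network afterwards rather than trusting that the parent was the only foothold.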



#12 Compushark

Posted 20 April 2021 - 07:01 PM

1. Has anyone paid the ransom?

2. Has anyone tried contacting a ransomware recovery company?



#13 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 20 April 2021 - 07:09 PM

> 2. Has anyone tried contacting a ransomware recovery company?

Please read my comments in this topic as to what we know about those who claim they can decrypt data. In regards to data recovery services specifically, they typically act as a "middleman", pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here. Some data recovery services operate more like scammers while others like Fast Data Recovery have even been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services.

Connecticut-based Coveware CEO Bill Siegel refers to such data recovery services as "ransomware payment mills".

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#14 Compushark

Posted 20 April 2021 - 07:49 PM

Thanks for the info!



#15 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 20 April 2021 - 08:59 PM

You're welcome.





