QNAP Qlocker Ransomware


RMerlin

Asuswrt-Merlin dev
Ransomware has been infecting QNAP NASes this week. I've personally had to deal with two of my customers who were affected, and tomorrow I'll have to contact all my other customers with QNAP products to ensure they are secure.


Make sure you update your firmware, as well as Hybrid Backup:


I can cut some slack for software bugs, as these happen. Hardcoded credentials, however, are a sin.

This isn't the first time I've had to personally handle ransomware and malware that specifically targeted QNAP NAS. I might seriously have to consider moving to Synology for my future customer needs, as they don't seem to get affected as easily, and they don't require people to install nearly bi-weekly firmware updates like QNAP does. There IS such a thing as "update fatigue": if updates are too frequent, at some point your customers will say "yeah, whatever, I don't have the time right now to update".
 

sentinelvdx

Very Senior Member
Ransomware has been infecting QNAP NASes this week. I've personally had to deal with two of my customers who were affected, and tomorrow I'll have to contact all my other customers with QNAP products to ensure they are secure.


Make sure you update your firmware, as well as Hybrid Backup:


I can cut some slack for software bugs, as these happen. Hardcoded credentials, however, are a sin.

This isn't the first time I've had to personally handle ransomware and malware that specifically targeted QNAP NAS. I might seriously have to consider moving to Synology for my future customer needs, as they don't seem to get affected as easily, and they don't require people to install nearly bi-weekly firmware updates like QNAP does. There IS such a thing as "update fatigue": if updates are too frequent, at some point your customers will say "yeah, whatever, I don't have the time right now to update".

I totally agree. I have 2 NASes, both with auto-update of apps and firmware. I get about 1 firmware update per week, and weekly security updates for apps.
It interrupts me all the time and also makes me worry about how secure my data is (although I have separate backups).
Next upgrade I'll go for Synology unless research suggests otherwise.
QNAP has great products, but security...
 

RMerlin

Asuswrt-Merlin dev
I totally agree. I have 2 NASes, both with auto-update of apps and firmware. I get about 1 firmware update per week, and weekly security updates for apps.

Auto updates might be an option at home (assuming you can schedule them at night), but not in the business space. Some of my customers have 24/7 employees, and employees don't always close all their documents before leaving for the day. And you don't want everyone coming into the office at 9am to find the NAS crashed due to a failed update, or that some update requires reconfiguration (I've seen backup jobs disappear after an update in the past).

And requiring a complete reboot for the majority of updates is also an issue. QTS has become the Windows of Linux platforms, where the software is very monolithic, with only a few components moved to separate applications that can be updated without requiring a reboot. They should look at something more similar to cPanel as an example of a Linux-based product where updates can be done without downtime, except for the usual kernel/glibc/etc. updates.
 

sentinelvdx

Very Senior Member
Auto updates might be an option at home (assuming you can schedule them at night), but not in the business space. Some of my customers have 24/7 employees, and employees don't always close all their documents before leaving for the day. And you don't want everyone coming into the office at 9am to find the NAS crashed due to a failed update, or that some update requires reconfiguration (I've seen backup jobs disappear after an update in the past).

And requiring a complete reboot for the majority of updates is also an issue. QTS has become the Windows of Linux platforms, where the software is very monolithic, with only a few components moved to separate applications that can be updated without requiring a reboot. They should look at something more similar to cPanel as an example of a Linux-based product where updates can be done without downtime, except for the usual kernel/glibc/etc. updates.

No, of course... in a business space I have to plan it, schedule a maintenance window, get approvals, etc. It's insane having updates every week... even if we have redundancy for everything.
 

dosborne

Very Senior Member
Having used QNAP for a number of years, I would not enable auto-update. I like the product in general, but the number of really bad updates is too high. I carefully evaluate each update and give it a few weeks of reviews before updating (and I've skipped quite a few). I disagree with the "weekly" statement; at best it's monthly for releases, and in fact I look at a frequent release cycle as a GOOD thing in general, although with QNAP it is usually to add a "feature" few people want as opposed to bug fixes.

Funny, I had avoided the majority of extraneous options until last month, when I thought I'd give Hybrid Backup a try. LoL. I guess I'll go back to my old method. Fortunately, I guess, my main data is on another brand of NAS (not internet-facing) and the QNAP is a backup with only HBS open.
 

dosborne

Very Senior Member
Also, sadly, reading about the various vulnerabilities: although it is not configured in my case, there is no way to "stop" the Multimedia Console app (at least in the GUI). Most of the built-in apps can be stopped or even removed, but not MMC. This has bothered me for a while, as I like to run as minimalistic as I can and try to completely remove features I don't use. A potential vulnerability is just another reason to be able to stop unused services.
 

RMerlin

Asuswrt-Merlin dev
and in fact I look at a frequent release cycle as a GOOD thing in general,

If you need such frequent releases, then your QA is garbage, or you are doing a very bad job of prioritizing fixes.
 

dosborne

Very Senior Member
If you need such frequent releases, then your QA is garbage, or you are doing a very bad job of prioritizing fixes.

I agree with you to some extent, but I'd rather pick through available updates and do my own research on their viability than have nothing to pick through at all.

I am in no way saying QNAP releases are of good quality, nor that their release cycle is appropriate, but in general, a company that issues updates is better than one that drops a product the day after it reaches its sales quota.

In a perfect world, I'd prefer the old "patch" model where you could take security fixes, for example, and not feature updates that you didn't care about. Obviously, the all-in-one approach is simpler from a support perspective, but there are too many companies that use production clients as unknowing beta testers. QA is not what it used to be, and I've been in software product management for 30 years, so I've seen it all.
 

sentinelvdx

Very Senior Member
Ok, this morning my QNAP detected it... and I'm always up to date on firmware & apps... so I'm really worried about how this malware got in...
I ran a second scan with Malware Remover from QNAP and with an A.V. from my computer. Hopefully my files were not encrypted...

It got detected as MR2102: "Removed vulnerable files or folders. MalwareID: MR2102"
It does not give you any detail about what was removed, or any additional information.

Update I: Apparently, after some research, it's a false positive, because what Malware Remover did was
"renaming 7z to 7z.orig, then placing a presumably safer/filtering 7z there. (But the 7z.orig still works, and it wouldn't take much for the hackers to change to using it instead of 7z.)
It also moves the 7z.log to a safe place, where you can look at it (to perhaps recover the unzip password if you've been hacked)."

So the scary MR2102 message this morning was a side effect of its renaming 7z.

Reddit is a great help... bad of QNAP not to provide any information...

Update II: Response from QNAP support after I complained that there was no detail about what that log means:

Code:
This is a notification that informs of the removal of vulnerable old HBS files.
None of your files should have been removed.
Nothing to worry about.

Update III: They have just released a new firmware, 4.5.3.xxxx, fixing some other vulnerabilities...
 