Ransomware attack

Have a TS653A QNAP NAS in RAID 6. Have a Windows 10 PC that I access from. Firmware QTS 5.2.3.3006, just upgraded today.

I have not been accessing my NAS for a LONG time and just restarted it as I was going to begin using it for security cameras and explore uses beyond just backing up home pics and videos. I began the process of updating firmware and software. Discovered that 2 of the 4 4TB WDRed drives have some SMART issues, so I have now ordered 4 new 8 TB Seagate drives to replace them.

Went into File Station and noticed all pics were zip files. TXT doc says all my files have been encrypted. “Dowload the Tor Browser at “https://www.torproject.org/”. If you need help, please Google for “access onion page”.”
From what I can tell this is Qlocker? I see instructions by QNAP using another drive to attempt recovery. I am starting to look through what is encrypted and honestly I may not have a problem. I suspect much of this is still on my PC. My video files might have been a bigger issue, but looks like they did not encrypt them.

Question is, how successful is the QRescue process? Can it be done within the NAS (as in plug in one of the Seagate drives when I get them to recover the files) or would I need to attach that drive to my PC? Are the new updates plugging holes that allowed this to happen? I was going to contact QNAP, as I saw some reference to tech support being able to help, but would they offer anything remotely, or just direct me to the Knowledge Base to do it with QRescue myself?

Looked at the date of the TXT file and it was 4/21/2021. Yes, I have not been using my NAS for a while. Was excited to get this thing going again, and exploring using it more to its potential, then found this crap. Possible I will bail on decryption attempts if I find I have it all on my main PC still.

File rescue depends on free space at the time of encryption and if the NAS was used afterwards (deleted files were overwritten).

Okay. Looks like I will not need to try to recover my data. Most of my picture files that were on the NAS were also on my desktop but there were quite a number of them that were missing from the desktop. Turns out I had copied them over to the NAS from my last desktop computer without putting them on the new desktop. I still had that old hard drive and hooked it up today and everything that I was missing seems to be there.

Given that, and the fact that two of my hard drives are showing some warnings regarding the SMART function, I think I’m just going to pull out all four hard drives and start fresh with the four new eight terabyte hard drives that I have ordered. The 2 4 TB hard drives that still work will be useful as I can just wipe them and put them in the NAS, and use them for recording security video as I am in the midst of setting up my own security system. Thanks for your reply. Fortunately I got very lucky.

Before you do that, make sure your NAS is not exposed to the internet. Otherwise you’ll end up with ransomware on it again. No port forwarding from router to NAS. Disable UPnP on your router and NAS. I would strongly advise NOT to use myQNAPcloud or any other NAS sharing feature.

Use a dedicated VPN server either on your router or a Raspberry Pi on your network to get any remote access to your NAS if required to do so.
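The triage the original poster did by hand (checking which encrypted files still exist on the desktop or the old drive before deciding whether recovery is needed) can be scripted. This is an added example, not part of the thread and not a QNAP tool; the `.7z` suffix, the function names and the sample tree are assumptions, so set the suffix to whatever File Station shows.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".7z"  # assumption: suffix appended to the original file name

def index_names(roots):
    """Map lower-cased file name -> paths of copies found under `roots`."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                found.setdefault(name.lower(), []).append(Path(dirpath) / name)
    return found

def triage(nas_share, copy_roots, suffix=ENCRYPTED_SUFFIX):
    """Split encrypted archives into (has_copy, no_copy) by original name."""
    # A name match is only a hint: the original content is unreadable on the
    # NAS, so open the copy before relying on it.
    copies = index_names(copy_roots)
    has_copy, no_copy = {}, []
    for dirpath, _dirs, files in os.walk(nas_share):
        for name in files:
            if not name.lower().endswith(suffix):
                continue  # not archived, e.g. the videos that were left alone
            archive = Path(dirpath) / name
            hits = copies.get(name[: -len(suffix)].lower())
            if hits:
                has_copy[archive] = hits[0]
            else:
                no_copy.append(archive)
    return has_copy, sorted(no_copy)

def build_sample(root):
    """Constructed sample tree: a NAS share, a desktop and an old drive."""
    layout = ["nas/Photos/a.jpg.7z", "nas/Photos/b.jpg.7z", "nas/Video/clip.mp4",
              "desktop/Pictures/a.jpg", "old_drive/B.JPG"]
    for rel in layout:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return Path(root, "nas"), Path(root, "desktop"), Path(root, "old_drive")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        nas, desktop, old = build_sample(tmp)
        _, missing = triage(nas, [desktop])
        print("no copy on desktop:", [p.name for p in missing])
```

Run it against a read-only mount of the share; anything left in the second list has no copy elsewhere and is what a recovery attempt would need to cover.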