You are here: / / / / Ransomware Qlocker: How to restore your data (for the most part)

Ransomware Qlocker: How to restore your data (for the most part)

19. May, 2021

At the end of April thousands of QNAP users were hit by a ransomware attack. The hackers used an exploit to encrypt all the files on the NAS drives with 7-zip using a 32 character long key for an AES encryption. As ransom they wanted 0,01 Bitcoins, about 500 Dollars. Some were lucky, but some of the victims paid the ransom, but got no key to decrypt their files. In the meantime the amount was tripled to 0,03 Bitcoins.

Qlocker 01Two Austrian security experts analyzed the method the hackers used and found out, that they made the mistake to delete the original files after encryption. So by undeleting the files on the ext4 partition you get most of your files back, but sadly with no meaningful names, without a directory structure and all with the same timestamp. What was needed, was a script that looks for the original names and timestamps. By matching the size and CRC32 of the original and the undeleted files most of the information is recoverable. But be aware that you will not get back all of your files!

Here is the writeup and the basic script to get the files back. In one instance it was able to recover about 90% of the files.

Download PDF

Download shell-script

Source:

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

Security tips conveniently in your inbox: Subscribe to IKARUS News now
Account Management

Account management: The underestimated risk of forgotten user accounts

Bedrohung

Threat Modelling: Guidelines for creating practical threat models

Indicators of Attack

IoC and IoA: definition, examples, benefits

Gefahren durch vertrauenswürdige Services

Living off Trusted Sites: cyber attackers abuse legal services

Threat Intelligence

Effective integration of threat intelligence with cyber defence

SQL Injection

SQL Injection: Attacks by malicious code in website requests

SMTP Smuggling

IKARUS mail.security detects SMTP smuggling

Cyber-Risiken in der Ferienzeit

Cyber risks in the holiday season

passkey

Passkeys as a secure alternative to passwords

Dynamische Cybersicherheit

5 top IT security strategies for dynamic cyber security

NIS2

NIS2 Directive successfully implemented

Harmony Mobile by Check Point

Harmony Mobile new in the IKARUS portfolio

EU Machinery Regulation

EU Machinery Regulation 2023

Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest
NIS2

Cyber Security Schecks 2023: Funding for NIS2-affected SMEs

Infostealer

Recognise, understand and defend against info stealers

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download

MORE INFORMATION

Webshop
Legal notice
GTC
EULA
Privacy Policy
Fax not (any longer) compliant with data protection?FaxprivateSecure communication: How to encrypt and sign your emails