Ransomware Qlocker: How to restore your data (for the most part)

19. May, 2021

At the end of April thousands of QNAP users were hit by a ransomware attack. The hackers used an exploit to encrypt all the files on the NAS drives with 7-zip using a 32 character long key for an AES encryption. As ransom they wanted 0,01 Bitcoins, about 500 Dollars. Some were lucky, but some of the victims paid the ransom, but got no key to decrypt their files. In the meantime the amount was tripled to 0,03 Bitcoins.

 Qlocker 01Two Austrian security experts analyzed the method the hackers used and found out, that they made the mistake to delete the original files after encryption. So by undeleting the files on the ext4 partition you get most of your files back, but sadly with no meaningful names, without a directory structure and all with the same timestamp. What was needed, was a script that looks for the original names and timestamps. By matching the size and CRC32 of the original and the undeleted files most of the information is recoverable. But be aware that you will not get back all of your files!

Here is the writeup and the basic script to get the files back. In one instance it was able to recover about 90% of the files.

Download PDF

Download shell-script

Source:

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

secure online gaming
Security
Cyber Security Awareness
destroy

Wiper-Malware

deepfake

Deepfakes in Cyber attacks

Screen IKARUS mail.security light mode
Screenshot Nozomi Guardian: Threat Intelligence
IoT
smartphone malware
BlackCat Ransomware
IKARUS portal
Hacker

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download