How to recover the Qlocker 7z key that affects QNAP NAS

Over the past week, all customers running NAS servers from the manufacturer QNAP have been exposed to a ransomware attack aimed specifically at those servers, exploiting several vulnerabilities present in different pieces of the company's software. These vulnerabilities have now been fixed, but you must update both the QuTS operating system to the latest version and every application installed on your NAS through the App Center. Today in RedesZone we are going to show you how to recover the decryption key, provided the ransomware is still running on your NAS.

Unfortunately, it is still not known how to obtain the decryption key for this ransomware once the files on a QNAP NAS have already been fully encrypted, other than following the instructions and paying 0.01 bitcoin to the cybercriminals behind it. If the encryption of your files is still in progress, you may be able to recover the key used to encrypt, and therefore decrypt, them.

How does Qlocker file encryption work?

The files on the NAS server have been encrypted with the 7z utility that is installed by default on QNAP NAS servers. 7z is a well-known tool for compressing and decompressing files and folders, and, as on any Linux or Windows based system, it can also protect the contents of an archive with a password. What the cybercriminals have done is scan all the volumes on the NAS and encrypt the files inside the different folders.

They have also taken care of deleting the snapshots we had configured: the snapshots are still listed, but they are completely empty. It is not yet known how information could be recovered from these snapshots; since they are block based, it is possible that some data and metadata from the deleted snapshots can still be recovered.

If you have not been affected by this ransomware, our recommendation is that you update the NAS to the latest version of the operating system, update all applications, and follow this 

Recover decryption key from Qlocker files

There are currently two methods to recover the decryption key, but they only work while the ransomware is still running. If the encryption has already finished, these methods will not help you.

Method 1

  1. We connect by SSH to the NAS server as administrator, press "Q" and then "Y" to enter the console without the wizard.
  2. We run the command ps | grep 7z. If there is no 7z process running, or we have rebooted the NAS, bad news: we will not be able to recover the key.
  3. If 7z is currently running, we run the following command: cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z; This replaces the 7z binary with a small script that writes its arguments to /mnt/HDA_ROOT/7z.log and then sleeps, so the next time the ransomware calls 7z the password is logged instead of more files being encrypted.
  4. Once it has run, we wait a few minutes and execute: cat /mnt/HDA_ROOT/7z.log
  5. In this log we will see content similar to this: a -mx=0 -sdel -p mFyBIvp55M46kSxxxxxYv4EIhx7rlTD [PATH]
  6. The string after -p is the password with which the information is being encrypted, and also the one with which the files must be decrypted.

Method 2

  1. We install the Malware Remover program from the App Center and scan the NAS.
  2. We connect by SSH to the NAS server as administrator, press "Q" and then "Y" to enter the console without the wizard.
  3. We run the following command: cp `getcfg MalwareRemover Install_Path -f /etc/config/qpkg.conf`/7z.log /share/Public
  4. If the console returns a "No such file or directory" message, there is nothing we can do: the NAS has been rebooted or the encryption process has already finished.
  5. If it does not return an error, we run: cat /share/Public/7z.log. We will get the key in the same format as before: a -mx=0 -sdel -p mFyBIvp55M46kSxxxxxYv4EIhx7rlTD [PATH]
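Both methods end with the same task: reading the password back out of a 7z.log line. The following script is an added example, not part of the article or of QNAP's tools; it reproduces the Method 1 wrapper in a scratch directory (temporary paths stand in for /usr/local/sbin and /mnt/HDA_ROOT, and the long sleep is left out so the demo returns) and parses the resulting log, also accepting 7z's attached -pPASSWORD form, which the article's log line does not show.

```shell
# Create a fake "7z" in $1 that appends the argument list it was called
# with to the log file $2, which is what the article's 7z.sh does.
make_logging_wrapper() {
    dir=$1; log=$2
    mkdir -p "$dir"
    printf '#!/bin/sh\necho "$@" >> "%s"\n' "$log" > "$dir/7z"
    chmod +x "$dir/7z"
}

# Print the password from the first logged 7z command line that carries a
# "-p" option. Accepts both the separated form "-p SECRET" shown in the
# article's log and 7z's attached form "-pSECRET". Exit status 1 if the log
# holds no password. Runs in a subshell so "set -f" (no globbing while the
# line is split into words) does not leak into the caller.
extract_7z_password() (
    log=$1
    set -f
    while read -r line; do
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -p)   [ $# -ge 2 ] && { echo "$2"; exit 0; } ;;
                -p?*) echo "${1#-p}"; exit 0 ;;
            esac
            shift
        done
    done < "$log"
    exit 1
)

# Constructed demo: call the fake 7z the way the article's log line shows
# (the password value here is made up), then read it back from the log.
demo() {
    tmp=$(mktemp -d)
    make_logging_wrapper "$tmp/sbin" "$tmp/7z.log"
    "$tmp/sbin/7z" a -mx=0 -sdel -p 'mFyBIvp55M46kSdemoYv4EIhx7rlTD' \
        "$tmp/docs.7z" "$tmp/docs"
    extract_7z_password "$tmp/7z.log"
}
```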

We insist that these two methods only work while the ransomware is running and the NAS has not been rebooted in the meantime; otherwise it is not yet known how to recover the affected files. Normally, if you had snapshots configured, the information could be recovered from them, but this ransomware has also "emptied" those snapshots.