Data recovery from QNAP QLOCKER

A guide to a simple method for recovering from a QLOCKER attack on a QNAP NAS.


How to recover data from QNAP QLOCKER


In April 2021, a large number of QNAP NAS devices suffered a massive ransomware attack that replaced every file on the storage with a password-protected .7z archive.
The vulnerability exploited is known as CVE-2020-36195 and concerns the Multimedia Console and Media Streaming features.
The ransomware compresses all the original files in the NAS folders by creating a compressed copy of each in a password-locked 7zip archive.

The attack is carried out through SQL injection and affects the following QNAP QTS versions:

  1. QTS 4.3.3
  2. QTS 4.3.6
  3. QTS 4.4.x

At the end of the encryption operations, the ransomware executes secure-deletion commands so that data recovery programs such as Recuva cannot recover the files deleted during the attack.

More information: https://www.qnap.com/de-de/security-advisory/qsa-21-11


The objective of this guide is to recover the password used by the ransomware to encrypt all the data contained in the QNAP and then unlock all the encrypted files.

The proposed method searches forensically, and completely offline, for the password used by the ransomware: while the key is still present in the NAS sectors, any use of the NAS while powered on could cause the loss of this essential information.

  1. Turn off the QNAP.
  2. Clone every single disk contained in the QNAP using ChallengerOS.
  3. Perform a forensic search on the cloned disk or volume using a specific search pattern to locate the encryption command.
  4. Restart the QNAP and decrypt the .7z files using the located password.

Even if you are used to turning off the QNAP via the ACPI signal (by pressing the power button for a few seconds) or from the web control interface, in this case the shutdown must be abrupt: disconnect the power connector.
This is because we must freeze the internal data state (as far as possible) and prevent the ransomware from deleting traces of the files used during the attack.


Extract the disks from the QNAP, numbering them and noting their position and slot so that they can be returned to their original bays later.


Cloning the original QNAP disks is an essential step to safeguard the original data at the binary level.

Although it may seem pointless when you believe the disks are in perfect working order, it is necessary: any data recovery and analysis performed professionally must ALWAYS be carried out on a copy of the original data source.
Next, obtain disks of the same size as or larger than the originals and clone every sector of each original disk to its target drive.

For cloning, we suggest using ChallengerOS, which is designed for the recovery and acquisition of hard drives and other storage devices.

Step 4: Analysis of the disks

The objective of the analysis is to locate traces of the command used by the ransomware to encrypt the files. A design error in the malware leaves a small log file used by QLOCKER recoverable from the disk sectors.

The search must be allowed to run over the whole volume; it may take several hours.
At the end of the analysis, you will be able to locate a fragment of the log that still contains the command used by the ransomware and the key applied when the compressed .7z archives were created.
Browsing through the located occurrences, you will see the -p parameter followed by the password used by the malware.

Note: The following operations can be performed on any operating system and with any hexadecimal editor available.
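As an added example (not part of the original guide or of ChallengerOS), the following Python script performs the search described above over a cloned disk image: it reads the image in chunks, carries an overlap so a log fragment split across a chunk boundary is still found, and extracts the string that follows the -p switch. The command-line form `7z ... -p<password>` used in the pattern, the helper names and the embedded sample fragment are assumptions constructed for illustration.

```python
import io
import re
import sys

# Search pattern: a 7-Zip command line followed by a -p<password> switch.
# Assumption: the archiver is invoked as "7z ... -p<password> ..."; the exact
# command syntax of the ransomware is not stated in the guide.
PATTERN = re.compile(rb"7z[^\x00\r\n]{0,200}?\s-p([^\s\x00]{1,64})")

CHUNK = 16 * 1024 * 1024  # read the cloned disk 16 MiB at a time
OVERLAP = 512             # tail carried over so a fragment split across chunks is found


def scan_stream(fh, chunk=CHUNK, overlap=OVERLAP):
    """Return {absolute byte offset: password candidate} for every pattern hit."""
    hits = {}
    base = 0    # absolute offset of the first byte of the current chunk
    tail = b""  # last `overlap` bytes of the previous chunk
    while True:
        data = fh.read(chunk)
        if not data:
            break
        buf = tail + data
        for m in PATTERN.finditer(buf):
            off = base - len(tail) + m.start()
            cand = m.group(1).decode("latin-1")
            # A hit cut off at the previous chunk end reappears here in full;
            # keep the longer candidate for the same offset.
            if len(cand) > len(hits.get(off, "")):
                hits[off] = cand
        tail = buf[-overlap:]
        base += len(data)
    return hits


def scan_bytes(data, chunk=CHUNK, overlap=OVERLAP):
    """Convenience wrapper: scan an in-memory image."""
    return scan_stream(io.BytesIO(data), chunk, overlap)


def build_sample_image():
    """Constructed sample image (not a real QLOCKER log): 4 KiB of non-text
    filler, one log fragment with a made-up password, then zeroed sectors."""
    filler = bytes(range(256)) * 16
    fragment = b"7z a -mx=0 -p4f3Kq9LmZpWx2Rt8 /share/Public/docs.7z /share/Public/docs\n"
    return filler + fragment + b"\x00" * 1024


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # cloned disk image or raw device
            found = scan_stream(fh)
    else:
        found = scan_bytes(build_sample_image())
    for off, pw in sorted(found.items()):
        print(f"offset 0x{off:x}: -p{pw}")
```

Run it against the cloned image (never the original disk); with a RAID5 clone, run it on each member disk separately, as the side note below suggests.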


The password used during the attack can be located in the initial partition on a RAID1 system, or as a fragment on RAID5. If the search pattern is not found within a few minutes of starting the search, the complete logical volume must be rebuilt.

QNAP devices often use complex LVM layouts, so specialized software products such as UFS Explorer are required to rebuild the LVM volume from the RAID rotation.

Side note:

Since reassembling a RAID5 LVM2 volume is extremely complex, given QNAP-specific features such as thin provisioning, metadata and tiered volumes, it is possible instead to perform the forensic search for the key on every single disk of the RAID, analyzing the stripes of the RAID volume.
