PC Pro

Star letter

- Mark Robson

I got caught by the Qlocker Qnap ransomware, which used 7-Zip to encrypt NAS files. Why am I owning up when I should know better? Because sharing might just help others in the future.

I use a Qnap TS-231P two-disk NAS at home for “non-essential” files. It would be an inconvenience if I lost them, but they aren’t business related/mission-critical. The NAS is online so that my family across the world can access photos.

I had what I thought was solid security: 1) regular updates of user passwords, 2) daily backups with Qnap’s Hybrid Backup Sync (HBS), 3) malware-removal software, 4) antivirus software, 5) forced logon protection, blocking IP addresses forever on two failed login attempts. But I was wrong. The ransomware came in through a backdoor in HBS.

When the ransomware was injected, it was “unfortunate” that it was between malware scans, between backups and just after I’d uploaded a healthy amount of images, rescued after many months of rescue utilities and fiddling with my deceased father’s USB drive.

I did have offline backup syncs, which meant the damage incurred was reduced – it was just a timing issue that meant the recently rescued images (and several other uploaded folders) were encrypted and locked. So, in all, about 5% was lost and 95% was locked and had to be removed and reset – a workload and an admin inconvenience. It was annoying, but luckily on the whole it was covered.

But, of course, the lovingly restored photos of my late father were locked. Murphy’s law. Can I rebuild from the dead USB drive? Probably. My biggest mistake? After rebuilding the images from my father’s USB drive, I didn’t immediately take a backup. I copied them to the NAS drive, blew a sigh of relief but they immediately got locked and the fragile USB, on its last legs, fell over and died.

So who’s at fault? Me because I didn’t have minute-by-minute backups in place? Qnap because it was its product and, while it recognised the issue and implemented a fix, I didn’t get a notification and by the time I’d seen the media coverage online it was too late? Or the Qlocker ransomware team?

We discovered that Qlocker had shut down the dark web option to buy the encryption code with Bitcoin (an option I didn’t consider – although, due to the photos involved, I must admit to being tempted). As a friend said, “the Irish NHS has had its encryption code supplied (see p118) – perhaps the Qlocker team will do the same? Isn’t it unethical to lock your data and then remove any chance of retrieving it?” Yes, and that’s why they’re in the ransomware game.

Hopefully, this will help other readers to check their security, but for me, the NAS is offline and I’ll go back to emailing photos to my family or loading them to OneDrive and sharing folders.

Our star letter writer wins their very own PC Pro mug to help them get through even the sternest IT challenge. For your chance to win, email letters@pcpro.co.uk
