Ransomware attack on my QNAP


  • Please log in to reply
4 replies to this topic

#1 tando

  • Members
  • 2 posts
  • Gender:Male
Posted 07 January 2017 - 09:56 PM

Hi,

I've been hit by a ransomware attack on my QNAP filer, both volumes.

I've tried a couple of different files on the ID tool to try and ID it, without luck.

Details are here:

Please reference this case SHA1: 024580bbda687295830edcf098e27f39d92658cb

If you can help that would be great; otherwise I'm going to have to try and recreate as much of the encrypted information as I can.

All the attached computers are Mac: Mini, iMac and MacBook.

Regards,

Tony




#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,762 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 January 2017 - 09:34 AM

The case SHA1 will help Demonslay335 since he maintains ID Ransomware but you will need to wait until he logs in to Bleeping Computer.

Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, is the extension the same for each encrypted file or is it different?

Did you find any ransom notes and if so, what is its actual name?

The best way to identify the different ransomware families is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.
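The artifacts quietman7 asks for (note file names, the SHA1 that an ID Ransomware case reference is built on, and whether every encrypted file carries the same appended extension) can be collected from a mounted share in one pass. The script below is an added example for this thread, not code from BleepingComputer or from the ID Ransomware project. The note-name pattern, the list of "known" extensions and the sample directory tree it builds are constructed assumptions; point `triage()` at the real share mount instead of `build_sample_share()` when using it.

```python
"""Triage a mounted NAS share after a suspected ransomware hit.

Added example (not from the thread or from ID Ransomware). Walks the share,
records every probable ransom note with its SHA1, and tallies the extensions
appended to encrypted files so you can tell whether the suffix is uniform.
The note-name regex, KNOWN_EXTS and the sample tree are assumptions.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Assumption: words that commonly appear in ransom-note file names.
# The two names seen in this thread (zip-password.txt, how-to-decrypt.txt) match.
NOTE_NAME_RE = re.compile(
    r"(decrypt|restore|recover|ransom|readme|how[_-]?to|password|help)",
    re.IGNORECASE,
)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}

# Assumption: benign extensions you expect on the share. A file whose inner
# extension is one of these but whose outer one is not looks encrypted,
# e.g. "taxes.pdf.locked".
KNOWN_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt", ".mp4", ".mov", ".zip"}


def sha1_of(path, chunk=1 << 16):
    """SHA1 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name):
    """Return ('note', None), ('encrypted', appended_ext) or ('normal', None)."""
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in NOTE_EXTS and NOTE_NAME_RE.search(root):
        return "note", None
    inner = os.path.splitext(root)[1].lower()
    if ext not in KNOWN_EXTS and inner in KNOWN_EXTS:
        return "encrypted", ext
    return "normal", None


def triage(share_root):
    """Collect note paths with SHA1 and a count of appended extensions."""
    notes = {}                 # relative path -> sha1
    ext_counts = Counter()     # appended extension -> number of files
    for dirpath, _dirs, files in os.walk(share_root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            kind, appended = classify(fname)
            if kind == "note":
                notes[os.path.relpath(full, share_root)] = sha1_of(full)
            elif kind == "encrypted":
                ext_counts[appended] += 1
    return {
        "notes": notes,
        "appended_extensions": dict(ext_counts),
        # One distinct suffix answers quietman7's "same for each file?" question.
        "uniform_extension": len(ext_counts) == 1,
    }


def build_sample_share():
    """Constructed sample tree: two identical notes, three encrypted files, one untouched."""
    root = tempfile.mkdtemp(prefix="nas_triage_")
    note_text = "!!!Warning Message!!!\nTo get your files fast, please transfer ...\n"
    layout = {
        "zip-password.txt": note_text,
        "Photos/how-to-decrypt.txt": note_text,
        "Photos/IMG_0001.jpg.locked": "x",
        "Photos/IMG_0002.jpg.locked": "x",
        "Docs/taxes.pdf.locked": "x",
        "Docs/notes.txt": "plain, untouched file",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    result = triage(build_sample_share())
    for rel, digest in sorted(result["notes"].items()):
        print(f"note  {digest}  {rel}")
    print("appended extensions:", result["appended_extensions"])
    print("uniform extension:", result["uniform_extension"])
```

Expect false positives from the note regex (a legitimate README.txt will be listed), so treat the output as a shortlist to read by hand; what matters for identification is that identical notes hash identically, so one SHA1 per distinct note is all you need to quote when asking for help.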

#3 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 08 January 2017 - 11:43 AM

Ah, I've seen this note come through a few times and haven't been able to find info on it myself.

Here's the contents of the ransom note "zip-password.txt".

--------------------------------
!!!Warning Message!!!

We are sorry to say that your computer and         
but wait, don't worry. There is a way that you can restore your computer and all of your files

To get your files fast, please transfer 0.22 Bitcoin
to our wallet address 123vgUFtPmUUAqGHm9Eksk4vU1xwmAWqMN and click "Check Wallet and Decrypt files" button.
Payment should be confirmed in about 2 hours after payment made.

How to buy Bitcoins?
Please check this website https://coinatmradar.com/ where you can find Bitcoin ATM all over the world.
---------------------------------
After payment, write write on e-mail and get your password martin_travian@onet.pl

Since it mentions pressing a button, is there a window open on a PC? We will need the malware itself to analyze since it is new.



#4 tando (Topic Starter)

  • Members
  • 2 posts
  • Gender:Male

Posted 08 January 2017 - 03:15 PM

Hi,

The button mentioned is the wallet address, is it not? I thought it was something to do with payment through a Bitcoin ATM?

There is no window; the affected file systems are on a QNAP TS451 and only have Mac OSX devices attached.

There are two ransomware notes, both with the same text.

One is the above "zip-password.txt" and the other is "how-to-decrypt.txt".



#5 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 08 January 2017 - 03:25 PM

It wouldn't say "Check Wallet and Decrypt files" on a site that just sells Bitcoins; that sounds like it would be on the malware.

Are you sure there isn't a single Windows system on the network at all? Also, does the QNAP have the latest available firmware for that model? I've heard of NAS devices being hacked directly before if their firmware isn't patched.

