QNAP Technical Support has updated the support ticket Q-202104-09706. To check this ticket, go to QNAP Customer Portal. A preview of the updated ticket is shown below:
Dear khun Pinet,
I can’t recover the snapshot; this ransomware deleted the snapshot before encrypting.
Please try to follow this step.
We really apologize for all the trouble.
We believe that the attack is related to CVE-2020-36195 and CVE-2021-28799.
So we strongly recommend updating Multimedia Console, HBS3 and Media Streaming Add-on to the latest version, as well as changing the default web port 8080 (and please do not reboot or shut down the NAS).
We also released a new Malware Remover policy, which will scan for the ransom attack and recover the encryption key if the encryption is still in progress.
If you have already shut down/rebooted the NAS or the encryption is done, unfortunately, there is no solution yet. At that point, the data will only be recoverable if you have previously made a backup.
If you find that the encryption is still in progress (you MUST NOT reboot or shut down the NAS), just follow the steps below to get the encryption key while the process is still running.
Method 1
Install Malware Remover from App Center and run it manually;
Connect to the NAS over SSH;
Use the command below to find out if ransomware is still in progress.
If the command returns ‘No such file or directory’, it means the NAS has been rebooted or the encryption process has finished; if that is the case, unfortunately there is nothing that can be done to help;
If the command has been executed without issue, you can see 7z.log on the NAS in the Public folder, which will include the password;
The password will look like below:
a -mx=0 -sdel -pmFyBIvp55M46kSxxxxxYv4EIhx7rlTD [FOLDER PATH]
mFyBIvp55M46kSxxxxxYv4EIhx7rlTD is the password
You can reboot the NAS and use the password to decrypt the files;
If you don’t know how to read the password, you may send the complete message with the NAS diagnostic log to QNAP Support.
Use the command below to find out if ransomware is still in progress.
ps | grep 7z
If there is no 7z, it means the NAS has been rebooted or the encryption process has finished; if that is the case, unfortunately there is nothing that can be done to help;
If 7z is running, copy/paste the command below and press Enter (1 line)
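An added example, not part of QNAP's message and not the command the ticket refers to: a shell function that reads the password out of logged 7z command lines in the format shown under Method 1 (`a -mx=0 -sdel -p<password> [FOLDER PATH]`). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).

# extract_7z_passwords [FILE...]
# Reads logged 7z command lines from FILE(s) or stdin and prints each
# distinct password given with the "-p<password>" switch, one per line.
extract_7z_passwords() {
    awk '
    {
        seen_add = 0
        for (i = 1; i <= NF; i++) {
            # "a" is the 7z "add to archive" command; switches follow it.
            if ($i == "a") { seen_add = 1; continue }
            if (!seen_add) continue
            # The first token that is not a switch is the folder path:
            # stop there so a "-p..." inside a path is never mistaken
            # for the password switch.
            if (substr($i, 1, 1) != "-") break
            if (substr($i, 1, 2) == "-p" && length($i) > 2) {
                pw = substr($i, 3)          # text after "-p"
                if (!(pw in found)) { found[pw] = 1; print pw }
                break
            }
        }
    }' "$@"
}

# Constructed sample input in the shape of the line quoted in the ticket.
sample_log() {
    cat <<'EOF'
a -mx=0 -sdel -pCONSTRUCTEDpw0001 /share/Public/docs
7z a -mx=0 -sdel -pCONSTRUCTEDpw0001 /share/Public/my -photos
a -mx=0 -sdel -pCONSTRUCTEDpw0002 /share/Download
unrelated line with -pnotapassword
EOF
}

sample_log | extract_7z_passwords
```

On a copy of the real log, pass the file as the argument instead of piping the sample.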