eCh0raix Ransomware - QNAPCrypt/Synology NAS (.encrypt) Support Topic


1197 replies to this topic

#16 quietman7

    Bleepin' Gumshoe
  • Global Moderator

Posted 25 June 2019 - 04:13 PM

@ zerocool64
 

Your topic has been merged with the other related topic.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief




#17 eggxpert


Posted 25 June 2019 - 10:54 PM

Seems all of us are using QNAP NAS. Which version of QTS were you using at the time of the attack? Mine was 4.1.3.



#18 zerocool64


Posted 26 June 2019 - 02:09 AM

I have just upgraded my QNAP to 4.2.6, so I don't think it is relevant.



#19 eggxpert


Posted 26 June 2019 - 03:22 AM

But the latest is 4.3.6... maybe the latest fixes this security issue?

 

I have just upgraded my QNAP to 4.2.6, so I don't think it is relevant.



#20 zerocool64


Posted 26 June 2019 - 05:14 AM

It's an old NAS, so the last firmware is 4.2.6.



#21 alew1s3


Posted 26 June 2019 - 06:41 AM

Same problem for me:

 

I've found a lot of .encrypt files on my RAID 6 in my QNAP TS-459 Pro II with 4.2.6 firmware (this model is discontinued, so this is the last firmware I'll ever get!).
In every encrypted folder there's a text file named "README_FOR_DECRYPT.txt" with the following content:

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/18C28bVEctVtVbwNytt4Uy6k7wxpysdDLH
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to


Do NOT remove this file and NOT remove last line in this file!
mMumP28CF7+6BIrwYfgijM6zZALnzlnsmjyQ/ICl2OgNV52lxzHeJCpJRQ7g3RtizXhTU1eblptidDyzB/ZNkw==

I've checked on the id-ransomware website by uploading some encrypted files, and it said that the ransomware type is "Alpha".

 

I've tried using the Alpha Decrypt tool, but all I got were error messages saying "Error decrypting (wrong password?)".

 

I don't know what to do; those files are important work files and I need to recover them...

 

Please help!

 

 

UPDATE 1: I manually updated the firmware to the same 4.2.6 number, but it is a more recent version (March 2019), and it allowed me to install a new "Anti Malware" app inside the App Center. I ran a scan, it found malware, and I had to change all users' passwords and reboot the NAS. In the meantime I contacted the QNAP help desk (they haven't answered yet).

 

Still trying to figure out how to recover my files...

 

UPDATE 2: I've activated system registry and suddenly there are a lot of attempts to log in via HTTP in my myqnapcloud by strange usernames and IPs, so I totally disabled it.


Edited by alew1s3, 26 June 2019 - 07:21 AM.


#22 CLBe


Posted 26 June 2019 - 09:54 AM

Hi,

I have the same problem as you: all files on my QNAP NAS are encrypted (with .encrypt extension), with the same info file "README_FOR_DECRYPT.txt".

If you have any idea of how to decrypt files please share. I lost many important files.

 

Colbe


Edited by CLBe, 26 June 2019 - 09:55 AM.


#23 alew1s3


Posted 26 June 2019 - 10:07 AM

 

Ok. Please be patient until Demonslay335 has a chance to review the case SHA1 you provided. He may be able to gather some information by manually inspecting the files. He is inundated with support requests and it may take some time to get a reply.
 

-------------------------------------------------------------------------------------------------------------------------

OK Thanks a lot ~~~~have a nice day

 

Update 

Maybe not useful: I tried using GibonDecrypter. This tool says decrypt success, but no luck.

 

 

 

 

 

 

Guys MAYBE this screenshot helped me

 

Try using GibonDecrypter (link here: https://www.majorgeeks.com/mg/getmirror/gibondecrypter,1.html )

 

For me it "decrypted" my files but my programs can't open it...



#24 Amigo-A

    Security specialist and Ransomware expert


Posted 26 June 2019 - 10:22 AM

 

For me it "decrypted" my files but my programs can't open it...

 

 

This tool from 2017 is intended for another Ransomware, so it does not decrypt files in its current form.
Developer Demonslay335 is here.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#25 2Later


Posted 26 June 2019 - 12:55 PM

Hello,

 

Welcome to the "encrypted" club. My friend has the same problem as you: all files on my QNAP NAS are encrypted (with .encrypt extension), with the same info file "README_FOR_DECRYPT.txt".

Similar story - QNAP never updated and the router with UPnP, so almost all files are encrypted. The encryption date was the 21st of June. It's a pity - that was a very simple configuration without any supervision; as you know, on the QNAP you can make a storage pool and snapshots of any volume. But now..., maybe here we will find some help :)

 

Regards,

2Later



#26 Angeltak


Posted 26 June 2019 - 06:25 PM

Hi All,

 

Same problem for me

All files on my QNAP NAS are encrypted (with .encrypt extension)

I tried GibonDecrypter & AlphaDecrypter but can't decrypt :unsure:



#27 quietman7


Posted 26 June 2019 - 06:45 PM

Victims need to be cautious... using a faulty or incorrect decrypter (one intended for another type of ransomware) may cause additional damage or corruption of files.



#28 CLBe


Posted 26 June 2019 - 11:39 PM

My situation is not as bad as I thought. It looks like I have a copy of 95% of the files that have been encrypted. If it would help, I can provide many coded files, their original versions and checksums left behind. These are text files, documents, photos and more.

 

Colbe
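
Added example (not part of any post in this thread): a read-only Python inventory of an affected share that lists the `.encrypt` files and `README_FOR_DECRYPT.txt` notes reported above, hashes each encrypted file so copies can be verified before any tool touches them, and pairs each one with a clean copy from a backup tree of the kind described in post #28. It assumes the encrypted name is the original name plus `.encrypt`; `triage`, `share_root` and `backup_root` are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypt"         # extension reported in the thread
NOTE_NAME = "README_FOR_DECRYPT.txt"  # ransom note name reported in the thread


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large NAS files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(share_root, backup_root=None):
    """Read-only inventory: notes, encrypted files, backup pairs, mtime window."""
    share_root = Path(share_root)
    report = {"notes": [], "encrypted": [], "pairs": [], "window": None}
    for path in sorted(share_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(share_root)
        if path.name == NOTE_NAME:
            report["notes"].append(rel.as_posix())
        elif path.name.endswith(ENCRYPTED_SUFFIX) and path.name != ENCRYPTED_SUFFIX:
            stat = path.stat()
            report["encrypted"].append({"path": rel.as_posix(), "size": stat.st_size,
                                        "mtime": stat.st_mtime, "sha256": sha256_of(path)})
            if backup_root is not None:
                # Assumption: encrypted name = original name + ".encrypt".
                clean = rel.with_name(rel.name[: -len(ENCRYPTED_SUFFIX)])
                if (Path(backup_root) / clean).is_file():
                    report["pairs"].append((rel.as_posix(), clean.as_posix()))
    times = [entry["mtime"] for entry in report["encrypted"]]
    if times:
        report["window"] = (min(times), max(times))  # first and last modification
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    result = triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(len(result["notes"]), "notes,", len(result["encrypted"]), "encrypted files,",
          len(result["pairs"]), "with a clean backup copy; mtime window:", result["window"])
```

Run it against a read-only mount or a copy of the share; the script only reads files and never modifies or deletes anything.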



#29 Amigo-A


Posted 27 June 2019 - 01:22 AM

There is nothing that could directly indicate the alleged relationship with previously known ransomwares.

 

I made a description of this ransomware in the article Unnamed Encrypt Ransomware

 

The title of the article has a link to an English translation. The translation is provided by Google technology.


Edited by Amigo-A, 27 June 2019 - 01:24 AM.


 


#30 frankiewu61


Posted 01 July 2019 - 08:38 AM

Does anyone have any good news on this?

Or has anyone used a file recovery tool to save the data successfully?





