eCh0raix Ransomware - QNAPCrypt/Synology NAS (.encrypt) Support Topic


1197 replies to this topic

#31 quietman7


Posted 01 July 2019 - 03:24 PM

There is nothing new to report that I am aware of.

 

In some cases the use of file recovery software such as R-Studio, Recuva or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...however, it never hurts to try.

 

Important Note: The more you use your computer after files are deleted, encrypted or corrupted the more difficult it will be for data recovery programs to recover any deleted, unencrypted and uncorrupted data. The less that is done with the hard drive between the time of the data loss and the attempted recovery, the more likely it is that some or all of the files can be successfully recovered. The more the hard drive with the lost data is used, the less chances of recovery. This is because there is a greater risk that new data can be written to the drive, overwriting and destroying deleted files that could have otherwise been recovered. When you delete a file, its content physically remains intact on the media, but the occupied space becomes marked as free. The next file saved to the disk may overwrite the contents of the deleted file. Therefore, the sooner that data recovery is attempted after a loss the greater the possibility that data can be successfully recovered. It is also very important to make sure that no application (including the recovery program) writes to the drive or partition where the deleted file is located since every new file may overwrite the deleted file.

The chances of success will be greater if the drive is not defragmented and if you install and use a data recovery program on a drive other than the drive you want to recover files from (i.e. second hard drive, separate partition or USB flash drive), otherwise it could overwrite recoverable files. You could also "slave" the original hard drive and install the software on the new drive.
 


Microsoft MVP Alumni 2023
Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


 


#32 auleevN


Posted 02 July 2019 - 02:08 AM

Hi from France, I'm in the club too.

 

In my NAS's web folder, I've found the screenLog of what happened and when it happened. I've found other files too (qnappoola and qnapsystem.php).

Given my sys log, I think they used myQNAPcloud access; if it's true, QNAP has to give explanations.

 

Does someone need to see qnappoola or the PHP file?

 

PS: 800 Giga encrypted... pictures, work, years of everything encrypted. It hurts so bad, but it's OK.



#33 wizdawg


Posted 04 July 2019 - 09:50 PM

Similar story here and looking for help. Any news? I logged into my QNAP TS-251+ (4.3.1.0695 Build 20180830) on 7/2/2019 to find almost all of my files encrypted. It appears the only file types not encrypted are *.mp4 and *.3pg videos, and a very few other miscellaneous documents. I unfortunately didn't have a backup. All encrypted files end in ".encrypt". There is a text file named "README_FOR_DECRYPT.txt" in every folder. The TOR website URL in the text file brings me to a page where I'm to pay 0.06 Bitcoin to get my files decrypted.

 

I've used ID Ransomware and if I upload the ransom note it gives 2 results: CryPy or KeRanger.  If I upload an encrypted file it says it's Alpha.

 

If I put the URL found in the "README_FOR_DECRYPT.txt" into ID Ransomware, it reports back:

Unable to identify, Please reference this case SHA1: 2b77739726674548429355e6dab6d91e1a6551c5

 

I have a remote session scheduled tomorrow with Proven Data Recovery where they are supposed to provide a free evaluation to determine if they can recover my files.  If they state they can, do you think it's wise to proceed with them?  I am devastated to have lost all my personal and family photos, as well as a good amount of personal documents and records.  More than 20 years of digital photos, encrypted.

 

Thank you.


Edited by wizdawg, 04 July 2019 - 10:01 PM.
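
Added example, not part of any post in this thread: a read-only Python inventory for sizing up the damage described above, using the two indicators reported here (the `.encrypt` suffix and `README_FOR_DECRYPT.txt` in each folder). It only lists directories and calls `stat()`, so it writes nothing to the affected volume, and it goes slightly beyond the posts by using the modification times of the `.encrypt` files as a rough estimate of when encryption ran. The names `triage` and `build_sample_tree` and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile
from collections import Counter

NOTE_NAME = "README_FOR_DECRYPT.txt"  # ransom note name reported in this thread
ENC_SUFFIX = ".encrypt"               # suffix reported in this thread


def triage(root):
    """Summarise damage under root using only directory listings and stat()."""
    encrypted, note_dirs = 0, 0
    intact = Counter()          # extension -> files that kept their original name
    first, last = None, None    # mtime range of *.encrypt files
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            note_dirs += 1
        for name in files:
            if name == NOTE_NAME:
                continue
            if name.endswith(ENC_SUFFIX):
                encrypted += 1
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            else:
                intact[os.path.splitext(name)[1].lower() or "(none)"] += 1
    return {"encrypted": encrypted, "note_dirs": note_dirs,
            "intact_by_ext": dict(intact), "window": (first, last)}


def build_sample_tree(base):
    """Constructed sample data: a tiny share laid out like the reports above."""
    layout = {
        "photos": ["a.jpg.encrypt", "b.jpg.encrypt", "clip.mp4", NOTE_NAME],
        "docs": ["tax.pdf.encrypt", "notes.txt", NOTE_NAME],
    }
    stamp = 1561500000  # arbitrary constructed timestamp
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            path = os.path.join(base, folder, name)
            with open(path, "w") as fh:
                fh.write("x")
            if name.endswith(ENC_SUFFIX):
                os.utime(path, (stamp, stamp))
                stamp += 60
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # sample tree lives off the NAS
        print(triage(build_sample_tree(tmp)))
```

On a real share, run it from another machine against a read-only mount and keep the output off the affected drive; the file types that survived intact show up under `intact_by_ext`.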


#34 frankiewu61


Posted 05 July 2019 - 12:16 AM

> Similar story here and looking for help. Any news? I logged into my QNAP TS-251+ (4.3.1.0695 Build 20180830) on 7/2/2019 to find almost all of my files encrypted. It appears the only file types not encrypted are *.mp4 and *.3pg videos, and a very few other miscellaneous documents. I unfortunately didn't have a backup. All encrypted files end in ".encrypt". There is a text file named "README_FOR_DECRYPT.txt" in every folder. The TOR website URL in the text file brings me to a page where I'm to pay 0.06 Bitcoin to get my files decrypted.
>
> I've used ID Ransomware and if I upload the ransom note it gives 2 results: CryPy or KeRanger. If I upload an encrypted file it says it's Alpha.
>
> If I put the URL found in the "README_FOR_DECRYPT.txt" into ID Ransomware, it reports back:
>
> Unable to identify, Please reference this case SHA1: 2b77739726674548429355e6dab6d91e1a6551c5
>
> I have a remote session scheduled tomorrow with Proven Data Recovery where they are supposed to provide a free evaluation to determine if they can recover my files. If they state they can, do you think it's wise to proceed with them? I am devastated to have lost all my personal and family photos, as well as a good amount of personal documents and records. More than 20 years of digital photos, encrypted.
>
> Thank you.

 

I tried to use R-Studio to make a virtual RAID to scan my disk, but no good luck.



#35 uladh


Posted 05 July 2019 - 12:54 PM

Exactly the same problem with a QNAP TS219 NAS - a large proportion of the files are now .encrypt.  That's a hassle I thought but I've got a backup of the NAS on an external USB disk connected to it.  Except I didn't check the backup settings and it has backed up all the files that are now changed to .encrypt and I don't have the originals... Doh!  Any updates if people have managed to resolve this, appreciated...



#36 wizdawg


Posted 05 July 2019 - 01:50 PM

I am in the middle of speaking with Proven Data Recovery.  Once I hear back from them I will report on whether they state they can recover or not.  I imagine I'd have an answer by Monday or before.



#37 uladh


Posted 05 July 2019 - 03:04 PM

> I am in the middle of speaking with Proven Data Recovery. Once I hear back from them I will report on whether they state they can recover or not. I imagine I'd have an answer by Monday or before.

 

That would be great - it would be interesting to know if they can decrypt the files or if their approach relies on recovering deleted unencrypted files.



#38 quietman7


Posted 05 July 2019 - 04:18 PM

Bleeping Computer cannot vouch for those who claim they can decrypt data or help in other ways. We have no way of knowing the background, expertise or motives of all companies or individuals who indicate decryption is possible. We can only advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money to anyone.

While the individual or company may be legitimate, our experts have found that some who claim they can decrypt your data actually represent ransomware recovery services which just pay the criminals and pretend they cracked the decryption. In many cases these individuals or companies attempt to charge the victim even more than the ransom demands of the criminal, while others hide the actual ransom cost from victims. A member posted here claiming to be with a company which could decrypt data...when asked to provide specific details as to who they were and how the service worked so we could confirm if the offer was legitimate, never responded to our inquiry.

Others who offer to help may just be scammers who instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files, collect the victim's money and are never heard from again...many malware developers do the same. In fact some of these criminals even read through and post in our forum topics in an attempt to get victims to pay them. So while there have been some victims who have reported success stories working with and using various data & disaster recovery services, others have not been as fortunate. Again, use caution with whomever you are dealing with.
 

 




#39 Guyhaj


Posted 07 July 2019 - 03:48 AM

Same problem here: TS 253B, V 4.3.6

All files .encrypt 

2TB family photos and videos from last 30 years.



#40 zerocool64


Posted 07 July 2019 - 05:05 AM

Has anyone opened a case with QNAP support?



#41 Guyhaj


Posted 07 July 2019 - 09:28 AM

Infection date June 07
 
All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/12zUXe6TDB5MSW4VJDq5NZv1jVyqA1gC2U
Use TOR browser for access .onion websites.
 
 
 
Do NOT remove this file and NOT remove last line in this file!
E+Z03/uBSAY26U0eQ/G7QpxQ1KINoBIr7L6Y85LpVv4LaK2VvB8P6O9AxXqAR7eDDbFgvFxkyz1XVP+iyoOQ/w==

Edited by Guyhaj, 07 July 2019 - 05:58 PM.


#42 wizdawg


Posted 07 July 2019 - 09:46 AM

> Has anyone opened a case with QNAP support?

 

I called QNAP and spoke to someone following the technical support phone prompts.  I asked if they were aware of an issue and if they could provide any help.  I mentioned this thread and told them there were 10 people as of 6/22 who had experienced the exact same thing; isolated to the QNAP NAS only. They were of no help in resolving the encryption issue.  Just stating this can happen.

 

The one thing they did help me with was changing the default port on the QNAP from 8080 to something else. I had tens of thousands of failed log-in attempts showing in the Event Notifications. An attempt every few seconds. Changing the port resolved that issue.

 

I'm still expecting a call back from Proven Data. At their request I was able to provide them with 10 encrypted files and I found 10 unencrypted original files. The conversation was sounding very promising up until all malware/virus scans were unable to find the executable virus. They kept referring to this as the drop file. Without the drop file, it didn't sound good.

 

Does anyone know the probability or success rate of paying the ransom and actually getting the decrypter?  As an absolute last resort I will likely try this even if there is the slightest chance of it working.  It is just devastating to lose all these family photos.



#43 lucagiroletti


Posted 07 July 2019 - 12:28 PM

I'm in the club and I'm not happy! All pictures/videos of my family encrypted.

 

QNAP TS-451+

Infection date: 2019-06-26

Same as someone already explained: a lot of failed logins that day.

On all my 3 PCs I have Kaspersky Total Security installed and also on tablet and phone.

Kaspersky support ticket opened: waiting for second reply. Encrypted and unencrypted files sent.

QNAP support ticket opened: they asked me to send the log from the helpdesk app and I did it. I informed QNAP that I'm following this forum.

Below is the text of my README_FOR_DECRYPT.txt

 

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/1JdTQG7aMHJWJsxFi6bVEr5jGQPAU2sVYc
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to


Do NOT remove this file and NOT remove last line in this file!
sc2dShujuCE1gpxjcpHGx8sI0AnOlaKCq9cu4hw75FzhODVOmKak270IPDc3cZQ8Z3Ky6CnP+5troT+GnpZzXg==



#44 Anonymous3856


Posted 08 July 2019 - 08:15 AM

Same Problem as everyone else. 

Model: TS 251 

FW V:  4.3.6

 

Not sure on the infect date.  Sometime in late June

 

All files encrypted with .encrypt  with the exception of .mp4 files.  



#45 PINN


Posted 08 July 2019 - 10:02 AM

I also was hit in late June. I was about to pay. ~$650 is what is being asked for in bitcoin. Anyone have any advice or success in paying?





