If you have a QNAP NAS, stop what you're doing right now and install latest updates. Do it before Qlocker gets you

QNAP has urged its customers to install and run its latest firmware and malware removal tools on their NAS boxes amid a surge in ransomware infections. Two file-scrambling nasties, Qlocker and eCh0raix, are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the …

  1. Mark 65

    Presumably...

    ...if you don't expose your NAS to the internet you're not so much at risk?

    I never saw the point in their "link through us to your NAS" functionality - seemed to provide two avenues of attack, an open port and a global aggregator of devices. A secure VPN is a much better idea.

    1. diodesign (Written by Reg staff) Silver badge

      Infection vector

      I've asked QNAP how exactly vulnerable boxes are being found by the ransomware. Presumably it's by scanning the internet for public-facing NAS machines, though I hate to assume that's the only way in.

      C.

      1. big_D Silver badge

        Re: Infection vector

        I would assume it is the main way.

        Malware on other devices that scan the internal network is another, but probably less profitable than searching for unpatched and unsecured boxes on the Internet - you only need to buy/program one set of malware to attack the QNAP, as opposed to having to use 2 chains of malware; although if you are already locking PCs and servers in a company, scanning for QNAPs as well doesn't hurt...

        1. Anonymous Coward

          Re: Infection vector

          People say security by obscurity does not work, but bots scan the net for known vulns all day, every day.

          I run ssh on a nonstandard port behind sslh and nobody bothers me.

          In theory I am vulnerable to every openssl bug but in practice I am left in peace.

          I have weak passwords but nobody tries them. I have a nonstandard login which expects a client-side env variable that thwarts you if you do guess the password.

          If you get in you get an uninspiring ARM-based nginx container with little storage or compute.

          A human would notice the WoL scripts that turn on the NAS, but humans ain't involved.

          Re intrusion detection: if my server wakes up it sings a little song with beep and sends me an SMS.

          If I want to log in from anywhere in the world I ssh with an easy-to-remember username and password using RC4 for perf and tunnel proper SSL.

          The company I work for runs Pulse VPN on remote.companyname.com, and employs staff round the clock to keep people out. Doh!

          1. nintendoeats Silver badge

            Re: Infection vector

            That only works because you have the knowledge and time to set up that whole rat's nest. By definition, not everybody can do something like that.

          2. fobobob

            Re: Infection vector

            The only time (that I'm aware of) that I've had a device get comped: I forwarded SSH (22) to a machine that I had forgotten had a user/pass combo test/test lying around. Several weeks later, the computer suddenly began DoS'ing... log analysis suggested it was entirely automated, and took around 8 hours (and many thousands of tries) to guess test/test after it was found (with maybe a few dozen entries from the weeks prior, almost entirely from myself).

    2. Version 1.0 Silver badge

      Re: Presumably...

      And don't just use one NAS, you need a second one to backup the first one.

      1. Mark 65

        Re: Presumably...

        Yeah, I've got the 3-2-1 approach covered but the pain could be tracking back when data went bad. My guess is that I'd see it in a large change-set sent to the cloud.
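The "large change-set" signal mentioned above can be checked mechanically before a snapshot is shipped off-site. The following is an added example, not code from the thread or from QNAP: it compares two snapshot manifests (relative path to SHA-256) and flags a run whose fraction of modified-or-removed files is far above normal churn, which is what a mass encryption or mass rename looks like from the backup side. The manifests, file names and the 20 percent threshold are all constructed assumptions.

```python
"""Flag a backup run whose change-set is far larger than normal churn.

Added example (not from the comment thread). A ransomware run rewrites or
renames most files in one go, so the fraction of files modified or removed
since the previous snapshot jumps well above a home NAS's usual daily churn.
Manifests map relative path -> SHA-256 of content; the sample ones below are
constructed inline.
"""
import hashlib
from pathlib import Path


def build_manifest(root):
    """Map every regular file below `root` (relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(previous, current):
    """Count files modified, added and removed between two snapshot manifests."""
    prev_paths, cur_paths = set(previous), set(current)
    modified = sum(1 for p in prev_paths & cur_paths if previous[p] != current[p])
    return {
        "modified": modified,
        "added": len(cur_paths - prev_paths),
        "removed": len(prev_paths - cur_paths),
        "total_previous": len(prev_paths),
    }


def assess(previous, current, threshold=0.20):
    """Return the diff counts plus a change ratio and a suspicious flag.

    Removed files count as changed because encryptors commonly write a new
    file with a different extension and delete the original. The 20 percent
    threshold is an assumed value; tune it to your own data set's churn.
    """
    stats = diff_manifests(previous, current)
    total = stats["total_previous"]
    ratio = (stats["modified"] + stats["removed"]) / total if total else 0.0
    stats["ratio"] = round(ratio, 3)
    stats["suspicious"] = ratio >= threshold
    return stats


def _h(text):
    """SHA-256 of a short constructed string, used to fake file contents."""
    return hashlib.sha256(text.encode()).hexdigest()


def sample_manifests():
    """Constructed manifests: a baseline plus three follow-up snapshots."""
    baseline = {f"docs/file{i}.txt": _h(f"content {i}") for i in range(10)}

    normal_day = dict(baseline)
    normal_day["docs/file3.txt"] = _h("content 3, edited")   # one edit
    normal_day["docs/file10.txt"] = _h("content 10")          # one new file

    # Every file rewritten in place, plus a note dropped in the folder.
    mass_rewrite = {p: _h(f"ciphertext {i}") for i, p in enumerate(baseline)}
    mass_rewrite["docs/README_FOR_DECRYPT.txt"] = _h("ransom note")

    # Every file replaced by a renamed copy; originals gone.
    mass_rename = {p + ".locked": _h(f"ciphertext {i}") for i, p in enumerate(baseline)}

    return {"baseline": baseline, "normal_day": normal_day,
            "mass_rewrite": mass_rewrite, "mass_rename": mass_rename}


if __name__ == "__main__":
    m = sample_manifests()
    for name in ("normal_day", "mass_rewrite", "mass_rename"):
        print(name, assess(m["baseline"], m[name]))
```

In practice you would persist the manifest from each run (build_manifest over the NAS share) and refuse to overwrite the off-site copy, or at least page someone, when assess() comes back suspicious; the kept snapshots then tell you exactly which run the data went bad in.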

        1. Peter-Waterman1

          Re: Presumably...

          I back mine up to AWS S3 Glacier which seems to be extremely cost-effective and provides an offsite backup. It's $0.004 per GB / Month. I can then restore to any point in time.

          1. Len
            Paris Hilton

            Re: Presumably...

            Isn't the problem with many of the online backup solutions that they are very cheap to upload to but very expensive to download from? Presumably because people want their backups to cost nothing but are willing to pay through the nose when disaster has struck.

            How is that with AWS S3 Glacier?

          2. tip pc Silver badge

            Re: Presumably...

            "It's $0.004 per GB / Month. I can then restore to any point in time."

            $192 for ~4TB per year.

            Probably not bad if you have a fast up and down internet connection, but far more expensive than two 4TB disks backed up locally.

            1. Anonymous Coward

              Re: Presumably...

              That last backup is for covering you for DR purposes. What happens if your house burns down? Power surge frying everything? Water pipe springing a leak all over your kit?

              If not cloud then your last backup destination should at least be at a different location.

              1. The Basis of everything is...
                Go

                Re: Presumably...

                As I have mentioned previously, an RPi 2B or later running Bacula and using USB hard drives makes a great little backup server.

                While one USB drive is in use, the other is kept in a box in the garage (which in my case is not attached to the house) so that if the worst happens I still have data. And if something is able to take out my house and garage at the same time then I'm probably not going to be caring too much about getting any data back.

                And I believe that Bacula is also available for the QNAP, it can even run the server component on there.

            2. katrinab Silver badge
              Mushroom

              Re: Presumably...

              Sure, but if there is a fire, it will take out both your NAS and your backup disks.

    3. Plest Silver badge

      Re: Presumably...

      Backups are all well and good provided they're versioned. No point in backing all that data up...only to find there's only a single version and it's AFTER the nasty has encrypted everything.

      If I was coding some ransomware I'd make one thing look innocent and unaffected: the victim's ability to back up, so they think they're safe. Then I'd get an extra kick out of watching them try to restore only to find they're right back where they started and still need to pay me. Not nice, but when dealing with the vile pond scum that do this sort of thing to make a living, you have to have some empathy and think like one of them.

      1. Fred Daggy Bronze badge

        Re: Presumably...

        That's exactly what they do. One of the first things targeted is the backup infrastructure. Own that, then move on.

        Tapes. Lots of lovely tapes. DVDs with key and critical software, keys, lists. Printed lists of keys. Tapes (they are so good, I mention them twice) off-site and secured. Tapes, tested restores.

  2. Pascal Monett Silver badge

    "follow the 3-2-1 rule on backups"

    Interesting. That's the first time I've heard of this rule.

    Up to now, for me the rule had always been a backup a day, a backup a week, a backup a month. 7 tapes for daily, 4 tapes for weekly, 12 tapes for monthly.

    Granted, I'm not a network guy, much less a backup guy, but that seemed reasonable to me.

    For a company, of course. For private individuals you'll be lucky if they have a backup of any sort on optical discs. I have a friend who told me he did his backups on an external HDD. I then proceeded to explain to him in great detail that an external HDD is a magnetic surface, subject to loss of information, and is not certified to be a backup platform in any way. An optical RW disc is.

    I'm still not sure he does his backups on an RW CD or DVD.
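The daily/weekly/monthly rotation described above, applied to dated snapshots on disk rather than to physical tapes, as an added example that is not part of the original post: it decides which snapshot dates to keep under 7 daily, 4 weekly and 12 monthly slots and which to prune. The assumptions are at most one snapshot per day, a week's slot filled by the newest snapshot of that ISO week, and a month's slot by the newest snapshot of that calendar month; the sample run of dates is constructed.

```python
"""Daily/weekly/monthly retention for dated backup snapshots.

Added example (not from the comment thread). It applies the 7-daily,
4-weekly, 12-monthly rotation described above to snapshot dates rather than
physical tapes. Assumptions: at most one snapshot per day; a week's slot is
filled by the newest snapshot of that ISO week and a month's slot by the
newest snapshot of that calendar month.
"""
from datetime import date, timedelta


def _newest_per_bucket(dates_desc, key):
    """Yield the newest date of each bucket; buckets come out newest first."""
    seen = set()
    for d in dates_desc:
        k = key(d)
        if k not in seen:
            seen.add(k)
            yield d


def gfs_keep(snapshot_dates, today, daily=7, weekly=4, monthly=12):
    """Return the set of snapshot dates to retain; everything else is pruned."""
    dates = sorted({d for d in snapshot_dates if d <= today}, reverse=True)
    keep = set(dates[:daily])                       # newest N days
    weeks = _newest_per_bucket(dates, lambda d: d.isocalendar()[:2])
    keep.update(list(weeks)[:weekly])               # newest per ISO week
    months = _newest_per_bucket(dates, lambda d: (d.year, d.month))
    keep.update(list(months)[:monthly])             # newest per month
    return keep


def gfs_prune(snapshot_dates, today, **slots):
    """Return, oldest first, the snapshot dates the rotation would delete."""
    keep = gfs_keep(snapshot_dates, today, **slots)
    return sorted(d for d in snapshot_dates if d not in keep)


def sample_snapshots(today=date(2021, 4, 29), days=120):
    """Constructed run of one snapshot per day ending on `today`."""
    return [today - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    today = date(2021, 4, 29)
    snaps = sample_snapshots(today)
    kept = sorted(gfs_keep(snaps, today))
    print(f"{len(snaps)} snapshots, keeping {len(kept)}:")
    for d in kept:
        print(" ", d.isoformat())
    print(f"pruning {len(gfs_prune(snaps, today))}")
```

Run it daily after the new snapshot lands and delete what gfs_prune() returns; because a week's newest snapshot is always the last day of that week once the week is over, the choice stays stable from one day's pruning to the next. Note that the pruning step itself needs write access to the snapshot store, so it belongs on the backup server, not on the machine being backed up.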

    1. FILE_ID.DIZ
      Boffin

      Re: "follow the 3-2-1 rule on backups"

      And your tape setup is reasonable.

      3-2-1 has been Veeam's mantra for years. I don't know if they came up with it or just made it (better) known.

      Unlike your scenario using tape, software in charge of data stored on hard drives is very mutable in most cases. E.g.: laptop, desktop, NAS, traditional SAN LUNs mounted as a drive to a server, iSCSI targets mounted as a drive to a server, even VMware datastores mounted to a vulnerable ESXi (CVE-2019-5544 and CVE-2020-3992) host.

      Tapes, on the other hand, can't be touched by software, especially if they're not loaded in a drive.

      In a viable Veeam setup, that off-site location better be designed so that it isn't reachable in the same manner that your two local-site storage devices are.

    2. Gotno iShit Wantno iShit

      Re: "follow the 3-2-1 rule on backups"

      That's a good scheme, but I would say that as it's the one I used to use. Grandfather, father, son scheme was it called? Too long ago. I do remember it was awfully expensive on tapes at the start as for us each 'tape' was actually 12 DDS3 in a pair of autoloaders. HP were putting vouchers in the tape packs; I and one other at work got a freebie Palm Pilot when that was quite an expensive score.

      We added a twist to avoid age-related tape failures. I can't remember the exact sequence now, but after the initial setup month we'd open a new set of 12 tapes every 4 weeks. The new set got used in the daily group x times, then y more times in a weekly slot on the rota, then when it was written as a monthly it was retired, i.e. all monthly backups kept indefinitely. Sure they'd fail eventually but it improved the chance of that failure being outside the 12 months.

      Backups on external HDDs are fine so long as you don't use them to archive data. All my data at home going back 30 years is kept on live spinning rust on a RAID5. Offsite backups on external HDDs only need to last as long as the cycle time of the three HDDs.

      Archiving to HDD = goodbye data.

    3. big_D Silver badge

      Re: "follow the 3-2-1 rule on backups"

      3-2-1 has been the standard mantra for backups for well over a decade.

      For my home systems, I sync from SSD to HDD, from HDD to NAS and from SSD to a cloud backup, plus sync with OneDrive.

      My daughter uses Backblaze on her Mac, after having been supplied with OneDrive and USB sticks by me, but still having her dissertation only on her MacBook and then putting it in a backpack with an open coffee thermos mug and shaking it up...

      1. katrinab Silver badge
        Happy

        Re: "follow the 3-2-1 rule on backups"

        Set her up with a Time Machine backup. Then it will just do the backup any time the laptop is connected to the same network as it, without her needing to do anything.

        1. big_D Silver badge

          Re: "follow the 3-2-1 rule on backups"

          Backblaze does the same thing, only on any network she is on and if the house burns down or they get robbed, the data is still there...

          A Time Machine backup only fulfills part of the requirements for a backup. With OneDrive and Backblaze, you have 3 copies, on 2 different media and 1 offsite (calling a SAN array on the other side of the world a different medium to the local SSD).

    4. Adelio Silver badge

      Re: "follow the 3-2-1 rule on backups"

      Hard to do an optical backup when you have more than a very small amount of data.

      CD 600MB, DVD 4/8GB. My goodness, just my photos take up > 380GB.

      I used to do optical backup in the day, but I ended up with a LOT of discs (CD).

      1. Binraider Silver badge

        Re: "follow the 3-2-1 rule on backups"

        BD-DL (50GB) and BD-XL (100GB) are available. Not as cost-effective as earlier optical media were, unfortunately. But when it's otherwise irreplaceable data there's an argument for it.

        I said to hell with it and got what was a 2 generation old LTO drive. 1.5TB uncompressed per tape. The drive itself is expensive, but that qty of storage for not a lot of cost per tape is rather good.

        Irritating that the software is rather finicky to get working on anything other than RHEL 7 or Windows. Quantum removed the source download from their website (but did send me it on raising a tech support query). Not that I ever quite got it working on anything other than RHEL7.

    5. Anonymous Coward Silver badge
      Holmes

      Re: "follow the 3-2-1 rule on backups"

      Backing up to optical media was always cumbersome and thus users simply wouldn't do it. Especially when a backup spanned multiple disks.

      Using an external HDD and some scripting is far more convenient, and it's just as safe as long as you UNPLUG the disk when not actively backing up and have MULTIPLE disks that you cycle through.

  3. Snake Silver badge

    Oh, look!

    Yet another vulnerability discovered on my QNAP NAS box while they work SO hard in giving us additional modules we didn't ask for in the first place.

    Thanks, QNAP!

    1. Anonymous Coward

      Re: Oh, look!

      Apart from QuTS Hero. They're likely not giving you that on anything but new hardware.

      I still haven't forgiven the woeful issues I had with QTS 4.4 failing to properly support one of their network expansion cards. Links went up and down like a yo-yo. After that was fixed it then went about 7 days before locking up the box. They tried to pin it on me or my memory upgrade: not QNAP RAM, so it's at fault. Clean memtest, no issues with the card on 4.3.6, Ubuntu Live etc. Somehow still my fault. Then the fix came, but stability still did not. There were memory issues, but I suspect it was a bug in the driver corrupting an address it shouldn't be playing with. I ripped the card out and no problems since. Card plays fine with Linux.

  4. Korev Silver badge
    Big Brother

    What is it about QNAP NASes that makes them so vulnerable to this kind of attack? Synology and their other rivals don't seem to have the same kind of problems.

    1. gerdesj Silver badge
      Childcatcher

      "Synology and their other rivals don't seem to have the same kind of problems."

      I'll put money on it that they do have the same sort of problems. If you are not seeing updates and public announcements about them then run away!

      1. Anonymous Coward

        All of them do because they make their own tweaks to the OS to provide "usability".

        The reality is you should just buy your own case and run a Debian or BSD NAS distro. The only added steps you have are the time to plug the stuff up (can you match shapes like a 2-year-old?) and installing the NAS distro (can you read a 10-minute tutorial?). After that the UIs on all these NAS distros have similar if not identical learning curves, so most of your time will still be stuck reading anyway.

        As for the article, I'm betting this is because they f***ed up permissions in regards to jails in some manner (or owners should hope it's something that simple).

    2. JWLong

      What is it with QNAP

      Cheap shit without "secure network deployment to facilitate data management."

  5. Anonymous South African Coward Silver badge

    The idea of having "cloudy" services in order to provide a better NAS experience is not a good idea, it exposes your NAS directly to the Wild Wild Web.

    I prefer to hide my NAS completely behind a firewall and have users VPN in to access their files.

    That extra step (VPN) is just a safeguard keeping malware and ne'er-do-wells away from my data.

    And, of course, backups.

  6. Trigun

    Although I don't have a QNAP (I've got a Synology instead), a short while ago I moved my website and other web-related stuff from my NAS to GoDaddy (for now). Amongst the reasons for doing this was that directly exposing my NAS to the interwebs on 80/443 made me uncomfortable. I also want to store unrelated web data on the NAS, and mixing that and a web server seemed a tad risky for obvious reasons.

    I feel bad for people with a QNAP at the moment.

  7. iGNgnorr

    QNAP going downhill

    My first NAS was a Drobo. After this stuffed itself, I went for a QNAP. It has been much better than the Drobo. Until recently.

    A non-functioning Drobo sometimes recovers by itself if left disconnected in a cool dark place for several months (seriously!) Mine actually did so, and it is now a backup for the QNAP - and powered off 99% of the time.

    A few months ago, QNAP updates started breaking things. Sometimes they'd get fixed, then broken again (broken timestamps on files copied to an SMB-connected drive, for example). Their huge failure in putting hard-coded credentials in the Hybrid Backup Sync is just the icing on the cake. QNAP seem to have abandoned any pretence of quality control.

    The aforementioned Hybrid Backup Sync arrived unasked for on my QNAP. Luckily for me, I decided to disable it just a few days ago, as for me it is completely useless. I also don't actively use any of the internet-facing aspects of the QNAP, although it is well-nigh impossible to have a NAS which has no internet access at all: it is no use whatsoever if it isn't on a network, and unless you are going to run more than one network, that network is going to be connected to the internet.

    My QNAP is currently off, and to the best of my knowledge unaffected by this malware, but later today I'm going to disconnect my wired LAN from the router, and investigate thoroughly.

  8. chivo243 Silver badge
    Thumb Up

    Timely

    Just wrote an RFC to update our QNAP yesterday for updating today! I logged in to change a setting and saw the message "new firmware available"; job done!

  9. 42656e4d203239 Bronze badge

    I have a Qnap

    And I don't have the issue: not connected to the internets, not running HBS3, which had the hard-coded backdoor.

    Stability - hmmm.

    Had a disk backplane fail (known weakness in components) and a system fan fail (known bug) both replaced under warranty.

    Getting another one (more fool me? perhaps, but they are cheap and do the job for iSCSI backup storage)

    I can't see what the attraction is to running "apps" on a NAS box, and can't even begin to work out why you would want it available to all and sundry when trusting a third party to 'secure' it? QnapCloud, I am looking in your direction. If I were going to connect it to the wild wild web, it would be through a VPN of my choosing and configuration (WireGuard anyone?).

    1. nintendoeats Silver badge

      Re: I have a Qnap

      The advantage of running programs on a NAS is that it is a small, low-powered, always-on appliance. For example, I run SVN, MySQL, and a UT99 server off my NAS. Otherwise, I would have to run all these things off my PC (which uses more power and is therefore not always-on) or set up yet another box (which uses more power and will need to find a home somewhere in the apartment).

      1. Steve K Silver badge

        Re: I have a Qnap

        Also ContainerStation is great

        1. nintendoeats Silver badge

          Re: I have a Qnap

          Container station WOULD be great if it didn't remap your NAT ports every time you restarted a container.

    2. Sandtitz Silver badge
      Happy

      Re: I have a Qnap

      "I can't see what the attraction is to running "apps" on a NAS box"

      The NAS box is usually just a headless Linux server. Some of those apps are in fact quite useful for me as a domestic user:

      Cloud Sync downloads my (and my wife's) cloudy images and other stuff directly to the NAS; a RADIUS server for 802.1X authentication on my home network; the surveillance plugin for DVR usage with a couple of IP cameras.

    3. katrinab Silver badge
      Happy

      Re: I have a Qnap

      Get a cheap PC, retired ancient desktop is fine. Put FreeBSD or TrueNAS (FreeBSD variant with a nice web interface) on it. Populate it with as many disks as you can fit inside. Use that as your NAS.

      I have a pair of i7-3770s each with 32GB RAM. That is waaaaay more computing power than you need to run a FreeBSD NAS.

      1. nintendoeats Silver badge

        Re: I have a Qnap

        Yes, and therein lies the problem. When it comes to an always-on computing appliance, too much is too much. I keep my NAS in a closet. The power brick is rated for less than my normal computer draws at idle.

        A dual-i7 machine needs to be properly cooled, will make more noise unless you invest a lot of money in big coolers, will draw lots of power, and will be much larger than a toaster (a 4-bay NAS isn't much larger than if you took 4 HDDs and put some thick paint on them). Also, if you don't already have such a machine, it will cost you more than you first expect to buy it.

      2. Down not across Silver badge

        Re: I have a Qnap

        HP used to have nice cashback offers on their Microservers which made nice little NAS boxes (assuming 4 bays is enough).

        Mine (old NxxL AMD models) are running nas4free and have been (knock on wood) totally trouble-free, after adding an Intel gigabit card (as the onboard one chokes on large transfers).

  10. pc-fluesterer.info
    FAIL

    Hard-coded login credentials - ouch!

    some may call it a backdoor.

    I for one would never ever buy a NAS off the shelf, not from QNAP nor S...ology nor the rest of the gang.

    After all, there is OpenMediaVault. You can install it on a RasPi and tailor it to exactly your needs. Mission accomplished.

    1. iGNgnorr

      Re: Hard-coded login credentials - ouch!

      "After all, there is OpenMediaVault. You can install it on a RasPi and tailor it to exactly your needs. Mission accomplished."

      Have you actually done this? There's slightly more to a NAS than sticking some software in a Pi. How about getting an SSD-cached four-disk RAID setup working on it, for a start. Or two Ethernet connections.

      Is OpenMediaVault actually more secure than a commercial NAS? While QNAP's screw-up here is appalling, there is no guarantee that *anything* else won't have security issues.

      1. Anonymous Coward

        Re: Hard-coded login credentials - ouch!

        OpenMediaVault works pretty well so long as your hardware matches what you want to do with it. I've got it running on three different devices: an old PC with two hard discs, an ODROID HC2 with a single disc, and an ODROID HC4 with two discs.

        I've got it set up so I end up with a minimum of two recent backups of my main backup, because a few years ago, I had a microwave die and take out a TV and a raspberry pi on the same mains spur at the same time, even though the RCD triggered. I didn't actually lose any data then, but it made me think...

        Speaking for myself, until the Pi 4, I wouldn't have considered running OMV on a Raspberry Pi, and even now, I'd go for the ODROID HC4 or an old PC instead, so that you can have a "proper" SATA controller with at least two channels.

      2. wub

        Re: Hard-coded login credentials - ouch!

        "Have you actually done this? There's slightly more to a NAS than sticking some software in a Pi. How about getting a SSD cached four disk RAID setup working on it for a start. Or two ethernet connections."

        I am constantly amazed at how much functionality is available from Pi-like small systems. I personally prefer ODROID C2s, because they have much better throughput for streaming situations. And if you are thinking of setting any kind of small server system up, give at least a couple of minutes to DietPi.

        Despite the name, they have good coverage of a large variety of small systems, and although I have not tried all of their pre-configured software by any stretch, everything I have tried "Just Works". The Nextcloud installation process consists of selecting it from a list and clicking install. After that, Nextcloud is ready for you to log in as administrator and start setting up users - all the dependencies including a SQL server are taken care of for you.

        I use a C2 for my firewall, using a USB3-ethernet dongle. I don't know where it will top out, but it can keep up with my cable modem at 200 Mbps, which has been good enough so far.

    2. nintendoeats Silver badge

      Re: Hard-coded login credentials - ouch!

      Look into the performance of doing this. To get full disk speed out of a RAID setup, you need to add a RAID card which is neither convenient or economical.

  11. Steve K Silver badge

    Firmware Update

    Latest QTS (28/04/21) firmware now sets auto update of Firmware and AppCentre Apps by default (so user has to consciously turn off).


Biting the hand that feeds IT © 1998–2022