
Here is what to do if hackers have encrypted your NAS server


Alexander Sverdlov

Security Analyst

24.06.2020

"Our QNAP NAS server was hacked and encrypted. Please help! Can we recover our data?"

or

"Our ASUSTOR NAS server was attacked by ransomware. Please help! Can we recover our data?"

Here is how you can recover files from a hacked and encrypted NAS server. It doesn't necessarily need to be QNAP – but that brand was hit particularly badly in June 2020. Please note – the server is a crime scene, exactly like the ones you have seen on TV. You should take caution when 'touching' it, as every move you make in and around the hacked machine is tampering with:

  1. The evidence that can show how it happened, why, and how you can prevent it in the future
  2. The chances of recovering the files from that server

Here is how these hacks usually happen and how NAS servers get encrypted by hackers

Hacking and encrypting NAS servers is incredibly profitable for criminals around the world. The risks are low, and the chances of a financial reward when the victim pays the ransom are high. If they encrypted some poor bloke's home computer, chances are it will simply get reinstalled. But if they encrypt a company's NAS storage, the data in it is vital to the company's operations and, if not restored, could even mean the business going bankrupt. As hackers operate with Bitcoin or other cryptocurrencies, it is incredibly difficult (but not impossible) to trace the money back to them.

They look for vulnerable NAS servers around the world using automated vulnerability scanners and by trying to guess their passwords. Once a vulnerability is found, or a password is guessed, they log in and run an encryption program.

[Image: NAS encrypted by ransomware attack pattern — source: attack.mitre.org]

The image above is a technical diagram of how hackers attack a NAS server before encrypting all the data on it. What you should be looking at as the initial vector of compromise is the first column: "Initial Access." If you ask "how it happened" – the answer usually lies there.

NAS ransomware has become an industry of its own

What started as opportunistic attacks has matured into well-organized ransomware campaigns specifically engineered to target NAS devices. The QLocker campaign of April 2021 compromised tens of thousands of QNAP devices within days, using the 7-Zip utility to archive files into password-protected containers — a technique deliberately chosen to evade traditional ransomware detection tools. DeadBolt, which emerged in early 2022, went a step further: it targeted both QNAP and ASUSTOR devices, operated without a command-and-control server to reduce the attackers' exposure, and displayed a ransom note directly on the NAS login page. The eCh0raix family (also known as QNAPCrypt) has been active since 2019 and is updated regularly to exploit newly disclosed vulnerabilities. These are not amateur operations — they have customer support portals, payment tracking systems, and in some cases, volume discounts for organizations with multiple encrypted devices. Knowing this context changes how you should approach the incident: you are not dealing with a script kiddie; you are dealing with a professional criminal business.

Hackers usually have more goals than encrypting your NAS.

What are they?

  1. Making money
  2. Keeping control of the server until they make money
  3. If the victim refuses to pay, they must 'convince' the victim to do it. How?
    1. They take a copy of all data before encrypting it and download it to their computers.
    2. This data is then analyzed for blackmail opportunities. They could blackmail the victim company and/or its clients. So you see how quickly their monetization opportunities grow.
    3. We have also seen cases where the hackers start blackmailing the company's employees and management with personal data found in the stolen data.
  4. If you change all passwords on that NAS server, it's still not secure. Hackers usually install hidden backdoors in the server. Those backdoors or rootkits then monitor every login, see every new password entered, and can regain control of the server any time they want.
  5. If they don't make money by ransom, they can still utilize the server for 'mining' cryptocurrency, in other words, use its computing resources. We have also seen cases where compromised NAS storage servers were used to distribute adult pornography or pirated content for which the victim company could be liable.

Data exfiltration means you also have a legal problem

If the NAS server held any personal data — employee records, client information, contracts, payment details, or health records — the data theft component of the attack is not just a business problem. It is a regulatory one. Under the GDPR, and equivalent legislation across many jurisdictions, organizations are required to report a personal data breach to their supervisory authority within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly. Failing to report — or reporting late — can result in fines that compound the financial damage of the attack itself. Before you focus entirely on recovery, assign someone to assess what categories of personal data were stored on the server and whether your regulatory notification clock has already started. This is often overlooked in the chaos of an incident, and it is one of the most expensive mistakes you can make.

Every second the server is running, you risk the following:

  1. The Operating System, the applications installed, and the services running produce thousands of write operations per second. Every write operation overwrites recoverable files; this is how operating systems and applications work. Every second the compromised NAS server is powered on, you lose more and more of the recoverable data. Power it off!
  2. Make a forensic copy of the disks. If it is a virtual machine, you are in luck – just copy (a full copy, no snapshots!) the virtual machine. Then make a bit-by-bit copy of the virtual machine disk file. Use FTK Imager to make a forensic copy of any disks, files, or virtual machines. Use a regular copy only if using forensic imaging software is impossible.
  3. If possible, do all of the above while making sure the network is disconnected. Even if you changed all passwords for accessing the server, if there is a rootkit or a backdoor installed, the hackers are with you there and can continue causing damage, leaking data, encrypting files again.
  4. Start the recovery process by powering on a new server with a copy of the copy of the disks. Alternatively, power on a copy of the copy of the virtual machine. Never touch the original copy of the infected server's drives! It is your only chance of having untampered evidence and untampered data to work with for the file recovery.
  5. Never trust the originally infected or compromised NAS server again. Hackers are incredibly good at hiding backdoors – some have taken up to 8 years to be discovered by security companies. Consider ALL passwords ever used to access that NAS server compromised – never use them again, and if you still use them somewhere else, change them, because the hackers now know them. If you used a pattern, never use that password pattern again. Any credentials used by your IT team to access that server are now possibly compromised. They should also be changed to an entirely new password. No more P@ssw0rd123!
  6. Install a new NAS server from scratch, and start uploading clean data to it only after hardening it against a breach. That means:
    1. Follow the DISA STIG guidelines for security hardening, depending on the Operating System of the server.
    2. Update all software on the server, not just the Operating System – if that software has a STIG for it, use it.
    3. Use 25+ character passwords, unique to this server.
    4. If possible, enable 2-factor authentication for logging in as an Administrator to the server. It is your NAS server, a password alone mustn't grant access to it.
  7. Decryptors for encrypted NAS servers usually become available after a while. It could be a week; it could be six months, a year, or never. If file recovery was impossible, preserve the original forensic copy in secure storage. Check which encryption method was used and monitor for the availability of a decryptor.
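The forensic-copy steps above (a bit-by-bit copy, verified against the source, with all recovery work done on a copy of the copy) as an added shell example; this is not the article's or FTK Imager's code, and the device or disk-file path and the case directory it takes are assumed inputs:

```shell
#!/bin/sh
# Added example, not the article's own tooling: image a disk (or a VM disk file)
# bit by bit, hash source and image, log both hashes, lock the original image and
# work only on a second copy. Assumed inputs: a block device or disk file (root
# needed for a real device) and a case directory.
set -eu

# sha256 of a file, with a fallback for systems without GNU coreutils
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SOURCE CASE_DIR: image SOURCE into CASE_DIR/original.img, verify it,
# make it read-only and create working.img, the "copy of the copy" for recovery.
# Prints the verified image hash; returns 1 on a hash mismatch.
image_disk() {
    src="$1"; case_dir="$2"; img="$case_dir/original.img"
    mkdir -p "$case_dir"
    # ibs=512 matches the sector size, so the padding done by conv=sync only ever
    # fills an unreadable sector; conv=noerror keeps reading instead of aborting
    dd if="$src" of="$img" ibs=512 obs=4194304 conv=noerror,sync
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # chain-of-custody record: what was imaged, when, and both hashes
    {
        printf '%s imaged %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img"
        printf 'source %s\nimage %s\n' "$src_hash" "$img_hash"
    } >> "$case_dir/custody.log"
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: re-image before doing anything else" >&2
        return 1
    fi
    chmod 444 "$img"                    # evidence: never written to again
    cp "$img" "$case_dir/working.img"   # every recovery attempt runs on this copy
    chmod 644 "$case_dir/working.img"
    echo "$img_hash"
}

# verify_image CASE_DIR: 0 if original.img still matches the hash logged at imaging time
verify_image() {
    recorded=$(grep '^image ' "$1/custody.log" | tail -n 1 | cut -d' ' -f2)
    [ "$(hash_file "$1/original.img")" = "$recorded" ]
}
```

Run `verify_image` again before each recovery attempt; if it fails, the evidence copy has been touched and the chain of custody is broken.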

Should you pay the ransom?

This is the question every victim asks, and there is no universal answer. Paying the ransom does not guarantee you will receive a working decryption key. In some campaigns, the decryptor provided was buggy and caused further data loss. In others, paying simply confirmed to the attackers that you were a viable target, resulting in a second attack months later. Law enforcement agencies in the US, UK, and EU officially advise against paying ransoms, partly because it funds the criminal ecosystem and incentivizes future attacks. That said, we understand that for many organizations, the alternative — losing years of business data — is existential. If you are considering payment, do not act alone: involve a professional incident response team first. They can verify whether the decryptor being offered is legitimate, negotiate the ransom amount (yes, ransoms are negotiable — attackers often accept 30–50% of the initial demand), and document the transaction for insurance and legal purposes. Never pay directly from a company account, and never communicate with attackers using corporate email.

How to identify the ransomware type and find a free decryptor

Before considering payment or accepting data loss as permanent, identify exactly which ransomware family attacked your server. The ransom note, the file extension appended to encrypted files, and the naming convention of the note file itself are all identifying markers. Submit this information — along with a sample encrypted file and its unencrypted original if available — to No More Ransom, a project run jointly by Europol, the Dutch National Police, and major cybersecurity vendors. The portal maintains a regularly updated library of free decryptors and can match your submission to a known strain. For QNAP-specific ransomware, QNAP has also released its own recovery tools following several major campaigns. Identifying the strain also matters forensically: knowing whether you were hit by DeadBolt versus eCh0raix versus a custom variant tells you a great deal about the sophistication of your attacker, what data was likely exfiltrated, and whether other systems on your network may also be at risk.
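Collecting those identifying markers from the working copy of the share, as an added shell example that is not part of the original post; the share path, the clean-backup path and the note-name heuristic are assumptions:

```shell
#!/bin/sh
# Added example, not the article's own tooling: gather the markers No More Ransom
# asks for (appended extension, ransom note files, an encrypted/original pair)
# from the working copy of the share. Assumed inputs: the mounted working copy and,
# if one exists, a clean backup of the same directory tree.

# ransom_extensions DIR: file extensions under DIR as "ext count", most frequent first
ransom_extensions() {
    find "$1" -type f -name '*.*' | sed 's/.*\.//' | tr 'A-Z' 'a-z' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# likely_extension DIR: the extension the ransomware most probably appended
likely_extension() { ransom_extensions "$1" | head -n 1 | cut -d' ' -f1; }

# ransom_notes DIR: small files whose names look like ransom notes (assumed
# heuristic; legitimate READMEs match too, so this is a list to review, not a verdict)
ransom_notes() {
    find "$1" -type f -size -64k \( -iname '*readme*' -o -iname '*recover*' \
        -o -iname '*decrypt*' -o -iname '*restore*' -o -iname '*how_to*' \) | sort
}

# sample_pair ENC_DIR BACKUP_DIR EXT: first encrypted file whose original still
# exists in the clean backup, printed as "encrypted original"
sample_pair() {
    enc="$1"; bak="$2"; ext="$3"
    find "$enc" -type f -name "*.$ext" | sort | while read -r f; do
        rel="${f#"$enc"/}"; orig="$bak/${rel%.$ext}"
        if [ -f "$orig" ]; then printf '%s %s\n' "$f" "$orig"; fi
    done | head -n 1
}

# triage_report ENC_DIR BACKUP_DIR: the summary to record before contacting anyone
triage_report() {
    ext=$(likely_extension "$1")
    printf 'Appended extension: .%s\n' "$ext"
    printf 'Encrypted files:    %s\n' "$(find "$1" -type f -name "*.$ext" | wc -l | tr -d ' ')"
    printf 'Candidate ransom notes:\n'
    ransom_notes "$1" | sed 's/^/  /'
    printf 'Sample pair for No More Ransom:\n  %s\n' "$(sample_pair "$1" "$2" "$ext")"
}
```

Keep the report together with the forensic image; the extension and note file name are what the No More Ransom portal matches against, and the encrypted/original pair is what a decryptor author needs to test with.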

Alexander Sverdlov

Founder of Atlant Security. Author of 2 books on information security, cybersecurity speaker at the largest cybersecurity conferences in Asia and panelist at a UN conference. Former member of Microsoft's security consulting team, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.