Thursday, May 28, 2020

All your data is belong to us

So it isn't looking good. The software that got me was ech0raix. It is a ransomware attack that encrypts Linux-based NAS drives made by QNAP. The infection was caught by the Malware AP, which told me to submit a help ticket to QNAP with the subject line "ransomware."

I got a reply about an hour ago. The software uses a 173-character password to encrypt the files using a 256-bit algorithm. (If I am screwing up the terminology, bear with me. I was up all night trying to retrieve anything I can. I have been up for 32 hours.) They say that the key is not entirely random, so there is a chance that someday it will be cracked. For that reason, I will lock the drives away, and maybe I can recover my stuff then.

They claim that it infects your system by brute forcing the password. QNAP accused me of having a weak password. I didn't think I did. It was 11 characters long, with upper case, lower case, punctuation, and numbers. I am not sure I believe that, because if all it is is a brute-force attack, then why does it only affect certain QNAP model numbers?

I used to back up data every six months by burning backups onto CD-ROM, but I started using all QNAP software for backup, so we stopped doing backups. The last backup I have is from November of 2016. Almost everything since then is gone: financial data, tax data, pictures, and everything else. I may have some of the pictures, but most are gone, including wedding pictures.

I don't yet know what I have and don't have. We are going through everything to see what we can find saved in various places that the malware may have missed. I will still continue to try and find a way to recover those files, but at this point, I don't see much hope.

We will be getting rid of our NAS and returning to the old ways: backup to CD-ROM once a quarter. Not as convenient day to day, but this is the first virus I have ever been hit with, and I have been online and computing since the days of BBS boards (1980s).

I have been beating myself up for becoming complacent and not backing up all of the time, but I dropped the ball. I just know that I never want to see my wife that upset again. It wounds me to know that a good number (half or more) of her wedding pictures, our Europe vacation, our Alaska trip, and many pictures of the grandkids and me are gone for good, and to see the effect it has on her.


Barehander said...

I got it in 2013... Luckily I wasn't on my company's server... A $9 billion a year multi-national Co. would have been wiped out also... It was so new, the head of Corp. IT security didn't know a thing about it... I had an external drive connected, Dropbox, which had all my department's work product on it, and Carbonite... It got them all...
I learned right then that those backup programs are worthless... Luckily, I had the habit of backing up all of it (including 100,000 photos) on 2 other externals... I no longer leave any external drive plugged in for more than I need... I feel your pain... Good luck.

Therefore said...

Here is the closing of the door after the horses have fled the barn...

Find a simple Unix box and install and run Amanda. Configure it to store your data to Amazon S3. It allows you to decide how many copies you want. I have it set up for my servers with a 2+ year schedule.

S3 is cheap even for terabytes of data.

That Linux system can back up all your Linux or Microsoft systems and likely Macs as well.

Hit me up if you want help getting this set up.

Divemedic said...

I think going forward, we will use the NAS to store data, but we will not be doing an online backup. Anything with access to the Internet can be hacked.

Instead, I am going to take anything that will not change over time (pictures, videos, etc.) and every 90 days bundle them up and burn them to a CD (or more frequently when a special event happens: weddings, holidays, trips to Europe, etc.). Then label the CD something like "Pictures 2nd Qtr 2020."

For more fluid files (documents, spreadsheets, etc.) we will be using a passport drive to back them up every 90 days. I will then keep the last two versions.
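The rotation Divemedic describes (a dated bundle onto a removable drive, keeping only the last two) is simple enough to script so it is done the same way every quarter. The script below is an added example and is not from the post or its commenters. It assumes the passport drive is already mounted at a path you pass in (hypothetical `/media/passport` in the usage comment), that GNU `tar` and `sha256sum` are available, and that the drive is unplugged again once the script finishes, which is what keeps the copy out of reach of anything that later encrypts the NAS. It also writes a SHA-256 file beside each archive so a future restore can be checked before it is trusted.

```sh
#!/bin/sh
# Added example, not the post's own procedure.
# Quarterly offline backup of one directory onto a removable drive:
#   - one compressed tar archive per run, named by a label (default: today's date)
#   - a .sha256 manifest next to it so integrity can be verified later
#   - retention: only the newest $keep archives are kept (post says "last two")
# Assumed tools: GNU tar, sha256sum, sort, tail. Mount point is an assumption.

backup_snapshot() {
    src="$1"                       # directory to protect, e.g. ~/Documents
    dest="$2"                      # mount point of the removable drive
    keep="${3:-2}"                 # number of snapshots to retain
    label="${4:-$(date +%Y-%m-%d)}"  # run label, e.g. 2020-Q2
    snapdir="$dest/snapshots"
    mkdir -p "$snapdir"
    archive="$snapdir/backup-$label.tar.gz"

    # Archive relative to the parent so paths inside the tarball stay short.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"

    # Checksum recorded at backup time; compare against it before restoring.
    ( cd "$snapdir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )

    # Retention: list newest first, skip the first $keep, delete the rest.
    ls -1 "$snapdir"/backup-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$old" "$old.sha256"
    done

    printf '%s\n' "$archive"       # path of the archive just written
}

# Returns 0 if the archive still matches the manifest written at backup time.
verify_snapshot() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Number of archives currently on the drive.
count_snapshots() {
    ls -1 "$1"/snapshots/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Usage (run after plugging the drive in, then unmount and unplug it):
#   backup_snapshot "$HOME/Documents" /media/passport 2 2020-Q2
#   verify_snapshot /media/passport/snapshots/backup-2020-Q2.tar.gz && echo OK
```

The label argument is what makes the "last two versions" rule work: archives sort by name, so consistent labels such as `2020-Q1`, `2020-Q2` keep the newest ones and prune the oldest. Verifying the manifest after each burn or copy, before the drive goes back in the drawer, catches a bad write while the originals still exist.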