How can i Brute-force attack with 32 charset
#6
Oh I had another look at these news articles and description of the problem and it seems that:
it's not enough to look at a log file (7z.log or similar)... you instead need to catch the malware while it's still encrypting, and the 7z.log needs to be created by YOU (i.e. a command can be run to log the "ps" output... the list of running processes under Linux with all the command-line arguments. The -p[PASSWORD_HERE] is of course then also within the command line).

This is just a clarification / correction (I don't want wrong claims/facts to be mentioned above by me; I didn't know that the log file was NOT automatically created and that you must also catch qlocker while it's still encrypting your (only small) files. It's using this "small files" approach to ensure it does more damage in a small amount of time, instead of encrypting large movie files or similar).

Some further links:
https://www.qnap.com/en/security-news/20...e-qnap-nas
https://www.qnap.com/en/how-to/faq/artic...iles-by-7z
https://security.stackexchange.com/questions/248696/
https://www.bleepingcomputer.com/news/se...p-utility/
https://sourceforge.net/p/sevenzip/suppo...uests/389/
https://sourceforge.net/p/sevenzip/discu...c08f09aa8/
https://www.bleepingcomputer.com/news/se...overy-app/
https://np.reddit.com/r/qnap/comments/mx..._testdisk/
https://forum.qnap.com/viewtopic.php?f=4...95#p788526
https://forum.qnap.com/viewtopic.php?f=4...55#p788798
https://forum.qnap.com/viewtopic.php?f=4...50#p788325


It seems the photorec / testdisk method to recover files is working well for a lot of affected users (you just need to do it the correct way and not use the disk heavily... i.e. read-only, and not mess around with the disk itself... just copy everything first, i.e. a special backup of the whole disk 1:1, a bit-by-bit copy).
This of course is only needed if you don't have the password. This only works because the malware just uses the -sdel parameter of 7z and did not overwrite the underlying data (like shred or similar).

Good luck recovering the files! It seems doable because of these weaknesses/problems of the encryption.
RE: How can i Brute-force attack with 32 charset - by philsmd - 05-22-2021, 01:00 PM
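The "log the ps output yourself while 7z is still running" step described in the post above, written out as an added example (not code from the post, from QNAP or from 7-Zip). It assumes the encrypting process appears in `ps -eo pid,args` with a command word of 7z, 7za or 7zr and passes the password as `-pPASSWORD` on the command line, as the post describes; the ps lines embedded in the script are constructed sample data, and `/usr/local/bin/7z`, `/data/docs` and `EXAMPLE_PASSWORD_0123` are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post or from QNAP/7-Zip: capture the
# command line of a running 7z process (including its -p password argument)
# from ps output and append it to a log file that the operator creates.
# Live mode polls `ps -eo pid,args` once per second; the sample ps output
# below is constructed so the functions can be exercised offline.

# Match ps lines whose command word is 7z, 7za or 7zr (with or without a path).
# Lines where 7z appears only as an argument (e.g. "grep 7z") do not match.
SEVENZIP_RE='^[[:space:]]*[0-9]+[[:space:]]+([^[:space:]]*/)?7z[ar]?([[:space:]]|$)'

# Constructed ps-style output for testing; pid 2312 is the interesting one.
SAMPLE_PS='  PID COMMAND
    1 /sbin/init
  842 /usr/sbin/sshd -D
 2311 sh -c /usr/local/bin/7z a -mx0 -sdel -pEXAMPLE_PASSWORD_0123 /data/docs.7z /data/docs
 2312 /usr/local/bin/7z a -mx0 -sdel -pEXAMPLE_PASSWORD_0123 /data/docs.7z /data/docs
 2400 grep 7z'

# Print the password that follows -p in one 7z command line, or nothing.
# Limitation: a password containing spaces cannot be recovered from ps output
# this way, because ps shows the arguments without their original quoting.
extract_7z_password() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-p\(.*\)$/\1/p' | head -n 1
}

# Filter ps output on stdin down to the lines that belong to 7z processes.
find_7z_lines() {
    grep -E "$SEVENZIP_RE" || true
}

# Turn the 7z ps lines on stdin into one record per process:
#   <utc timestamp> pid=<pid> pw=<password> cmd=<full command line>
format_7z_records() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    find_7z_lines | while IFS= read -r line; do
        pid=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*\([0-9][0-9]*\).*/\1/')
        cmd=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//')
        printf '%s pid=%s pw=%s cmd=%s\n' "$ts" "$pid" "$(extract_7z_password "$cmd")" "$cmd"
    done
}

# Append records for the ps output on stdin to the log file $1 and print how
# many were written (0 when no 7z process was found).
log_7z_processes() {
    records=$(format_7z_records)
    if [ -z "$records" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$records" >> "$1"
    printf '%s\n' "$records" | wc -l | tr -d ' '
}

# Live mode: `sh 7z_watch.sh /path/on/another/volume/7z.log` polls the
# process list every second until interrupted. Without an argument the
# script only defines the functions above.
if [ "$#" -eq 1 ]; then
    while :; do
        ps -eo pid,args | log_7z_processes "$1" >/dev/null
        sleep 1
    done
fi
```

Write the log to a volume the malware is not working on (a USB stick or a remote share) so the record is not swept up in the encryption; each poll that still sees the process appends another line, so a long-running 7z produces repeated records with the same pid and password, which is harmless. Once the password has been captured there is no need for the brute-force attack the thread title asks about.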