OK if you're questioning my comments on backups, I agree with you, and I follow up with a reply here th-cam.com/video/Puud1K0OMVs/w-d-xo.html please see that first as I didn't do a great job here of putting across the bigger picture. Regarding paying the ransom, no. I stand by that, in fact I actually held back. I didn't refuse to pay the ransom because I'm "tech savvy" or because I knew I was going to get my files back. In the first video I made, I was resigned to losing my data, at that point I firmly believed it was gone, but at no point did it ever cross my mind to pay these c*nts. Sorry but it's a fact, paying is an enabler, and perpetuates this.
Even though the log file is deleted on a power cycle, you can probably restore it with data recovery software. Granted, you would have to find the file in the haystack of restored files, but you could theoretically end up with the password to restore all files from the zips. Edit: So you have already overwritten the files on the NAS. The above is no longer an option.
Qnap is definitely at fault. Their response stating they knew one month prior to the exploitation. March 16th they knew and created two incidents to fix the issue. April 17th is when the attack started. Where the HELL were they? ONE THING EVERYONE NEEDS TO KNOW. -- DIGITAL DATA IN ANY FORM IS NOT SAFE IT'S DIGITAL. An ESD or EMP bomb would also wipe out all your data, pacemakers or any other type of electronic device. If you back up from Qnap to Qnap then both units get trashed. I agree 321 backups would help. Where did the hackers get the list of QNAP customers, QNAP CLOUD? How secure is their cloud? I paid the ransom and their response was that my payment was a duplicate and they took my money and did not give me a password. SCREWED! 18TB of years of images and personal data. Weeks of torment and endlessly searching the web for a glimmer of hope. I had a backup but my QNAP backup did have holes in its backup. 3200 missing files from THEIR BACKUP SOFTWARE. They SUCK! Qnap support is horrible and irritating. The only way to contact them is through the web and I think they have one kid sitting in front of a computer saying sorry can't help you if you have the patience to wait 40 minutes to text someone. They had to speak with the developers to see if initializing your NAS also cleaned the NVMe M.2 drive that they use for the cache. Their help desk is useless and all they want to do is get away from the keyboard (NOT EVEN A PHONE because they don't want to talk to you at all). I also blame Bitcoin for allowing payments made through a MOB LIKE Money Laundering scheme. Think about it, the price of a bitcoin rose during the hack payment period. Many people benefited from this, not just the hackers. Is there a class action lawsuit? We as a global force need to send a message to corporations around the world that this is not acceptable business practice. As a precaution, I looked at my network and saw that I needed to upgrade my Netgear firmware on my router.
That upgrade trashed the router and bricked it! If you think Qnap is bad... After the buzz on the net got REALLY LOUD about the upgrade, they removed the firmware update and acted as if they never posted the firmware on their site. We are all vulnerable. We continue to purchase products made in countries where their morals and work ethics are not on par with the rest of the world. Only all of you and I can create change. While your videos have made a statement, 6 months from now the chatter will die and it is back to business as usual, and that we need to stop now.
Awesome video, keep up the good work. I purchased a Synology NAS 6 months ago after reading all the bad reviews on Qnap issues. If any of the Qnap management are reading this, the world is saying (Don't buy Qnap). If you are a home user or a computer tech like myself and you are looking for a NAS, save yourself the headache and (Don't buy Qnap).
@TFI I strongly suggest you read my QNAP to TrueNAS guide forum.qnap.com/viewtopic.php?f=191&t=161170 You can then use TrueNAS on your QNAP NAS. Then whatever complaints you have in regards to QNAP OS will be fixed, yes? However, honestly I saw a bunch of things you did wrong that were not QNAP related problems. You should fix that... like having a backup for starters..... "nothing you can do about it". This is not true. You should have had a backup for eventualities like this. It's called planning ahead. I can guarantee you, those HDDs in your NAS aren't gonna survive your whole lifetime. They do eventually die, so when that happens then what? In the worst-case scenario you could risk losing data.
You're absolutely right to be mad at QNAP but also you're making backup way more complicated than it needs to be. They make 8TB for $200 now; buy a fireproof bag and stick it in a fireproof/waterproof chest and you have a pretty solid backup against fire, water, & ransomware. Your greatest risk here isn't any of those things though, it's having a hard drive fail in your NAS and then another one fail during the rebuild of the first one. That can and does happen and that is why you should have a second copy at minimum of your data.
Fair play but still, I suspect you appreciate not everyone is prepared or even capable of doing that! I guess I dunno how I'd react in the event of a house fire, the house fire scenario I mentioned... but either way that's still on me and my responsibility... I'd be mad at me and no-one else. Unless it was the wife's hair curlers... But aye again, I don't want all that to become the focal point when backup or no backup, this was all about QNAP and their stupidity.
@@Neil3D Of course, I wasn't prepared myself, never thought my whole house could be reduced to ashes... I agree that your case is a QNAP incompetence, but now that you are aware that you (and anyone else) can lose everything in a fire (or whatever) I think you should seriously consider multi-site backups. It's statistically very unlikely, but if it happens, you'll be mad at yourself, especially now that you're aware of it.
@@Nekzuris Completely agree, but we are talking about two very different things here... me being super pissed at myself at losing my data in a house fire is a very different thing to having it hijacked as a result of QNAPs cuntyness. I'd put that in a completely different category/story to this all together. But yes I agree, for me I might whack the super nostalgic stuff onto an old 3.5" HDD and stash it in the parents house...
@@sang3Eta or just use your own car... :) I have my offsite backup in my car, hope that house fire and stolen/destroyed car might not happen at the same time :D but God knows...
I HATE QNAP! I turned the box off, restored my Dropbox and was relieved to see my pictures again. Then the QNAP turned itself on again! I pulled the plug. I guess I'll need to roll back Dropbox again.
I'm a topography surveyor, usually working with CAD/BIM/Point clouds, I did lose almost half of my data in the attack. I'm here to say thank you for talking about this, because I'm not a Linux expert and bleeding computer forums were way too technical for me. I did turn off everything, so the 7z.log password was beyond recovery. I did consider to pay at first, but then came up the transaction ID thievery story, so that option became too risky and got discarded. Then I've found your video and decided to give photorec a try, and I have to say that I did like it, somehow. Even if incredibly slow (still running since 300 hours), I did recover a lot of erased data - not everything, unsorted, unnamed, but it's still something. So again thank you for taking the time, and I'm glad to hear you did get everything back from the source. QNAP will always be out of my business - everyone can do mistakes, but I did not like their way to manage it. Horrible. It's not like I know what QNAP should do, but still feel like a betrayal.
You're absolutely spot on, I'm fairly tech savvy but I'm not an IT guy and QNAP markets these things to exactly an audience like myself! Like you, I have lost days of my time recovering my files (luckily not many of my files were ultimately lost because I had them on other disks too). This was entirely QNAP's fault and I want compensated, even though it will probably never happen...
I remember you commenting on my first couple of videos and tbh I had you in my mind when I was pitching my angle here, I remember looking at your channel a few weeks ago and thinking wow... yea its guys like yourself who are buying these devices, I used "wedding photographer" in here but I generally had your gig in mind as the trigger for referencing photographers. Glad you managed to get sorted though!
@@Neil3D Thanks - No wonder what you said rang so true - lol. I'm glad you made these videos though, if anything they helped me (and I'm sure others) understand the situation better and realize that QNAP was not going to do anything to help. This kind of thing is way beyond my tech abilities and their support was absolutely useless! I was lucky I had the back ups and that I can rebuild my "digital life" but even then, I have lost a lot of time. I also now have to figure out what to do with this very expensive QNAP paper weight. Glad to hear you didn't lose too much stuff either. Cheers!
Sorry for your trouble mate. Appreciate you sharing your experience. These days it seems getting one or more accounts hacked is now commonplace. And researching any product you buy that connects to the internet is probably a best practice although perhaps not always practical. Nothing is foolproof. But anything less than redundancy is really poor practice.
One thing to be aware of... every NAS manufacturer is basing their solution on hardware that's basically priced well under half of the appliance price, before any taxes and distributor/retailer cuts are even applied. The other part you're paying for is respective NAS software/services and support. The former is often based on OSS so they're not actually writing everything from scratch, they are preparing UI, predefined defaults, organising the OSS building blocks for the consumer, and maybe adding a few of their own, in some cases patented, tools on top of the OSS base. This means that you're paying a lot, nearly the same as for the hardware inside your NAS appliance boxes, for the peace of mind of the software selections and packaging and fixing. Of course if the system hole comes from eg. a VM or container a user adds/uses through some containerisation or virtualisation tools offered by the appliance manufacturer, then OK, it's the user's fault... but not if the vulnerability comes from system software or apps within respective curated app centres (with app packages that are often several versions and revisions behind sources) as then it's a manufacturer's responsibility. Therefore, they should have pushed the updates/fixes ASAP to all the machines reachable, similar to OTA Android/iOS updates or Windows10Home updates, with the proviso that if the vulnerability is important enforce the fixes/updates application straight away even if the appliance needs a reboot to apply the fix - after all users are responsible for setting apps and services and containers and VMs to autostart after reboot if required so the manufacturer does not have to worry about consumers as the security and peace of mind is what consumers are paying manufacturers for.
It's just that easy - sure some may end up angry for the box temporarily unavailable through the "unscheduled" reboot required for the fixes or something, but one can also add an option akin to other systems to either apply fixes straight away as they are released or withhold indefinitely until customer logs in to the interface and applies at the time of their own choosing - the latter option could well be implemented/bolstered through eg. an automated email sent to your address from either manufacturer cloud account or devices themselves (akin to the disk failure messages that are already often offered) that this device needs to apply a fix and perform a reboot so please login now and do it otherwise your device becomes vulnerable to attacks - I am sure 99% of home users would apply the fix ASAP, and those who didn't would end up with a vulnerable device by their own choice - issue/problem averted, responsibility for the action taken by respective parties up to respective scopes. Of course, companies may still point to having common sense or IT logic ingrained in how the consumers think and use their solutions, eg. RAID is not a backup, parity drive options are better than solely striping, admin accounts should have either passwords only or both admin account names and their passwords changed on appliance deployment, root accounts should be disabled, ports should be altered from defaults... Most of these could well be automated by the manufacturers, though in some cases that may make it a bit harder for the non-techies to use them out of the box without a manual or other external support sources...
I fully agree with you. This is one reason to build your own and use TrueNAS or Unraid to run a simple, storage-only NAS. No internet connection by default, no extra access from the Internet unless YOU DO IT YOURSELF.
You are completely right about QNAP. I worked in IT for 25 years and never trust hardware or any company. I have another channel with videos. Here is my backup flow: shoot video, copy video off to NAS (leave video on camera), edit video, render video, upload to YouTube. Only then do I delete from camera. Periodically backup important data from NAS to external hard drive. Mirror that hard drive to another. (Now I have 4 copies, 3 local, one on YouTube.) A couple times a year backup data to Blu-ray disks (2 copies). One goes in fire resistant safe. One left out for easy access which I rarely need to access. Only then do I delete from NAS. Still have a copy on 2 hard drives and Blu-ray. On next backup to the external hard drives then the data (that was backed up) is deleted from them. Still have 2 copies on Blu-rays and one on YouTube. Since watching your previous video I checked my QNAP (upgraded my firmware). I never used their backup software nor did I have a myqnapcloud account, and my QNAP is not connected to the internet (no port forwarding to it). I also uninstalled any apps on it I do not need. I will be getting a Synology to replace it as the QNAP is long expired its warranty and QNAP out of warranty support is garbage.
Tape. It's an expensive investment, but LTO tape is fast and about the same price as hard drives, but lasts 30 years. Also, for static data, that's easy to backup incrementally only.
He'd probably have to use their B2 solution. My maths might be wrong - but I think it would cost $40 a month to keep 8TB stored. Plus further costs to restore it.
Hey Neil, first off, absolutely awesome videos you made exposing the incredible incompetence of QNAP and FINALLY putting them and all other corps into their place which follow suit!!! COMPLETELY agree with EVERYTHING you mentioned 110%. Given everything you mentioned and the sheer quantity of unsuspecting individuals/companies involved in this unfortunate turn of events, I think it would be very worthy and educational (if you make any more follow-up vids about this) to point out that the ONLY IMMEDIATE indication you had to go and unplug your device was probably solely due to an AUDIBLE indication that your drive heads were going crazy, starting the attack. If these storage devices had been SSDs, there would be NO IMMEDIATE AUDIBLE indication that anything was currently happening (assuming an individual would have even been in ear-shot vicinity of the storage device). Those of us who are tech savvy would know that when disc heads start banging away, it's an indication that something is up and would/should respond accordingly. However, the non-tech savvy would hear it and simply assume it's either supposed to do that for some reason or recognize something is up but wouldn't still know what to do. In those few seconds they are contemplating what they are hearing, a few hundred thousand files, if not all, would be gone/encrypted. I'm simply suggesting that if you do make another vid about this, it would be educational to bring up the difference between the discs and the SSD drives, being audible and the other not - you get what I'm talking about. Anyway, fantastic content, keep it going!! Kevin
Sir! Just watched your first video this morning ;-) Glad you got it all back. I don't have a QNAP, I have a Netgear ReadyNAS and a WD NAS. The ReadyNAS hasn't been powered up for a while, but my WD is network facing. Lo and behold, they've put out an OS update which I've promptly installed :-)
The people who are willing to give you the source code probably already have given it to security companies. The issue is that once something like that is put up on GitHub then the attackers then alter their infection approach and then only the old infections could be helped as the newer ones would use a different encryption key.
Preach brother. I thought I escaped the April 21 attack, but discovered tonight that they got ALL my OLD family photos. The stuff that's not on iCloud, Dropbox and 14 other places. The stuff that I never access until I do. Weddings, kid photos... gone. Really QNAP? Really? None of the crap that I can afford to lose. Worse, I thought I had this off the internet. I am SO TIRED of the SYSADMIN speech on network settings. I am an artist working in my bedroom. 25 years of experience in MAKING ART, not admining network.
Wow, love your integrity for not reviewing the NAS box. I will never buy one, personally, as setting up a server is more fun for me and I love to buy used enterprise gear. Which brings up the question: I wonder if you can install freeNAS on the QNAP?
I recently lost something around 8TB of "plex library" and it could have been 14 more, I caught it in the act and did the most sensible thing and it saved the other 14TB. I switched to a Dell Poweredge because the Qnap wasn't powerful enough a few years ago, but because of my own stupidity my DIY NAS had a crippled IO, preventing it from going ham. Lost everything on 2 computers with multiple internal drives and just a few files on my NAS. I didn't lose actual precious data but I did lose months and months of video encoding time. I still feel like you're feeling in this video, disbelief, anger, sadness, and most important the WHY in all forms. There is NOTHING that justifies making money this way and EVERYONE deserves the worst thing happening to them!
It’s crazy isn’t it. I bought in Jan this year a TS-453D, for some reason I did not migrate my WD NAS drive to it. Just left it and this QLocker started happening. As of today I have yet to migrate, and of course WD drives also had the erase all data issue. So now I have also unplugged the WD NAS. I saw a Bleeping Computer article about QNAP have fixed the bugs. Looks like my NAS will always be unplugged from internet.
There's no two ways about it, everybody is responsible for backing up their data, but that's easier said than done, and it's one of those things where it's usually too late by the time you realise you really should have done it. Also, like you said, where do you stop? Having a good backup regime is a hassle to even come up with in the first place, let alone actually stick to it. I have a tiny amount of data compared to you, so I'm much less concerned about capacity, but even then, keeping my backups organised is a nightmare because I have incomplete backups spread across multiple external drives. I've also gone for over 12 months without remembering to refresh at least one backup copy too. Even if someone did splash out on having two or more of these NAS boxes and kept a *full* backup on each, that still wouldn't have done them any good in this case. Couldn't agree more about not paying the ransom, btw.
I am truly sorry for the people that happened to, but it's not really that hard to set up a backup (RAID is not a backup, especially if you're still using RAID5 or RAID1 ... RAID6 on main NAS, backup NASes can be just RAID5 because if your backup fails you just replace it). Maybe use Backblaze to back up key important folders (but it isn't suitable for large data sets usually, unless you're willing to wait an extremely long time), or for mass data that is too large to back up online, set up a different brand NAS for backup (say Synology) and just tell it to simply copy the data from your main NAS to your Synology every day at say 2am (it has very simple easy backup tools to do it). Maybe use USB backup (which can be time consuming on first backup and is a manual task; use backup software so it only backs up changed files, but it is an offline backup once unplugged so mostly immune to ransomware). For normal home use USB disk backup will be fine but remembering to do it is the key.
One other piece of advice for everyone that sees this: Disable IPV6 at your modem/gateway/router. Most consumer based devices do not offer any firewall for IPV6, and lets it go right on through. Unlike IPV4 using NAT, there is no protection unless you are using a several thousand dollar Enterprise firewall.
I had Hybrid Backup running weekly to an external HD. Oddly it stopped backing up in January and I had absolutely no idea. I set it and never checked. My Qnap was 100% locked by Ransomware. My external was 100% undamaged. I only lost the first quarter of 2021 which was minimal. Always backup to an external. I don't know why the Ransomware didn't touch my external. Does anyone know? Was it dumb luck?
Glad to hear you managed to get most of the data back. I've been using Synology NAS boxes for nearly 15 years now, they're the sort of competitor to QNAP, but they seem fairly proactive on security/patches/autoupdates etc. might be a worthy replacement option for you.
I looked at both Synology and QNAP when I bought it, but to be perfectly honest when I bought the NAS box I had absolutely no idea it even had an operating system on it never mind an entire app store and cloud integration... I just wanted a storage box. Looking at things now, Synology has a history of Synolocker, QNAP has Qlocker, I'm just gonna run with this Amber unit and cut it off from the internet. I have absolutely no need for my storage box to be connected to the internet, never have done.
Hi TFI, I am from Hong Kong and my QNAP suffered from the Qlocker issue as well. I followed the method from your last video (the PuTTY one) and successfully saved data. Should I also try the "ReclaiMe" application this time you recommended?
I agree with everything you have said and understand the scope you wish to keep the conversation. I have noticed in the past 10 years the quality of software has gone downhill big time. I have never used NAS storage except for one customer who insisted on it. I never thought that things have gotten to the point of a NAS device having bloatware and other crap. I appreciate the knowledge your video has given me, and will affect all my storage decisions going forward.
For the marketing they did nothing wrong, if you buy a computer and get hacked because you didn't install updates or learn to configure firewalls it's not the manufacturer's fault or Microsoft's fault. Also if it's 0 day (not known to be detected as nobody knows that it exists yet) all bets are off. You can do due diligence to secure things but because something is accessible to the internet it will have some risks. Manufacturers should step up though and force push critical updates but privacy advocates will opt out and have the same thing happen to them.
I agree you've definitely got a justified beef with qnap. I confess I do pay £70 a year for BackBlaze (I have 12TB of data) so I'm hopefully covered - but your angle is nothing to do with having more than one copy of data. If Seagate, Western Digital, etc., made hard drives that failed within days, there would be a massive uprising and potential legal action. Qnap seemed to have slack security and if they're aimed at non-STORAGE literate people, they should have a big button that says, "Use on LAN only", or something similar. I don't know, but I'm guessing these Qnap boxes aren't cheap, so they should have the manpower to get a message to all owners of their hardware to say, "do this and do that to protect your stuff". They shouldn't box them up in a vulnerable condition. I hope you are able to try for compensation even though you fortunately didn't lose too much. 👍
Thanks for this. I was hit and though my data had no monetary value it was of extreme value to me re memories photos etc. When friends talked to me about it afterwards I said if the ransomers said they would reinstate my data for £1 I would not have taken them up on the offer and if everyone else did the same ransom attacks would stop. So we think the same way.
So first and foremost, it's great you got your data back! I hope you have decommissioned your QNAP device and moved to a different platform. Synology or even truenas might be an option.
The backup argument is also only valid if the backup isn't another QNAP getting encrypted as well. Because correct me if I'm wrong but the last time I checked you can't restore data from a backup if it is encrypted as well!
Usually best to have backup device from different vendor, say Synology with snapshot enabled, backup should be pull setup (no write access on the backup NAS, no shares enabled, unique password and not saved on any local PCs, quick share never set up and daily update checks) and it should always have 55% free space so worst case even if a full backup happens you can undo the encryption using the snapshot.
20:33 You know, I'm not entirely convinced that QNAP knows precisely how their boxes were rooted. It appears to me that they just shoved a bunch of patches out that they ALREADY knew about and simply hoped that one of them was the actual vector. I have not seen any evidence that a particular vulnerability was for sure used in the QLocker ransomware attack.
Where I do agree with you is... people should never pay the people behind the ransomware things - but sadly they do - including major organisations (just this week a US corporation paid $5 million...). Also a tip for your NAS - if you want that QNAP (or any other NAS) not to be on the internet, set the IP address on it manually and *DO NOT* give it a Gateway Address or DNS Server. If it has no DNS and no Gateway, it has no internet access. Make sure you do the same for IPv4 and IPv6 if your NAS supports both.
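A way to verify the "no gateway, no DNS, IPv4 and IPv6" tip from the comment above, as an added example that is not part of the original thread. It assumes a Linux-based NAS with iproute2-style `ip route` output; the function names and the sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether a NAS has no default route and no DNS resolver
# for both IPv4 and IPv6. Assumes iproute2-style `ip route` output.

# Constructed sample inputs in the format of `ip -4 route show`,
# `ip -6 route show` and /etc/resolv.conf.
SAMPLE_V4_ISOLATED='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_V4_GATEWAY='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_V6_ISOLATED='fe80::/64 dev eth0 proto kernel metric 256 pref medium'
SAMPLE_V6_RA='fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1700sec pref medium'
SAMPLE_DNS_NONE='# static configuration, no resolver'
SAMPLE_DNS_SET='nameserver 192.168.1.1'

# Count default routes in a routing table passed as text in $1.
count_default_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" || $1 == "0.0.0.0/0" || $1 == "::/0" { n++ }
        END { print n + 0 }'
}

# Count default routes installed from IPv6 router advertisements ("proto ra").
# These appear without any manual gateway setting, which is why IPv6 has to be
# checked separately from the static IPv4 configuration.
count_ra_defaults() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "proto" && $(i + 1) == "ra") n++
        }
        END { print n + 0 }'
}

# Count configured resolvers in resolv.conf-style text passed in $1.
count_nameservers() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" && NF >= 2 { n++ }
        END { print n + 0 }'
}

# Args: IPv4 route table, IPv6 route table, resolv.conf text.
# Prints one line per finding; returns 0 only if nothing leads off the LAN.
audit_isolation() {
    ai_v4=$(count_default_routes "$1")
    ai_v6=$(count_default_routes "$2")
    ai_ra=$(count_ra_defaults "$2")
    ai_ns=$(count_nameservers "$3")
    ai_status=0
    if [ "$ai_v4" -gt 0 ]; then
        echo "FAIL: $ai_v4 IPv4 default route(s) present"
        ai_status=1
    fi
    if [ "$ai_v6" -gt 0 ]; then
        echo "FAIL: $ai_v6 IPv6 default route(s) present ($ai_ra from router advertisements)"
        ai_status=1
    fi
    if [ "$ai_ns" -gt 0 ]; then
        echo "FAIL: $ai_ns DNS server(s) configured"
        ai_status=1
    fi
    [ "$ai_status" -eq 0 ] && echo "OK: no default route and no DNS for IPv4 or IPv6"
    return "$ai_status"
}

if [ "${1:-}" = "--live" ]; then
    # Audit the machine this script runs on.
    audit_isolation "$(ip -4 route show)" "$(ip -6 route show)" \
        "$(cat /etc/resolv.conf 2>/dev/null)"
else
    echo "== constructed sample: static IPv4 only, IPv6 left on autoconfiguration"
    audit_isolation "$SAMPLE_V4_ISOLATED" "$SAMPLE_V6_RA" "$SAMPLE_DNS_NONE" || true
    echo "== constructed sample: fully isolated"
    audit_isolation "$SAMPLE_V4_ISOLATED" "$SAMPLE_V6_ISOLATED" "$SAMPLE_DNS_NONE" || true
fi
```

The first constructed sample shows the case the comment warns about: the IPv4 side has no gateway, but an IPv6 default route learned from a router advertisement still gives the box a path out.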
It's gonna take me probably a few months to go through my PhotoRec recovered files simply because of my busy work schedule and this file review is consuming most of my family time. I truly do want to know whether this can be a class lawsuit because of QNAP's negligence. I actually wanted to inquire about this but like I said I've been occupied with so much. I would like to hear your feedback on the chances of this turning into a class action lawsuit.
I have my NAS powered down when I don't need to back up. I have a 1TByte drive that takes the daily backups, then the 1TByte transfers to the NAS when I power it up. Simple D.I.Y power project using Arduino to turn on the power remotely and a simple Script file to start the transfer process that gets virus scanned first. I don't own a QNAP tho... thank God.!! wish the best for you and good luck to everyone. Sorry for those who lost data precious to them. In this day and age, trust NOTHING that's plugged to a wall or has a battery. Only good advice I can give.
I backup to tape. But all your comments are true about me. I have a 3 2 1 strategy, but I only back up home photos of family and movies remotely, as well as git repositories for code. I should take tapes to my in-laws. I don't. It's too much work. And too (insert swear word) expensive.
I felt your anguish when you first brought this news to TH-cam... your cctv footage captured your frenzy very well. I’m relieved you were able to stick to your principles while getting your files back minus a week, no thanks to Qnap. Peace.
I'm sorry for you, man. If you don't have two offline backups in separate locations, then you need to take some responsibility for not backing up 3 2 1.
Actually security training at my workplace tells people not to touch their computers when an incident happens, precisely because things are still running and they can find out what is going on. Had I done that instead of rebooting my NAS, I could have gotten all my files back, instead of working through my backups. I get where you are coming from in that you limited the damage, but taking an hour or two wouldn't have made much of a difference.
An hour or two in an office based ransomware attack could be the difference between it hitting the backup servers or not hitting the backup servers, I stand by everything I said there
Cheers, great to hear you didn’t lose any data. Sounds like you had a backup (old forgotten backup). QNAP security is a hot mess wrapped in a dumpster fire to be sure and they deserve the ire coming their way (not just as of late mind you because this sort of thing has happened before). Other solutions from other manufacturers do seem more secure until such time as they don’t. Many people would probably be better served by a DAS rather than a NAS. Less complicated, fewer attack vectors, cheaper and so on. If you don’t want your NAS to have Internet access just don’t give it a gateway address or the common correct gateway. Anyway, don’t let the bastards get you down.
I agree with you, I would unplug it immediately. Glad you get your data back. Thanks for sharing. Hope you don’t get PTSD… like jump out from bed whenever you hear the hard disk clicks…. P/s: 1) Golden rule of back up 3, 2, 1. 3 copies, 2 mediums, 1 offsite. 2) RAID is not backup. 3) If you can’t backup all, backup the most important, prioritize your backup. I actually do just that, backup my most important files in a hard disk that I keep in my parents' house… ha ha ha. Anyway, QNAP’s action and reaction is less than professional and absolutely undesirable.
Who are those who gave this video a Thumbs Down? Hmmmmm! I'm a Synology user who routinely checks for Updates but I had it set to manual. I have now set it to automatically check for updates daily. There's also a free AV option but haven't installed it.....yet.
I agree with your critique of QNAP over their poor security controls and unnecessary bloatware - in the interests of security they need to dump the bloatware. I think your arguments against backups could mislead other users. It's best to take the attitude that your data doesn't exist until you have at least 2 copies. There are many factors that can destroy a single copy of data, not just ransomware, burglary or your house burning down. As well as USB sticks, a cheap solution is to burn your most precious files (family photos etc) to writable Blu-rays or DVD disks. You could even use 900-year archival Blu-ray disks for your most precious data. In a diverse collection of data such as yours, there is usually some data that is more precious than other data - you can vary your backup strategy and costs according to that preciousness.
Yea I agree, backing up is a no brainer. My point here was that the presence of backups should not be the issue. QNAP should not be saying hey, we can be lax with security because all our users should have their data backed up in the event that we screw up. But I do agree with you, it's a can of worms talking about backups for the home user as opposed to enterprise which is pretty black & white. Massive topic. Every "2 copy" option for the home user has strong arguments for and against it. Even the archival DVD suggestion isn't for everyone... I don't own any optical writers, not sure I even have an optical reader here! And in 5,10 or 15 years time who knows if you'll be able to source an optical drive anywhere and if PCs at that time will even recognise them. Can of worms but still I agree, I'm not arguing against backing up, that would be crazy!
@@Neil3D "QNAP should not be saying hey, we can be lax with security because all our users should have their data backed up in the event that we screw up." I wholeheartedly agree - that is an abysmal attitude from QNAP. My own large data set (20 TB and growing!) was ransomwared by a phishing email to one of my family members about 2 years ago (a courier email with a malware attachment fooled her). Fortunately I had backups of everything and restored all contents of my QNAP NAS and my family member's workstation. I perform a nightly automatic backup from my RAID-enabled QNAP NAS to my Asustor NAS that I've setup as non-RAID with removable archive disks that I cycle off-site about once every 3 months.
I'd argue that being technically literate in 2021 is everyone's responsibility and learning how to backup data is a requirement. It's the world we live in today. Do you leave your home's security up to the experts? AWS S3 Glacier ain't expensive. Yes I know I'm one of the commenters you've got problems with, but I'll say it anyways. You've got random SQL update packages and ISOs, familiar with virtualization... you should know how to backup data. 8tb is pocket change you could slap that on two external drives. You could slap an 8tb drive into your pc, backup your nas and stash the drive away somewhere and be better off than nothing at all. By the way, change your default admin account on your QNAP from Admin to something else. I'm sure you've gotten this at least 50+ times but you're getting it again. The hard coded creds thing you brought up is wild though. I understand why you're pissed at QNAP but they can't be held responsible for your negligence. I don't think NASes are targeted towards home users either. Home users don't have 8tb of data. The wedding photographer needs to hire a professional to set them up with something and educate them, it'd be a one time thing. I know you said you won't hear anyone say it's your fault but an individual's data is an individual's responsibility. QNAP doesn't sell any guarantees. I assume your QNAP is setup in raid 1, if both your drives fail then what? Are you going to flame Seagate or Western Digital? Give it a rest mate. I agree with you about the hardcore guys with offsite backups. At a point it gets unrealistic. If your house burns down. That's a risk you take. I'd use S3 Glacier and only put your most important stuff up there. I enjoy the content nonetheless, cheers.
Thanks youtube algorithm, a day late and a dollar short. Pulling the plug was the smartest move and I would've gambled the filesystem wouldn't get too corrupted. Disconnecting your NAS from the internet is also good since 99.9% of people don't access their NAS from the internet anyway. The only reason to let it go is to save the system in case someone figures out a way to unencrypt the data because it's been done before. If you have to have it on the Internet then learn how to lock it down (turn off unnecessary services, etc).
29:04 As much as you rejected criticism of people coming out and telling you that you needed a 3-2-1 backup strategy, guilt tripping people that have likely lost more than you and have 1/10th of your technical abilities and knowledge to recover from it without paying the ransom ain't it either man. The reality is that there will ALWAYS be a mix of users on the spectrum from low tech literacy to high tech literacy, and if they are made vulnerable through no fault of their own, some will take the more desperate route. QNAP is to blame, full stop.
I completely agree, but it is also an objective indisputable fact that if people had never paid ransomware attackers then this would never have happened, paying ransomware is an enabler and I can't look past it. And I can say that because I recorded a video and put it on here, during a time when I genuinely thought (and pretty much said) I'd lost a ton of my data permanently... and at no point was I ever going to pay and be part of the problem. So no, I stand by that. And, I've worked 100+ hour weeks in a business hit with ransomware where a group of us would rather work ourselves into exhaustion, genuinely facing the prospect that a business with 300+ employees might go out of business if we can't salvage it, doing everything we can to save what we can, rather than paying the ransom. At no point was it ever considered to pay.
Glad you got your data back. This is a very valuable lesson. Wish I could contact you for a 100% super fast backup solution using off the shelf HW & SW, no monthly cost. One of your problems is you put one of your most valuable assets to 1 vendor that could have a whole host of issues. You also rely on automatic backups. You can have a hybrid backup system. Due to the cretins on here we need to take it offline. I know I can help you. I have designed a backup system for a photographer friend of mine who has 21TB of data and he has up to the point of failure backup AND another backup solution as well. He lives in a hurricane prone area and sometimes has to evacuate in very short time. He can take with him his entire backup system in 10 min and work from a hotel room if needed. The MOST important feature of ANY backup is the ability to RESTORE all of your data, not speed. Let me know if I can help
Victim blaming is never a good thing. I 100% agree with you that qnap messed up and you deserve compensation but please, let this be a learning experience for you to start backing up offsite. I recommend backblaze B2 (user myself, paid by myself, no affiliation). At $0.005/GB/month storage, $0.01/GB for downloads, it's a steal
Glad to hear you got your data back ..... but, it just causes us headaches, frustration and to be extra vigilant about our computers and access to the internet.
Being vigilant wouldn't have helped anyone here, that's the problem, everyone was helpless regardless of how safe they thought they were and how careful they thought they were being!
@14:51 Isn't that like saying, I'll sue Toyota because they allowed a hijacker to point a gun at me and take my car? You can't expect Qnap to be responsible for every single thing out of their control. When you invest in these things, you have a duty and responsibility to understand the bare minimum about how these things should be used and that includes knowing how to back up files. This is not a difficult concept. I'm not asking you to convert decimal into binary. Anyone with half a brain should know by now how to backup their files. That would be like if I decided to purchase a chainsaw and then I ended up cutting my own arm off. If you cannot learn basics, then don't invest in these things either. Backup backup backup. Keep data on three different media in three different locations. Keep one full backup and keep incremental backups. It's that simple folks. If you're serious about keeping your data, then learn how to backup your data.
If Toyota made the window roll down when you waved a gun at it, that's what we are talking about. Jesus, stop apologizing for corporations that are not your friend.
@@edwardallenthree Toyota does make windows that come out when a gun is waved at them. It's called hitting the glass really hard with the gun and opening the door.
This sounds a lot like the oil pipeline attack in the Eastern US, they should have never paid unless it was a way to track the hackers. I would think differently if it was a kidnapping where a life is at stake.
Don't think you will get any compensation. I mean it's like running windows and you getting the same attack, which by the way happens daily on windows machines then you going to microsoft and asking for compensation. It's a risk we all take with equipment that runs software. And qnap is like all the others. They try to keep their devices up to date as much as possible. Just like microsoft, and any other software developer out there.
Qnap 100% failed at their #1 product objective. I used to think Qnap was a cut above the other NAS systems out there. I'm hoping that this situation heightens their urgency in addressing vulnerabilities. What I feel concerned about is their lack of empathy. It is almost like they don't really care. If that's the case we could remain in danger. My NAS is now locked down, blocked by my router. That pisses me off because my #2 reason for a NAS is for file link sharing. Qnap pisses me off BIG!
I just discovered this disaster a few days ago. I have to say that QNAP sucks. They should have warned me, but they didn't. They could have detailed instructions on how to remove the virus, but they don't - at least not that I can find. I thought I had a pretty robust system. My primary storage is one QNAP box with a second QNAP box as a backup. I also use Dropbox for my most important files. Well.. this virus infected the Dropbox files on my QNAP, and then Dropbox spread the infection on all my computers. The good news is that Dropbox was able to roll me back to before the virus hit. Dropbox only keeps one month. I just barely made it in time. If QNAP would have sent an email, maybe I would have looked sooner. But QNAP didn't. Both of my QNAP boxes will go to the e-cycle. I already purchased a Synology. I'm also rethinking my backup strategy. I think a periodic offline backup is essential.
sorry for the inconvenience but since you are wearing an autodesk sweater: fcking autodesk cost me way more days of my life than 5 days!!! years, man!!
My firmware was updated to the latest one last week and all my apps were updated ... still I was attacked last saturday ( 3-Sep-2022 ) Shame on you #QNAP .
Just to remind everyone, the NAS was the primary copy of the backup. You need to back it up somewhere else - offsite. In an earlier video I believe TFI said you can't backup 8TB off-site on the cloud - you absolutely can via many tools - so do - or get another NAS, have it elsewhere and have it backup. But never ever assume the worst won't happen. This time it was ransomware, but next time it could be a catastrophic fire in the home or theft of the device etc.
what a sh** show. thou qnaps is not alone in this. i am the typical 'wedding photographer' user and bought wd mycloud box, plugged it in, mapped it, forgot about it. had to google how to log into it, discovered there is an OS update. (not just a patch but full software update) im running v2, and the update is v5 😲.
My point proven exactly! So basically, if this was an attack on WD devices, you would have to be logging in every few days... fully updating that storage box every few days perpetually for the entirety of your ownership to even stand a chance of preventing everything on it being essentially erased! Seems reasonable right! Everyone has time for that!
Betting QNAP has language in their TOS where you give them permission to shit the bed on you and they are not liable. They did not value security, but betting they have an ironclad TOS from some pos lawyer.
Both of these things are true: It was QNAP's fault; and you can harden yourself against future attack by various means, which you actually have done by severing your NAS from the internet and that Amber box. Your argument though that the 3-2-1 rule is unreasonable to expect a home user to follow because of cost, knowledge, backup schedules, QNAP's flaky bloatware, etc, etc is almost as pernicious as QNAP telling its customers to let the ransomware attack finish. People will watch this video and be dismissive of backing up their data because of the various reasons you've given. It does you no good to think of this in opposing terms. You were a faultless victim. You can also make yourself near impervious against a similar attack. If you had been beaten up in the street and had resolved afterwards that you were going to either arm yourself or train your body, that would be you adapting to possible threats in a world full of them. Blaming the victim would be to say, "hey, if you had done X, then you wouldn't have been harmed." I'm not saying that. I am saying, "you were victimized in the past, so now let's do something so that the likelihood of that ever happening to you again is lessened." As to your WD example, there are 18TB My Books coming soon. I have an 8TB, which is my main backup. The 8TB is under $300 CAD. It also isn't as large as you think it is. It's 2 inches wide and a lot smaller than a 2-bay NAS. However, you seem to have other options that you are looking at, which actually is you hardening yourself against similar future attacks. It was QNAP's fault, and now you are adapting. This doesn't absolve them and you are not to blame.
Your statements about the photographer not needing to be an IT manager blah blah - you're completely wrong. A home user you might say might not bother - but they should because we live in a world where this stuff matters, and is more vulnerable than the old photo album in a box under the bed. But... the wedding photographer example is running a business, so they have to consider risks to the business - and if they employ anyone they'll have legal obligations to them too - they didn't want to become a HR manager either, but you know what, that's part of the job once you get staff. So it's hard to agree with your thoughts on that because you're pretending your IT is somehow magically different or should be excluded from you paying attention. I also don't really understand how you can say if someone breaks in or the place burns down you can "mitigate" them - yet for some reason a backup - which is mitigation against a risk, you somehow think you shouldn't have to be concerned with - so some things you care about and think you'd take responsibility, other things you think it's just someone else's negligence and you play no part? That makes no sense. You had a responsibility here too, you just want to pretend you don't because you can point the finger at QNAP this time?! Your whole dialog seems to be i'll take responsibility for some scenarios that could arise, but I won't take responsibility for some others. And then you say in these comments you might take a backup and shove a drive at your parents, so you've clearly already changed stance on that too after saying not gonna happen in the video ... confused!
i am a qnap user myself currently running 5 different sized nas boxes. i was fine behind my firewall. qnap is definitely not perfect, but i think your points are not valid at all. autodesk is corporate negligence and incompetence. i don't know how you set your box up but i guess your box was accessible from outside. if you need this set up a vpn and put your box behind a firewall... don't just blame the manufacturers
It was your fault you lost (almost) your data. Totally your fault, mate. You put ALL your data on digital format and then did NOTHING to protect it. Oh no, I'm sorry, you put your data into the hands of a crap corporation, knowing nothing about them (per your own admission), and then get pissed when they get hacked. Look, I'm a home user and an amateur photographer and I have about 5TBs of data. I have my data on a raid setup, have it backed up on a couple drives in my home, and have that backed up on another drive I keep at my day job's office. Cost me about $300 for that entire backup. How much did you spend on that QNap device??? I backup my data because it is important to me, and I make the effort to protect it, and I only trust myself. Cheers.
So you're very fixed in your opinion, and probably rightfully so. QNAP screwed it. BUT: home users should also learn, the hard way sometimes, how to live in a digital world. In the past you would be robbed by pocket lifters or burglars. Nowadays they rip you off in a virtual realm. I am a home user and I have a NAS and I would never assume it is my only backup. Not because QNAP is telling me so. Because being an IT enthusiast (not a pro) I understand what backup is about and I would never assume NAS is my miracle solution to all those potential problems. And you chose not to backup - but still you keep ranting about it. Yeah I know, even if you hadn't lost your data you'd still be ranting..... And your example of a house burning down - for me there's no difference. You either have a backup or not. You also complained you bought a NAS, not a multimedia full of sh** box - well you should have chosen something else then, apparently!!! Yes QNAP is guilty - but no matter how mad you are, are they responsible for ALL of what happened? Imagine someone hacks your iPhone - using a hole in an app you have never used - would it be all Apple's fault? How about your brand new car hacked? Your Smart TV? Your Philips Hue light? This is the new reality! New risks, new scam possibilities - we all have to learn to live with it. If you want to go to the root of the thing: how about schools teaching about this? How about TV news channels talking about it instead of just giving us body count (all the negative news I am sick of). I FULLY understand your frustration - but please look at it from a wider perspective
NAS is for stupid people. Just connect your hard drives to an old computer and set up a network share. Couldn't be easier.
Qnap is definitely at fault. Their response stating they knew one month prior to the exploitation. March 16th they knew and created two incidents to fix the issue. April 17th is when the attack started. Where the HELL were they?
ONE THING EVERYONE NEEDS TO KNOW. -- DIGITAL DATA IN ANY FORM IS NOT SAFE IT'S DIGITAL. An ESD or EMP bomb would also wipe out all your data, pacemakers or any other type of electronic device
If you backup from Qnap to Qnap then both units get trashed. I agree 321 backups would help.
Where did the hackers get the list of QNAP customers, QNAP CLOUD? How secure is their cloud?
I paid the ransom and their response was that my payment was a duplicate and they took my money and did not give me a password. SCREWED! 18TB of years of images and personal data.
Weeks of torment and endlessly searching the web for a glimmer of hope.
I had a backup but my QNAP backup did have holes in its backup. 3200 missing files from THEIR BACKUP SOFTWARE. They SUCK!
Qnap support is horrible and irritating. The only way to contact them is through the web and I think they have one kid sitting in front of a computer saying sorry can't help you if you have the patience to wait 40 minutes to text someone.
They had to speak with the developers to see if initializing your nas also cleaned the NVME m,2 drive that they use for the cache. They Help desk is useless and all they want to do is get away from the keyboard (NOT EVEN A PHONE because they don't want to talk to you at all).
I also blame Bitcoin for allowing payments made through a MOB LIKE Money Laundering scheme. Think about it, the price of a bitcoin rose during the hack payment period. Many people benefited from this, not just the hackers.
Is there a class action lawsuit? We as a global force need to send a message to corporations around the world that this is not acceptable business practice.
As a precaution, I looked at my network and saw that I needed to upgrade my Netgear firmware on my router. That upgrade trashed the router and bricked it! If you think Qnap is bad... After the buzz on the net got REALLY LOUD about the upgrade, they removed the firmware update and acted as if they never posted the firmware on their site.
We are all vulnerable. We continue to purchase products made in countries where their morals and work ethics are not on par with the rest of the world. Only all of you and I can create change. While your videos have made a statement, 6 months from now the chatter will die and it is back to business as usual, and that we need to stop now.
Awesome video, keep up the good work. I purchased a Synology NAS 6 months ago after reading all the bad reviews on Qnap issues. If any of the Qnap management are reading this the world is saying ( Don't buy Qnap ). If you are a home user or a computer tech like myself and you are looking for a NAS save yourself the headache and ( Don't buy Qnap ).
@TFI
I strongly suggest you read my QNAP to Truenas guide
forum.qnap.com/viewtopic.php?f=191&t=161170
You can then use truenas on your QNAP NAS. then whatever complaints you have in regards to qnap OS will be fixed yes?
However honestly i saw a bunch of things you did wrong that were not qnap related problems. You should fix that... like having a backup for starters.....
"nothing you can do about it". This is not true. you should have had a backup for eventualities like this. it's called planning ahead. I can guarantee you, those hdds in your nas aren't gonna survive your whole life time. They do eventually die, so when that happens then what? In worse case scenario you could risk losing data.
You're absolutely right to be mad at qnap but also you're making backup way more complicated than it needs to be. They make 8tb for $200 now, buy a fireproof bag and stick it in a fireproof/waterproof chest and u have a pretty solid backup against fire, water, & ransomware. Your greatest risk here isn't any of those things though, it's having a hard drive fail in your NAS and then another one fail during the rebuild of the first one. That can and does happen and that is why you should have a second copy at minimum of your data.
I've permanently lost data in a house fire, now I'm keeping backups on multiple sites (including parent house).
Fair play but still, I suspect you appreciate not everyone is prepared or even capable of doing that! I guess I dunno how I'd react in the event of a house fire, the house fire scenario I mentioned... but either way that's still on me and my responsibility... I'd be mad at me and no-one else. Unless it was the wife's hair curlers...
But aye again, I don't want all that to become the focal point when backup or no backup, this was all about QNAP and their stupidity.
@@Neil3D Of course, I wasn't prepared myself, never thought my whole house could be reduced to ashes...
I agree that your case is a QNAP incompetence, but now that you are aware that you (and anyone else) can lose everything in a fire (or whatever) I think you should seriously consider multi-site backups.
It's statistically very unlikely, but if it happens, you'll be mad at yourself, especially now that you're aware of it.
@@Nekzuris Completely agree, but we are talking about two very different things here... me being super pissed at myself at losing my data in a house fire is a very different thing to having it hijacked as a result of QNAP's cuntyness. I'd put that in a completely different category/story to this altogether. But yes I agree, for me I might whack the super nostalgic stuff onto an old 3.5" HDD and stash it in the parents house...
If you don't have an offsite location use a fireproof safe to keep your backups in.
@@sang3Eta or just use your own car... :) I have my offsite backup in my car, hope that house fire and stolen/destroyed car might not happen at the same time :D but God knows...
I'm in the same situation! How did you get your data back?
There's no such thing as too many backups until you run out of places to keep them.
I HATE QNAP! I turned the box off, restored my dropbox and was relieved to see my pictures again. Then the QNAP turned itself on again! I pulled the plug. I guess I'll need to roll back dropbox again
I'm a topography surveyor, usually working with CAD/BIM/Point clouds, I did lose almost half of my data in the attack. I'm here to say thank you for talking about this, because I'm not a Linux expert and bleeding computer forums were way too technical for me.
I did turn off everything, so the 7z.log password was beyond recovery.
I did consider to pay at first, but then came up the transaction ID thievery story, so that option became too risky and got discarded.
Then I've found your video and decided to give photorec a try, and I have to say that I did like it, somehow. Even if incredibly slow (still running since 300 hours), I did recover a lot of erased data - not everything, unsorted, unnamed, but it's still something. So again thank you for taking the time, and I'm glad to hear you did get everything back from the source.
QNAP will always be out of my business - everyone can make mistakes, but I did not like their way to manage it. Horrible. It's not like I know what QNAP should do, but it still feels like a betrayal.
You're absolutely spot on, I'm fairly tech savvy but I'm not an IT guy and QNAP markets these things to exactly an audience like myself! Like you, I have lost days of my time recovering my files (luckily not many of my files were ultimately lost because I had them on other disks too). This was entirely QNAP's fault and I want compensated, even though it will probably never happen...
I remember you commenting on my first couple of videos and tbh I had you in my mind when I was pitching my angle here, I remember looking at your channel a few weeks ago and thinking wow... yea its guys like yourself who are buying these devices, I used "wedding photographer" in here but I generally had your gig in mind as the trigger for referencing photographers. Glad you managed to get sorted though!
@@Neil3D Thanks - No wonder what you said rang so true - lol. I'm glad you made these videos though, if anything they helped me (and I'm sure others) understand the situation better and realize that QNAP was not going to do anything to help. This kind of thing is way beyond my tech abilities and their support was absolutely useless! I was lucky I had the back ups and that I can rebuild my "digital life" but even then, I have lost a lot of time. I also now have to figure out what to do with this very expensive QNAP paper weight. Glad to hear you didn't lose too much stuff either. Cheers!
QNAP is not the only one so I guess there is no safe NAS out there.... th-cam.com/video/KWGUW9w4FPo/w-d-xo.html
Yes another main company been hit.
Thank you for your videos. We were able to get all our data back. Truly appreciate it!
Sorry for your trouble mate. Appreciate you sharing your experience. These days it seems getting one or more accounts hacked is now commonplace. And researching any product you buy that connects to the internet is probably a best practice although perhaps not always practical. Nothing is foolproof. But anything less than redundancy is really poor practice.
One thing to be aware of... every NAS manufacturer is basing their solution on hardware that's basically priced well under half of the appliance price, before any taxes and distributor/retailer cuts are even applied. The other part you're paying for is respective NAS software/services and support. The former is often based on OSS so they're not actually writing everything from scratch, they are preparing UI, predefined defaults, organising the OSS building blocks for the consumer, and maybe adding a few of their own, in some cases patented, tools on top of the OSS base. This means that you're paying a lot, nearly the same as for the hardware inside your NAS appliance boxes, for the peace of mind of the software selections and packaging and fixing. Of course if the system hole comes from eg. a VM or container a user adds/uses through some containerisation or virtualisation tools offered by the appliance manufacturer, then OK, it's the user's fault... but not if the vulnerability comes from system software or apps within respective curated app centres (with app packages that are often several versions and revisions behind sources) as then it's a manufacturer responsibility. Therefore, they should have pushed the updates/fixes ASAP to all the machines reachable, similar to OTA Android/iOS updates or Windows10Home updates, with the proviso that if the vulnerability is important enforce the fixes/updates application straight away even if the appliance needs a reboot to apply the fix - after all users are responsible for setting apps and services and containers and vms to autostart after reboot if required so the manufacturer does not have to worry about consumers as the security and peace of mind is what consumers are paying manufacturers for.
It's just that easy - sure some may end up angry for the box temporarily unavailable through the "unscheduled" reboot required for the fixes or something, but one can also add an option akin to other systems to either apply fixes straight away as they are released or withhold indefinitely until customer logs in to the interface and applies at the time of their own choosing - the latter option could well be implemented/bolstered through eg. an automated email sent to your address from either manufacturer cloud account or devices themselves (akin to the disk failure messages that are already often offered) that this device needs to apply a fix and perform a reboot so please login now and do it otherwise your device becomes vulnerable to attacks - i am sure 99% of home users would apply the fix ASAP, and those who didn't would end up with a vulnerable device by their own choice - issue/problem averted, responsibility for the action taken by respective parties up to respective scopes.
Of course, companies may still point to having common sense or IT logic engrained in how the consumers think and use their solutions, eg. RAID is not a backup, parity drive options are better than solely striping, admin accounts should have either passwords only or both admin account names and their passwords changed on appliance deployment, root accounts should be disabled, ports should be altered from defaults... Most of these could well be automated by the manufacturers, though in some cases that may make it a bit harder for the non-techies to use them out of the box without a manual or other external support sources...
Most people also do not own a NAS. With great power, comes great responsibility...
I fully agree with you. This is one reason to build your own and use TrueNAS or Unraid to run a simple, storage-only NAS. No internet connection by default, no extra access from the Internet unless YOU DO IT YOURSELF.
you are completely right about qnap.
I worked in IT for 25 years and never trust hardware or any company.
I have another channel with videos. Here is my backup flow:
shoot video
copy video off to NAS (leave video on camera)
edit video
render video
upload to youtube.
only then do I delete from camera.
periodically backup important data from NAS to external hard drive.
mirror that hard drive to another. (now I have 4 copies 3 local one on youtube)
a couple times a year backup data to Blu-ray disks (2 copies).
one goes in fire resistant safe. one left out for easy access which I rarely need to access.
Only then do I delete from NAS. still have a copy on 2 hard drives and blu-ray.
on next backup to the external hard drives then the data (that was backed up) is deleted from them.
Still have 2 copies on blu-rays and one on youtube.
since watching your previous video I checked my qnap (upgraded my firmware). I never used their backup software nor did I have a myqnapcloud account, and my qnap is not connected to the internet (no port forwarding to it). I also uninstalled any apps on it I do not need. I will be getting a synology to replace it as the qnap is long expired its warranty and qnap out of warranty support is garbage.
8TB is nothing... that's just the tip of the iceberg of my porn collection and I'd be well pissed if I ever lost that :-D
Tape. It's an expensive investment, but LTO tape is fast and about the same price as hard drives, but lasts 30 years. Also, for static data, that's easy to backup incrementally only.
just got infected with the new deadbolt ransomware yesterday...so raging
Glad you got your data back! Use backblaze to back up your NAS.
He'd probably have to use their B2 solution. My maths might be wrong - but I think it would cost $40 a month to keep 8TB stored. Plus further costs to restore it.
Hey Neil, first off, absolutely awesome videos you made exposing the incredible incompetence of QNAP and FINALLY putting them and all other corps into their place which follow suit!!! COMPLETELY agree with EVERYTHING you mentioned 110%. Given everything you mentioned and the sheer quantity of unsuspecting individuals/companies involved in this unfortunate turn of events, I think it would be very worthy and educational (if you make any more follow-up vids about this) to point out that the ONLY IMMEDIATE indication you had to go and unplug your device was probably solely due to an AUDIBLE indication that your drive heads were going crazy, starting the attack. If these storage devices had been SSDs, there would be NO IMMEDIATE AUDIBLE indication that anything was currently happening (assuming an individual would have even been in ear-shot vicinity of the storage device). Those of us who are tech savvy would know that when disc heads start banging away, it's an indication that something is up and would/should respond accordingly. However, the non-tech savvy would hear it and simply assume it's either supposed to do that for some reason or recognize something is up but wouldn't still know what to do. In those few seconds they are contemplating what they are hearing, a few hundred thousand files, if not all, would be gone/encrypted. I'm simply suggesting that if you do make another vid about this, it would be educational to bring up the difference between the discs and the SSD drives, being audible and the other not - you get what I'm talking about. Anyway, fantastic content, keep it going!! Kevin
Sir! Just watched your first video this morning ;-) Glad you got it all back. I don't have a QNAP, I have a Netgear ReadyNAS and a WD NAS. The Ready NAS hasn't been powered up for a while, but my WD is network facing. Lo and behold, they've put out an OS update which I've promptly installed :-)
The people who are willing to give you the source code probably already have given it to security companies. The issue is that once something like that is put up on GitHub then the attackers then alter their infection approach and then only the old infections could be helped as the newer ones would use a different encryption key.
2 sets of the same data = 1 backup
i can't find in the comments or other what the solution was? if you got data back, how? thanks
Dude an 8 tb hard drive costs under £200. Get a backup.
Sounds like a lot of money... until you consider the alternative.
What do you think of FreeNAS? It would certainly be safer without the bloatware.
Preach brother. I thought I escaped the April 21 attack, but discovered tonight that they got ALL my OLD family photos. The stuff that's not on iCloud, Dropbox and 14 other places. The stuff that I never access until I do. Weddings, kid photos... gone. Really QNAP? Really? None of the crap that I can afford to lose. Worse, I thought I had this off the internet. I am SO TIRED of the SYSADMIN speech on network settings. I am an artist working in my bedroom. 25 years of experience in MAKING ART, not admining network.
Wow, love your integrity for not reviewing the NAS box. I will never buy one, personally, as setting up a server is more fun for me and I love to buy used enterprise gear.
Which brings up the question: I wonder if you can install freeNAS on the QNAP?
My Western Digital NAS is set to update automatically... I just receive emails telling me it just updated... and never have to worry about it.
I recently lost something around 8TB of "plex library" and it could have been 14 more, I caught it in the act and did the most sensible thing and it saved the other 14TB.
I switched to a Dell Poweredge because the Qnap wasn't powerful enough a few years ago, but because of my own stupidity my DIY NAS had a crippled IO, preventing it from going ham. Lost everything on 2 computers with multiple internal drives and just a few files on my NAS.
I didn't lose actual precious data but I did lose months and months of video encoding time.
I still feel like you're feeling in this video, disbelief, anger, sadness, and most important the WHY in all forms.
There is NOTHING that justifies making money this way and EVERYONE deserves the worst thing happening to them!
It’s crazy isn’t it. I bought in Jan this year a TS-453D, for some reason I did not migrate my WD NAS drive to it. Just left it and this QLocker started happening. As of today I have yet to migrate, and of course WD drives also had the erase all data issue. So now I have also unplugged the WD NAS. I saw a Bleeping Computer article about QNAP having fixed the bugs. Looks like my NAS will always be unplugged from internet.
There's no two ways about it, everybody is responsible for backing up their data, but that's easier said than done, and it's one of those things where it's usually too late by the time you realise you really should have done it. Also, like you said, where do you stop? Having a good backup regime is a hassle to even come up with in the first place, let alone actually stick to it. I have a tiny amount of data compared to you, so I'm much less concerned about capacity, but even then, keeping my backups organised is a nightmare because I have incomplete backups spread across multiple external drives. I've also gone for over 12 months without remembering to refresh at least one backup copy too. Even if someone did splash out on having two or more of these NAS boxes and kept a *full* backup on each, that still wouldn't have done them any good in this case. Couldn't agree more about not paying the ransom, btw.
I am truly sorry for the people that happened to, but it's not really that hard to set up a backup (RAID is not a backup, especially if you're still using RAID5 or RAID1... RAID6 on main NAS, backup NASes can be just RAID5 because if your backup fails you just replace it)
Maybe use Backblaze to back up key important folders (but it isn't suitable for large data sets usually, unless you're willing to wait an extremely long time)
or for mass data that is too large to back up online, set up a different brand NAS for backup (say Synology) and just tell it to simply copy the data from your main NAS to your Synology every day at say 2am (it has very simple easy backup tools to do it)
Maybe use USB backup (which can be time consuming on first backup and is a manual task, use backup software so it only backs up changed files, but it is offline backup once unplugged so mostly immune to ransomware) for normal home use USB disk backup will be fine but remembering to do it is the key
One other piece of advice for everyone that sees this: Disable IPV6 at your modem/gateway/router. Most consumer based devices do not offer any firewall for IPV6, and let it go right on through. Unlike IPV4 using NAT, there is no protection unless you are using a several thousand dollar Enterprise firewall.
I had Hybrid Backup running weekly to an external HD. Oddly it stopped backing up in January and I had absolutely no idea. I set it and never checked.
My Qnap was 100% locked by Ransomware. My external was 100% undamaged. I only lost the first quarter of 2021 which was minimal.
Always backup to an external. I don't know why the Ransomware didn't touch my external. Does anyone know? Was it dumb luck?
Glad to hear you managed to get most of the data back. I've been using Synology NAS boxes for nearly 15 years now, they're the sort of competitor to QNAP, but they seem fairly proactive on security/patches/autoupdates etc. might be a worthy replacement option for you.
I looked at both Synology and QNAP when I bought it, but to be perfectly honest when I bought the NAS box I had absolutely no idea it even had an operating system on it never mind an entire app store and cloud integration... I just wanted a storage box. Looking at things now, Synology has a history of Synolocker, QNAP has Qlocker, I'm just gonna run with this Amber unit and cut it off from the internet. I have absolutely no need for my storage box to be connected to the internet, never have done.
@Neil3D Totally fair. If this Amber unit works and you can get more storage in there then that's ideal I suppose.
I backup most stuff but I don't have 8 terabytes of data yet 😅
Hi TFI, I am from Hong Kong and my QNAP suffered from the Qlocker issue as well. I followed the method from your last video (the putty one) and successfully saved data. Should I also try the "ReclaiMe" application this time you recommended?
I agree with everything you have said and understand the scope you wish to keep the conversation. I have noticed in the past 10 years the quality of software has gone downhill big time. I have never used NAS storage except for one customer who insisted on it. I never thought that things have gotten to the point of a NAS device having bloatware and other crap. I appreciate the knowledge your video has given me, and will affect all my storage decisions going forward.
For the marketing they did nothing wrong, if you buy a computer and get hacked because you didn't install updates or learn to configure firewalls it's not the manufacturer's fault or Microsoft's fault. Also if it's 0 day (not known to be detected as nobody knows that it exists yet) all bets are off. You can do due diligence to secure things but because something is accessible to the internet it will have some risks. Manufacturers should step up though and force push critical updates but privacy advocates will opt out and have the same thing happen to them.
I agree you've definitely got a justified beef with qnap. I confess I do pay £70 a year for BackBlaze (I have 12TB of data) so I'm hopefully covered - but your angle is nothing to do with having more than one copy of data.
If Seagate, Western Digital, etc., made hard drives that failed within days, there would be a massive uprising and potential legal action. Qnap seemed to have slack security and if they're aimed at non-STORAGE literate people, they should have a big button that says, "Use on LAN only", or something similar. I don't know, but I'm guessing these Qnap boxes aren't cheap, so they should have the manpower to get a message to all owners of their hardware to say, "do this and do that to protect your stuff".
They shouldn't box them up in a vulnerable condition. I hope you are able to try for compensation even though you fortunately didn't lose too much. 👍
Oh and these section things you've added to the time line, are really good.
Thanks for this. I was hit and though my data had no monetary value it was of extreme value to me re memories photos etc. When friends talked to me about it afterwards I said if the ransomers said they would reinstate my data for £1 I would not have taken them up on the offer and if everyone else did the same ransom attacks would stop. So we think the same way.
So first and foremost, it's great you got your data back! I hope you have decommissioned your QNAP device and moved to a different platform. Synology or even truenas might be an option.
The backup argument is also only valid if the backup isn't another QNAP getting encrypted as well. Because correct me if I'm wrong but the last time I checked you can't restore data from a backup if it is encrypted as well!
Usually best to have backup device from different vendor, say Synology with snapshot enabled, backup should be pull setup (no write access on the backup nas, no shares enabled, unique password and not saved on any local PCs, quick share never setup and daily update checks) and it should always have 55% free space so worst case even if a full backup happens you can undo the encrypted using the snapshot
I wonder what NAS Compares channel had to say?
20:33 You know, I'm not entirely convinced that QNAP knows precisely how their boxes were rooted. It appears to me that they just shoved a bunch of patches out that they ALREADY knew about and simply hoped that one of them was the actual vector. I have not seen any evidence that a particular vulnerability was for sure used in the QLocker ransomware attack.
Where I do agree with you is... people should never pay the people behind the ransomware things - but sadly they do - including major organisations (just this week a US corporation paid $5 million...). Also a tip for your NAS - if you want that QNAP (or any other NAS) not to be on the internet, set the IP address on it manually and *DO NOT* give it a Gateway Address or DNS Server. If it has no DNS and no Gateway, it has no internet access. Make sure you do the same for IPv4 and IPv6 if your NAS supports both.
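The no-gateway, no-DNS tip in the comment above can be checked rather than assumed. This is an added example, not part of any comment: a POSIX shell audit that looks for a default route (IPv4 and IPv6 separately) and an active resolver. Function names and sample data are constructed for illustration, and it assumes iproute2-style `ip route show` output and a standard `/etc/resolv.conf`.

```shell
#!/bin/sh
# Added example: verify that a host has no default gateway and no DNS resolver.
# All sample data below is constructed; function names are this example's own.

# Reads routing-table text (as printed by `ip route show`) on stdin.
# Succeeds (exit 0) if any default route is present.
has_default_route() {
    grep -Eq '^(default|0\.0\.0\.0/0|::/0)([[:space:]]|$)'
}

# Reads resolv.conf text on stdin.
# Succeeds if an uncommented "nameserver <address>" line exists.
has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]#]'
}

# audit_isolation V4_ROUTES V6_ROUTES RESOLV_CONF
# Prints "isolated", or a space-separated list of findings.
# Returns 0 when isolated, 1 when anything was found.
audit_isolation() {
    findings=""
    if printf '%s\n' "$1" | has_default_route; then
        findings="$findings ipv4-default-route"
    fi
    if printf '%s\n' "$2" | has_default_route; then
        findings="$findings ipv6-default-route"
    fi
    if printf '%s\n' "$3" | has_nameserver; then
        findings="$findings dns-resolver"
    fi
    if [ -z "$findings" ]; then
        echo "isolated"
        return 0
    fi
    echo "${findings# }"
    return 1
}

# Gathers the live data on a system that has iproute2 installed.
audit_live() {
    audit_isolation "$(ip -4 route show 2>/dev/null)" \
                    "$(ip -6 route show 2>/dev/null)" \
                    "$(cat /etc/resolv.conf 2>/dev/null)"
}

# --- Constructed samples -----------------------------------------------------
# IPv4: only the directly connected LAN, no gateway configured.
SAMPLE_V4_LAN='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# IPv6: link-local only, nothing learned from the router.
SAMPLE_V6_LINKLOCAL='fe80::/64 dev eth0 proto kernel metric 256 pref medium'

# IPv6: same host after accepting a router advertisement. The "proto ra"
# default route appears without anyone typing a gateway into the NAS.
SAMPLE_V6_RA='fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1790sec pref medium'

# resolv.conf with the resolver commented out.
SAMPLE_RESOLV_EMPTY='# nameserver 192.168.1.1'

if [ "${1:-}" = "--live" ]; then
    audit_live || true
else
    echo "IPv4 static, IPv6 untouched: $(audit_isolation "$SAMPLE_V4_LAN" "$SAMPLE_V6_RA" "$SAMPLE_RESOLV_EMPTY" || true)"
    echo "Both families locked down:   $(audit_isolation "$SAMPLE_V4_LAN" "$SAMPLE_V6_LINKLOCAL" "$SAMPLE_RESOLV_EMPTY" || true)"
fi
```

The second constructed sample shows why the comment says to treat both address families: a gateway removed only on the IPv4 side still leaves an IPv6 default route when the interface accepts router advertisements.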
It's gonna take me probably a few months to go through my PhotoRec recovered files simply because of my busy work schedule and this file review is consuming most of my family time. I truly do want to know whether this can be a class lawsuit because of QNAP's negligence. I actually wanted to inquire about this but like I said I've been occupied with so much. I would like to hear your feedback on the chances of this turning into a class action lawsuit.
I swear I thought that box said 'jaqwe' not 'amber' when you picked it up (read it upside down)....and was wondering what a weird name that was.
Living in denial about the essential nature of backups and software updates will not end well, as has already been evidenced. Backing up
I have my NAS powered down when I don't need to back up. I have a 1TByte drive that takes the daily backups, then the 1TByte transfers to the NAS when I power it up. Simple D.I.Y power project using Arduino to turn on the power remotely and a simple Script file to start the transfer process that get Virus scanned first. I don't own a QNAP tho... thank God.!! wish the best for you and good luck to everyone. Sorry for those who lost data precious to them. In this day and age, trust NOTHING that's plugged to a wall or has a battery. Only good advice I can give.
I backup to tape. But all your comments are true about me. I have a 3 2 1 strategy, but I only back up home photos of family and movies remotely, as well as git repositories for code.
I should take tapes to my in-laws. I don't. It's too much work. And too (insert swear word) expensive.
I felt your anguish when you first brought this news to TH-cam... your cctv footage captured your frenzy very well. I’m relieved you were able to stick to your principles while getting your files back minus a week, no thanks to Qnap. Peace.
I'm sorry for you, man. If you don't have two offline backups in separate locations, then you need to take some responsibility for not backing up 3 2 1.
Actually security training at my workplace tells people not to touch their computers when an incident happens, precisely because things are still running and they can find out what is going on. Had I done that instead of rebooting my NAS, I could have gotten all my files back, instead of working through my backups.
I get where you are coming from in that you limited the damage, but taking an hour or two wouldn't have made much of a difference.
An hour or two in an office based ransomware attack could be the difference between it hitting the backup servers or not hitting the backup servers, I stand by everything I said there
Cheers, great to hear you didn’t lose any data. Sounds like you had a backup (old forgotten backup).
QNAP security is a hot mess wrapped in a dumpster fire to be sure and they deserve the ire coming their way (not just as of late mind you because this sort of thing has happened before). Other solutions from other manufacturers do seem more secure until such time as they don’t.
Many people would probably be better served by a DAS rather than a NAS. Less complicated, fewer attack vectors, cheaper and so on. If you don’t want your NAS to have Internet access just don’t give it a gateway address or the common correct gateway.
Anyway, don’t let the bastards get you down.
I agree with you, I would unplug it immediately. Glad you get your data back. Thanks for sharing.
Hope you don’t get PTSD… like jump out from bed whenever you hear the harddisk clicks….
P/s:
1) Golden rule of back up 3, 2, 1.
3 copies, 2 mediums, 1 offsite.
2) Raid is not backup.
3) If you can’t backup all, backup the most important, prioritize your backup.
I actually do just that, backup my most important files in a Harddisk that I keep in my parents house… ha ha ha.
Anyway, QNAP’s action and reaction is less than professional and absolutely undesirable.
Who are those who gave this video a Thumbs Down? Hmmmmm!
I'm a Synology user who routinely checks for Updates but I had it set to manual. I have now set it to automatically check for updates daily. There's also a free AV option but haven't installed it.....yet.
amen! you could not have explained and talked better! I'm a designer affected by Qnap Qlocker, and totally agree with everything you said, everything!
I agree with your critique of QNAP over their poor security controls and unnecessary bloatware - in the interests of security they need to dump the bloatware. I think your arguments against backups could mislead other users. It's best to take the attitude that your data doesn't exist until you have at least 2 copies. There are many factors that can destroy a single copy of data, not just ransomware, burglary or your house burning down. As well as USB sticks, a cheap solution is to burn your most precious files (family photos etc) to writable blurays or DVD disks. You could even use 900-year archival bluray disks for your most precious data. In a diverse collection of data such as yours, there is usually some data that is more precious than other data - you can vary your backup strategy and costs according to that preciousness.
Yea I agree, backing up is a no brainer. My point here was that the presence of backups should not be the issue. QNAP should not be saying hey, we can be lax with security because all our users should have their data backed up in the event that we screw up. But I do agree with you, it's a can of worms talking about backups for the home user as opposed to enterprise which is pretty black & white. Massive topic. Every "2 copy" option for the home user has strong arguments for and against it. Even the archival DVD suggestion isn't for everyone... I don't own any optical writers, not sure I even have an optical reader here! And in 5,10 or 15 years time who knows if you'll be able to source an optical drive anywhere and if PCs at that time will even recognise them. Can of worms but still I agree, I'm not arguing against backing up, that would be crazy!
@Neil3D "QNAP should not be saying hey, we can be lax with security because all our users should have their data backed up in the event that we screw up." I wholeheartedly agree - that is an abysmal attitude from QNAP.
My own large data set (20 TB and growing!) was ransomwared by a phishing email to one of my family members about 2 years ago (a courier email with a malware attachment fooled her). Fortunately I had backups of everything and restored all contents of my QNAP NAS and my family member's workstation. I perform a nightly automatic backup from my RAID-enabled QNAP NAS to my Asustor NAS that I've setup as non-RAID with removable archive disks that I cycle off-site about once every 3 months.
You should backup your data
I'd argue that being technically literate in 2021 is everyone's responsibility and learning how to backup data is a requirement. It's the world we live in today. Do you leave your home's security up to the experts? AWS S3 Glacier ain't expensive.
Yes I know I'm one of the commenters you've got problems with, but I'll say it anyways. You've got random SQL update packages and ISOs, familiar with virtualization... you should know how to backup data. 8tb is pocket change you could slap that on two external drives. You could slap an 8tb drive into your pc, backup your nas and stash the drive away somewhere and be better off than nothing at all. By the way, change your default admin account on your QNAP from Admin to something else. I'm sure you've gotten this at least 50+ times but you're getting it again. The hard coded creds thing you brought up is wild though.
I understand why you're pissed at QNAP but they can't be held responsible for your negligence. I don't think NAS' are targeted towards home users either. Home users don't have 8tb of data. The wedding photographer needs to hire a professional to set them up with something and educate them, it'd be a one time thing.
I know you said you won't hear anyone say it's your fault but an individual's data is an individual's responsibility. QNAP doesn't sell any guarantees. I assume your QNAP is setup in raid 1, if both your drives fail then what? Are you going to flame Seagate or Western Digital? Give it a rest mate.
I agree with you about the hardcore guys with offsite backups. At a point it gets unrealistic. If your house burns down. That's a risk you take. I'd use S3 Glacier and only put your most important stuff up there.
I enjoy the content nonetheless, cheers.
Man, that advice is like when you got shot in a robbery and the doctor says to walk it off 👍
No it's not. At all. A doctor can help you but no one can help you if your data is encrypted without a backup.
Thanks youtube algorithm, a day late and a dollar short. Pulling the plug was the smartest move and I would've gambled the filesystem wouldn't get too corrupted. Disconnecting your NAS from the internet is also good since 99.9% of people don't access their NAS from the internet anyway. The only reason to let it go is to save the system in case someone figures out a way to unencrypt the data because it's been done before. If you have to have it on the Internet then learn how to lock it down (turn off unnecessary services, etc).
29:04 As much as you rejected criticism of people coming out and telling you that you needed a 3-2-1 backup strategy, guilt tripping people that have likely lost more than you and have 1/10th of your technical abilities and knowledge to recover from it without paying the ransom ain't it either man. The reality is that there will ALWAYS be a mix of users on the spectrum from low tech literacy to high tech literacy, and if they are made vulnerable through no fault of their own, some will take the more desperate route. QNAP is to blame, full stop.
I completely agree, but it is also an objective undisputable fact that if people had never paid ransomware attackers then this would never have happened, paying ransomware is an enabler and I can't look past it. And I can say that because I recorded a video and put it on here, during a time when I genuinely thought (and pretty much said) I'd lost a ton of my data permanently... and at no point was I ever going to pay and be part of the problem. So no, I stand by that.
And, I've worked 100+ hour weeks in a business hit with ransomware where a group of us would rather work ourselves into exhaustion, genuinely facing the prospect that a business with 300+ employees might go out of business if we can't salvage it, doing everything we can do save what we can, rather than paying the ransom. At no point was it ever considered to pay.
Glad you got your data back. This is a very valuable lesson.
Wish I could contact you for a 100% super fast backup solution using off the shelf HW & SW, no monthly cost.
One of your problems is you put one of your most valuable assets to 1 vendor that could have a whole host of issues. You also rely on automatic backups. You can have a hybrid backup system.
Due to the cretins on here we need to take it offline. I know I can help you.
I have designed a backup system for a photographer friend of mine who has 21TB of data and he has up to the point of failure backup AND another backup solution as well. He lives in a hurricane prone area and sometimes has to evacuate in very short time. He can take with him, his entire backup system in 10 min and work from a hotel room if needed.
The MOST important feature of ANY backup is the ability to RESTORE all of your data, not speed.
Let me know if I can help
As a casual user I 100% agree with everything you said
i lost my entire family photos since my childhood 40+yrs ago.
Victim blaming is never a good thing. I 100% agree with you that qnap messed up and you deserve compensation but please, let this be a learning experience for you to start backing up offsite. I recommend backblaze B2 (user myself, paid by myself, no affiliation). At $0.005/GB/month storage, $0.01/GB for downloads, it's a steal
Glad to hear you got your data back ..... but, it just causes us headaches, frustration and to be extra vigilant about our computers and access to the internet.
Being vigilant wouldn't have helped anyone here, that's the problem, everyone was helpless regardless of how safe they thought they were and how careful they thought they were being!
@14:51 Isn't that like saying, I'll sue Toyota because they allowed a hijacker to point a gun at me and take my car? You can't expect Qnap to be responsible for every single thing out of their control. When you invest in these things, you have a duty and responsibility to understand the bare minimum about how these things should be used and that includes knowing how to back up files. This is not a difficult concept. I'm not asking you to convert decimal into binary. Anyone with half a brain should know by now how to backup their files. That would be like if I decided to purchase a chainsaw and then I ended up cutting my own arm off. If you cannot learn basics, then don't invest in these things either.
Backup backup backup
Keep data on three different medias in three different locations
Keep one full backup and keep incremental backups
It's that simple folks. If you're serious about keeping your data, then learn how to backup your data.
If Toyota made the window roll down when you waved a gun at it, that's what we are talking about. Jesus, stop apologizing for corporations that are not your friend.
@edwardallenthree Toyota does make windows that come out when a gun is waved at them. It's called hitting the glass really hard with the gun and opening the door.
This sounds a lot like the oil pipeline attack in the Eastern US, they should have never paid unless it was a way to track the hackers. I would think differently if it was a kidnapping where a life is at stake.
Don't think you will get any compensation. I mean it's like running windows and you getting the same attack, which by the way happens daily on windows machines then you going to microsoft and asking for compensation. It's a risk we all take with equipment that runs software. And qnap is like all the others. They try to keep their devices up to date as much as possible. Just like microsoft, and any other software developer out there.
Qnap 100% failed at their #1 product objective. I used to think Qnap was a cut above the other NAS systems out there. I'm hoping that this situation heightens their urgency in addressing vulnerabilities. What I feel concerned about is their lack of Empathy. It is almost like they don't really care. If that's the case we could remain in danger. My NAS is now locked down blocked by my router. That pisses me off because my #2 reason for a NAS is for file link sharing. Qnap pisses me off BIG!
I just discovered this disaster a few days ago. I have to say that QNAP sucks. They should have warned me, but they didn't. They could have detailed instructions on how to remove the virus, but they don't - at least not that I can find.
I thought I had a pretty robust system. My primary storage is one QNAP box with a second QNAP box as a backup. I also use Dropbox for my most important files. Well.. this virus infected the Dropbox files on my QNAP, and then Dropbox spread the infection on all my computers.
The good news, is that Dropbox was able to roll me back to before the virus hit. Dropbox only keeps one month. I just barely made it in time. If QNAP would have sent an email, maybe I would have looked sooner. But QNAP didn't.
Both of my QNAP boxes will go to the e-cycle. I already purchased a Synology.
I'm also rethinking my backup strategy. I think a periodic offline backup is essential.
sorry for the inconvenience but since you are wearing an autodesk sweater: fcking autodesk cost me way more days of my life than 5 days!!! years, man!!
Forget about qnap I just switched to synology,
Glad you got your data back👍
My firmware was updated to the latest one last week and all my apps were updated ... still I was attacked last saturday ( 3-Sep-2022 ) Shame on you #QNAP .
You always need to think of the noobs.
Don't leave your devices sitting directly on the internet
I agree with you, completely.
I lost my data too.. fuck qnap
Can you show how you recovered your data using this software?
Just to remind everyone, the NAS was the primary copy of the backup. You need to back it up somewhere else - offsite. In an earlier video I believe TFI said you can't backup 8TB off-site on the cloud - you absolutely can via many tools - so do - or get another NAS, have it elsewhere and have it backup. But never ever assume the worst won't happen. This time it was ransomware, but next time it could be a catastrophic fire in the home or theft of the device etc.
what a sh** show. though qnap is not alone in this. i am the typical 'wedding photographer' user and bought wd mycloud box, plugged it in, mapped it, forgot about it. had to google how to log into it, discovered there is an OS update. (not just a patch but full software update) I'm running v2, and the update is v5 😲.
My point proven exactly! So basically, if this was an attack on WD devices, you would have to be logging in every few days... fully updating that storage box every few days perpetually for the entirety of your ownership to even stand a chance of preventing everything on it being essentially erased! Seems reasonable right! Everyone has time for that!
You should sue QNAP for negligence.
Betting QNAP has language in their TOS where you give them permission to shit the bed on you and they are not liable. They did not value security, but betting they have an ironclad TOS from some pos lawyer.
Both of these things are true: It was QNAP's fault; and you can harden yourself against future attack by various means, which you actually have done by severing your NAS from the internet and that Amber box. Your argument though that the 3-2-1 rule is unreasonable to expect a home user to follow because of cost, knowledge, backup schedules, QNAP's flaky bloatware, etc, etc is almost as pernicious as QNAP telling its customers to let the ransomware attack finish. People will watch this video and be dismissive of backing up their data because of the various reasons you've given.
It does you no good to think of this in opposing terms. You were a faultless victim. You can also make yourself near impervious against a similar attack. If you had been beaten up in the street and had resolved afterwards that you were going to either arm yourself or train your body, that would be you adapting to possible threats in a world full of them. Blaming the victim would be to say, "hey, if you had done X, then you wouldn't have been harmed." I'm not saying that. I am saying, "you were victimized in the past, so now let's do something so that the likelihood of that ever happening to you again is lessened."
As to your WD example, there are 18TB My Books coming soon. I have an 8TB, which is my main backup. The 8TB is under $300 CAD. It also isn't as large as you think it is. It's 2 inches wide and a lot smaller than a 2-bay NAS. However, you seem to have other options that you are looking at, which actually is you hardening yourself against similar future attacks. It was QNAP's fault, and now you are adapting. This doesn't absolve them and you are not to blame.
Your statements about the photographer not needing to be an IT manager blah blah - you're completely wrong. A home user you might say might not bother - but they should because we live in a world where this stuff matters, and is more vulnerable than the old photo album in a box under the bed. But... the wedding photographer example is running a business, so they have to consider risks to the business - and if they employ anyone they'll have legal obligations to them too - they didn't want to become a HR manager either, but you know what, that's part of the job once you get staff. So it's hard to agree with your thoughts on that because you're pretending your IT is somehow magically different or should be excluded from you paying attention.
I also don't really understand how you can say if someone breaks in or the place burns down you can "mitigate" them - yet for some reason a backup - which is mitigation against a risk, you somehow think you shouldn't have to be concerned with - so some things you care about and think you'd take responsibility, other things you think it's just someone else's negligence and you play no part? That makes no sense. You had a responsibility here too, you just want to pretend you don't because you can point the finger at QNAP this time?!
Your whole dialog seems to be I'll take responsibility for some scenarios that could arise, but I won't take responsibility for some others. And then you say in these comments you might take a backup and shove a drive at your parents, so you've clearly already changed stance on that too after saying not gonna happen in the video ... confused!
I am a QNAP user myself, currently running 5 different sized NAS boxes. I was fine behind my firewall. QNAP is definitely not perfect, but I think your points are not valid at all. autodesk is corporate negligence and incompetence. I don't know how you set your box up but I guess your box was accessible from outside. If you need this, set up a VPN and put your box behind a firewall... don't just blame the manufacturers
Go and research what happened here, then explain to me how a firewall and/or VPN would have prevented this.
It was your fault you lost (almost) your data. Totally your fault, mate. You put ALL your data on digital format and then did NOTHING to protect it. Oh no, I'm sorry, you put your data into the hands of a crap corporation, knowing nothing about them (per your own admission), and then get pissed when they get hacked.
Look, I'm a home user and an amateur photographer and I have about 5TBs of data. I have my data on a raid setup, have it backed up on a couple drives in my home, and have that backed up on another drive I keep at my day job's office. Cost me about $300 for that entire backup. How much did you spend on that QNAP device???
I backup my data because it is important to me, and I make the effort to protect it, and I only trust myself. Cheers.
So you're very fixed in your opinion, and probably rightfully so. QNAP screwed it. BUT: home users should also learn, the hard way sometimes, how to live in a digital world. In the past you would be robbed by pocket lifters or burglars. Nowadays they rip you off in a virtual realm. I am a home user and I have a NAS and I would never assume it is my only backup. Not because QNAP is telling me so. Because being an IT enthusiast (not a pro) I understand what backup is about and I would never assume NAS is my miracle solution to all those potential problems.
And you chose not to backup - but still you keep ranting about it. Yeah I know, even if you hadn't lost your data you'd still be ranting.....
And your example of a house burning down - for me there's no difference . You either have a backup or not.
You also complain you bought a NAS, not a multimedia full of sh** box - well you should have chosen something else then, apparently!!!
Yes QNAP is guilty - but no matter how mad you are, are they responsible for ALL of what happened?
Imagine someone hacks your iPhone - using a hole in an app you have never used - would it be all Apple's fault? How about your brand new car hacked? Your Smart TV? Your Philips Hue light?
This is the new reality! New risks, new scam possibilities - we all have to learn to live with it. If you want to go to the root of the thing: how about schools teaching about this? How about TV news channels talking about it instead of just giving us body count (all the negative news I am sick of).
I FULLY understand your frustration - but please look at it from a wider perspective
INSIDE JOB
drama queen