Qlocker Ransomware Shuts Down After Getting Half a Million Out of QNAP Victims

The Qlocker ransomware gang has shut down its operations after earning nearly half a million dollars in ransom money in the past month. The ransoms came from owners of exploited QNAP NAS devices.

The attacks started on April 19th, when QNAP NAS network-attached devices worldwide were encrypted. Instead of their device’s files, users would find password-protected 7-zip archives, and a !!!READ_ME.txt ransom note would explain that they needed to visit a Tor site and pay a ransom to decrypt their files. At the time, the Qlocker ransomware gang, which was responsible for the attacks on QNAP NAS devices, demanded .01 bitcoins (approximately $550) for the password to decrypt the files.

By exploiting recently disclosed QNAP vulnerabilities, threat actors encrypted over a thousand, if not thousands, of devices over the past month.

Before its shutdown, the gang’s Tor sites displayed a message saying, “This site will be closed soon.”

The Qlocker gang then resorted to a bait-and-switch tactic: they first demanded .01 bitcoins, and after the victim paid the ransom and submitted the transaction ID on the payment site, they would demand an additional .02 bitcoins.

“Bitcoin is getting harder to find, time waits for nothing. The new price is 0.03,” the bait-and-switch message would say.

Eventually, the above site shut down, but another Qlocker Tor site appeared a day or so later.

Today, according to victims’ reports in the Qlocker support topic on BleepingComputer, all of the Qlocker Tor sites are no longer online.

It is not clear whether Qlocker’s shutdown was prompted by fears of increased law enforcement activity following the high-profile ransomware attacks this month. Some other ransomware gangs certainly followed such reasoning and shut down.

When the DarkSide ransomware attack on Colonial Pipeline forced some US states to declare a state of emergency and caused fuel shortages, the intensifying pressure from US law enforcement caused the DarkSide ransomware operation to shut down. Then the REvil gang announced new rules restricting its targets. Some other ransomware gangs’ Tor sites have gone offline, like those of Ako/Ranzy and Everest.

As the Qlocker gang used a fixed set of Bitcoin addresses, it is possible to calculate that its victims paid a total of 8.93258497 bitcoins, which at the time of the payments was worth almost $450,000.


About the author

CIM Team
