The Qlocker ransomware gang has shut down its operations after earning nearly half a million dollars in ransom money in the past month. The ransoms came from owners of exploited QNAP NAS devices.
The attacks started on April 19th, when QNAP network-attached storage (NAS) devices worldwide were encrypted. Instead of their device’s files, users would find password-protected 7-zip archives, and a !!!READ_ME.txt ransom note would explain that they needed to visit a Tor site and pay a ransom to decrypt their files. At the time, the Qlocker ransomware gang, which was responsible for the attacks on QNAP NAS devices, demanded .01 bitcoins (approximately $550) for the password to decrypt the files.
By exploiting recently disclosed QNAP vulnerabilities, threat actors encrypted over a thousand, if not thousands, of devices over the past month.
Before its shutdown, the gang’s Tor sites displayed a message saying, “This site will be closed soon.”
The Qlocker gang then resorted to a bait-and-switch tactic: they first demanded .01 bitcoins and, after the victim paid the ransom and submitted the transaction ID on the payment site, demanded an additional .02 bitcoins.
“Bitcoin is getting harder to find, time waits for nothing. The new price is 0.03,” the bait-and-switch message would say.
Eventually, the above site shut down, but another Qlocker Tor site appeared a day or so later.
Today, according to victims’ reports in the Qlocker support topic on BleepingComputer, all of the Qlocker Tor sites are no longer online.
It is not clear whether Qlocker’s shutdown was prompted by fears of increased law enforcement activity following the high-profile ransomware attacks this month. Some other ransomware gangs certainly followed such reasoning and shut down.
When the DarkSide ransomware attack on Colonial Pipeline forced some US states to declare a state of emergency and caused fuel shortages, the intensifying pressure from US law enforcement caused the DarkSide ransomware operation to shut down. Then the REvil gang announced new rules restricting its targets. Some other ransomware gangs’ Tor sites have gone offline, like those of Ako/Ranzy and Everest.
As the Qlocker gang used a fixed set of Bitcoin addresses, it is possible to calculate that its victims paid a total of 8.93258497 bitcoins, which at the time of the payments was worth almost $450,000.