A massive new ransomware campaign against QNAP NAS (network-attached storage) devices is underway, in which attackers use the Qlocker ransomware. Multiple users have reported losing access to their files, which had been packed into password-protected 7-Zip archives.
The campaign began on April 19th, 2021, as BleepingComputer reports. Since then, the site has seen a large number of reports in its Qlocker support forum thread.
According to victims, the attackers pack the files stored on the QNAP NAS into password-protected 7-Zip archives. Victims cannot extract these archives, since only the attackers know the passwords.
Once the archiving is done, users find a !!!READ_ME.txt ransom note containing a client key; victims enter it to log into the ransomware's Tor payment site and discuss the ransom terms with the attackers.
As BleepingComputer's Lawrence Abrams reports, every victim is asked to pay 0.01 Bitcoin (around $557 at the time) for the password needed to extract their files.
BleepingComputer later wrote that there might be a way for victims to recover their files without paying the ransom, but two days on it was still investigating the incident and had not yet found a working method.
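The two indicators described above (password-protected 7-Zip archives and a !!!READ_ME.txt note) can be triaged from a copy of the share without the 7z tool installed. The script below is an added example, not code from the article, QNAP or BleepingComputer: it validates the 7z signature header (both CRC32 values), then looks for the 7zAES coder ID in the archive's "next header" to tell plain archives from password-protected ones, and separately flags archives whose header is itself encrypted (`7z a -p -mhe=on`, which also hides file names). The directory layout and the sample archives it builds are constructed stand-ins with valid headers but non-extractable bodies; they are not real Qlocker output.

```python
"""Triage a directory tree (e.g. a copy of a NAS share mounted on an analyst
workstation) for Qlocker-style indicators: password-protected 7-Zip archives
and !!!READ_ME.txt ransom notes.  Added example; the header layout and coder
IDs come from the 7z format, the sample files below are constructed."""
import io
import struct
import tempfile
import zlib
from pathlib import Path

SEVENZ_MAGIC = b"\x37\x7A\xBC\xAF\x27\x1C"   # 6-byte 7z signature
K_HEADER = 0x01                             # plain next header
K_ENCODED_HEADER = 0x17                     # next header is compressed/encrypted (-mhe=on)
AES_CODER_ID = b"\x06\xF1\x07\x01"          # 7zAES coder method ID
LZMA_CODER_ID = b"\x03\x01\x01"             # LZMA coder method ID
RANSOM_NOTE_NAME = "!!!READ_ME.txt"         # note name reported by Qlocker victims


def inspect_7z(fh) -> dict:
    """Validate the 32-byte signature header (both CRC32s), then look for the
    7zAES coder ID in the next header.  Heuristic: the ID is matched as a byte
    string rather than by fully parsing the streams info."""
    fh.seek(0)
    sig = fh.read(32)
    if len(sig) < 32 or sig[:6] != SEVENZ_MAGIC:
        return {"valid": False, "reason": "not a 7z file"}
    (start_crc,) = struct.unpack_from("<I", sig, 8)
    if zlib.crc32(sig[12:32]) != start_crc:
        return {"valid": False, "reason": "start header CRC mismatch"}
    next_off, next_size, next_crc = struct.unpack_from("<QQI", sig, 12)
    fh.seek(32 + next_off)                  # offset is relative to the end of the signature header
    next_header = fh.read(next_size)
    if len(next_header) != next_size or zlib.crc32(next_header) != next_crc:
        return {"valid": False, "reason": "next header truncated or CRC mismatch"}
    uses_aes = AES_CODER_ID in next_header
    header_encrypted = next_header[:1] == bytes([K_ENCODED_HEADER]) and uses_aes
    return {"valid": True, "uses_aes": uses_aes, "header_encrypted": header_encrypted}


def inspect_7z_bytes(data: bytes) -> dict:
    return inspect_7z(io.BytesIO(data))


def scan_tree(root) -> dict:
    """Walk root and bucket findings.  Only the two headers of each archive are
    read, so this stays cheap on large files.  Paths are relative to root."""
    root = Path(root)
    findings = {"ransom_notes": [], "encrypted_archives": [], "plain_archives": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(rel)
            continue
        with path.open("rb") as fh:
            if fh.read(6) != SEVENZ_MAGIC:
                continue
            report = inspect_7z(fh)
        if not report["valid"]:
            continue
        bucket = "encrypted_archives" if report["uses_aes"] else "plain_archives"
        findings[bucket].append((rel, report["header_encrypted"]))
    return {k: sorted(v) for k, v in findings.items()}


def _streams_info(coder_id: bytes) -> bytes:
    """Minimal StreamsInfo: one pack stream, one folder with a single coder."""
    return bytes([
        0x06, 0x00, 0x01, 0x09, 0x20, 0x00,  # kPackInfo: packPos 0, 1 stream, kSize 32, kEnd
        0x07, 0x0B, 0x01, 0x00,              # kUnPackInfo, kFolder, 1 folder, not external
        0x01, len(coder_id),                 # 1 coder; flag byte = id length, simple, no props
    ]) + coder_id + bytes([0x0C, 0x40, 0x00, 0x00])  # kCodersUnPackSize 64, kEnd, kEnd


def build_sample_archive(mode: str) -> bytes:
    """Constructed stand-in with valid CRCs but a simplified, non-extractable
    body.  'plain' = no password, 'password' = 7z a -p, 'hidden' = -p -mhe=on."""
    if mode == "plain":
        next_header = bytes([K_HEADER, 0x04]) + _streams_info(LZMA_CODER_ID) + b"\x00"
    elif mode == "password":
        next_header = bytes([K_HEADER, 0x04]) + _streams_info(AES_CODER_ID) + b"\x00"
    elif mode == "hidden":
        next_header = bytes([K_ENCODED_HEADER]) + _streams_info(AES_CODER_ID)
    else:
        raise ValueError(mode)
    packed = b"\x00" * 32                    # dummy packed stream
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail + packed + next_header


def demo() -> dict:
    """Build a small constructed share layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Photos").mkdir()
        (root / "Photos" / "2020.jpg.7z").write_bytes(build_sample_archive("hidden"))
        (root / "Photos" / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
        (root / "backup.7z").write_bytes(build_sample_archive("plain"))
        (root / "tax.7z").write_bytes(build_sample_archive("password"))
        (root / "notes.txt").write_text("unrelated file\n")
        return scan_tree(root)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Run it against a mounted share with `scan_tree("/mnt/share")`. Where the 7z CLI is available, confirm a hit with `7z l -slt archive.7z`, which lists `Encrypted = +` for protected entries (and cannot list names at all when the header itself is encrypted). Finding archives does not recover anything, since the password never touches the NAS, but the inventory tells you which files were hit and whether file names survived in the archive headers.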
In the current campaign against QNAP devices, the attackers appear to be exploiting a now-patched critical vulnerability that allows a remote actor to gain full access to a device and run the ransomware. QNAP confirmed this in a conversation with BleepingComputer, saying it believes Qlocker exploits CVE-2020-36195 to execute the ransomware on vulnerable NAS devices.
The two vulnerabilities QNAP fixed on April 16th are:
- CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
- CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-on
Read more on these flaws in the blog post by the SAM Seamless Network research team, who were the first to find the bugs.
QNAP strongly recommends that its customers update QTS, Multimedia Console, and the Media Streaming Add-on to the latest available versions. Updating will not recover files that have already been archived, but it will protect the device from future attacks exploiting these vulnerabilities.