Massive Qlocker Ransomware Encrypts QNAP Devices

A new massive ransomware campaign against QNAP NAS (network-attached storage) devices is underway in which attackers use Qlocker ransomware. Multiple users reported the loss of files that had been packed in password-protected 7zip archives.

The campaign began on April 19th, 2021, as BleepingComputer reports. Since then, they have seen an enormous number of reports in their support forum thread for Qlocker.

According to reports from victims, the attackers pack a victim’s files stored on QNAP NAS devices into password-protected 7-zip archives. Victims can’t extract these archives, since passwords are known only to the attackers.

Upon encryption, users see a !!!READ_ME.txt ransom note that offers a key that the victims can enter to log into the ransomware’s Tor payment site to discuss the ransom terms with hackers.

As BleepingComputer’s Lawrence Abrams reports, all victims are told to pay 0.01 Bitcoins (around $557) for the password necessary to decrypt their files.

Later, BleepingComputer wrote that there might be a way for victims to recover their files without paying a ransom. Two days later, it seems they are still investigating this incident and haven’t found a solution yet.

In the current campaign against QNAP devices, attackers might be exploiting a now-patched critical vulnerability that allowed a remote actor to gain full access to a device and execute ransomware. QNAP confirmed this in a conversation with BleepingComputer, saying they believe Qlocker exploits the CVE-2020-36195 vulnerability to execute the ransomware on vulnerable NAS devices.

The two vulnerabilities now fixed by QNAP on April 16th are:

Read more on these flaws in a blog post by the SAM Seamless Network research team who were the first to find the bugs.

QNAP strongly recommends that its customers update QTS, Multimedia Console, and the Media Streaming Add-on to the latest available versions. Updating will not recover the lost files but will protect users from future attacks exploiting this vulnerability.


About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.