An ongoing massive ransomware campaign targeting QNAP devices around the world, stores users’ files in password-protected 7zip archives, warns BleepingComputer CEO Lawrence Abrams.

Dubbed Qlocker, the ransomware began targeting QNAP devices on April 19th.

According to Lawrence, attackers use 7-zip to move files on QNAP devices into password-protected archives with the .7z extension. While the files are being locked, the QNAP Resource Monitor will display numerous ‘7z’ processes which are the 7zip command-line executable.

Qlocker victims will need to enter a password known only to the attacker in order to extract these archives.

password-protected-files image heimdal security

Image Source: BleepingComputer

Following the encryption of QNAP devices, users are left with a !!!READ_ME.txt ransom note which includes a unique client key that the victims need to enter to log into the ransomware’s Tor payment site.

ransom-note image heimdal security

Image Source: BleepingComputer

All victims are told to pay 0.01 Bitcoins ($557.74), to get a password for their archived files.

qlocker-payment-page image heimdal security

Image Source: BleepingComputer

Recently QNAP fixed two critical vulnerabilities that could allow a remote actor to gain full access to a device and execute ransomware.

  • CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero – If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.
  • CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On – If exploited, the vulnerability allows remote attackers to obtain application information.

Due to the nature of this attack, you are advised to update QTS, Multimedia Console, and the Media Streaming Add-on to the latest versions.

While this will not recover your files, it will protect you from future attacks using this vulnerability.

Last month, QNAP’s unpatched network-attached-storage (NAS) devices were the most recent targets in attacks aimed at taking them over for use in a cryptocurrency mining campaign. It was discovered that NAS devices have actually been targeted for several months, with warnings of infections regarding QSnatch malware, Muhstik Ransomware infections, the eChOraix Ransomware campaign, and AgeLocker Ransomware attacks going back to August 2019.

NAS Devices Still Targeted by Brute-Force Attacks, QNAP Warns

Unpatched QNAP NAS Devices Targeted by UnityMiner in Cryptocurrency Mining Campaign

Cyber Analysts Find Links Between SunCrypt and QNAPCrypt Ransomware


Which criminals are responsible and how do we get these people to face justice?

Any latest update on rectification

Leave a Reply

Your email address will not be published. Required fields are marked *