Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
If You Own a QNAP NAS That May Have Been Exposed to the Hack, Check It Now and Block All External Access Until You Are Sure the Firmware and Apps Have Been Updated.
An ongoing, massive ransomware campaign targeting QNAP devices around the world is locking users' files inside password-protected 7zip archives, warns BleepingComputer CEO Lawrence Abrams.
Dubbed Qlocker, the ransomware began targeting QNAP devices on April 19th.
According to Abrams, the attackers use 7-Zip to move files on QNAP devices into password-protected archives with the .7z extension. While the files are being locked, the QNAP Resource Monitor shows numerous '7z' processes, which are instances of the 7-Zip command-line executable.
Qlocker victims will need to enter a password known only to the attacker in order to extract these archives.
Image Source: BleepingComputer
Once a device has been encrypted, the victim is left with a ransom note named !!!READ_ME.txt that includes a unique client key, which the victim must enter to log into the ransomware's Tor payment site.
Image Source: BleepingComputer
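The three indicators described above (running 7z processes, freshly created .7z archives, and !!!READ_ME.txt notes) can be checked quickly from an SSH shell on the NAS. The following triage script is an added example written for this page; it is not code from BleepingComputer, QNAP or the Qlocker operators. The share root path, the seven-day window and the sample ps output used in the comments are assumptions, and the ps fallback exists because the BusyBox ps on QTS does not take the same options as GNU ps.

```shell
#!/bin/sh
# Added Qlocker triage helper (example code, not from the article or from QNAP).
# Run over SSH on the NAS, or point it at a mounted share from another host.

# Count 7z processes in ps-style text read from stdin. Matches "7z" as a
# whole word in the command column (bare "7z" or ".../bin/7z"), and drops
# the grep that produced the match. Kept separate from ps so it can be
# exercised on captured output.
count_7z_in_ps_output() {
    grep -E '(^|[[:space:]/])7z([[:space:]]|$)' | grep -v '[g]rep' | wc -l | tr -d ' '
}

# Count live 7z processes. GNU ps needs "ax" to list everything; BusyBox ps
# (QTS) lists everything by default and may reject "ax", hence the fallback.
count_7z_processes() {
    { ps ax 2>/dev/null || ps; } | count_7z_in_ps_output
}

# List .7z archives modified within the last N days (default 7, an assumption)
# under a share root, plus any !!!READ_ME.txt ransom notes, one path per line.
find_qlocker_artifacts() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f \( -name '*.7z' -mtime "-$days" -o -name '!!!READ_ME.txt' \) 2>/dev/null
}

# Human-readable summary for one share root (assumed default: /share).
qlocker_triage() {
    root="${1:-/share}"
    procs=$(count_7z_processes)
    artifacts=$(find_qlocker_artifacts "$root")
    count=$(printf '%s\n' "$artifacts" | grep -c .)
    echo "7z processes running now: $procs"
    echo "recent .7z archives and ransom notes under $root: $count"
    [ "$count" -gt 0 ] && printf '%s\n' "$artifacts"
    if [ "$procs" -gt 0 ]; then
        echo "WARNING: 7z is running; if you did not start it, pull the network cable now."
    fi
}

# Only run the summary when executed directly, not when sourced for testing.
[ "${0##*/}" = "qlocker_triage.sh" ] && qlocker_triage "$@"
```

If 7z is running and you did not launch it, disconnecting the device from the network stops further files from being archived; the archives already written still need the attacker's password, so the script only tells you where you stand, it does not recover anything.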
All victims are told to pay 0.01 bitcoin ($557.74 at the time of writing) to receive the password for their archived files.
Image Source: BleepingComputer
QNAP recently fixed two critical vulnerabilities that could allow a remote attacker to gain full access to a device and deploy ransomware.
- CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero – If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.
- CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On – If exploited, the vulnerability allows remote attackers to obtain application information.
Given the nature of this attack, you are advised to update QTS, Multimedia Console, and the Media Streaming Add-on to the latest versions.
This will not recover files that have already been archived, but it will protect you from future attacks that exploit these vulnerabilities.
Last month, unpatched QNAP network-attached-storage (NAS) devices were the most recent targets of attacks aimed at taking them over for a cryptocurrency mining campaign. NAS devices have in fact been targeted for much longer, with warnings of QSnatch malware infections, Muhstik ransomware infections, the eCh0raix ransomware campaign, and AgeLocker ransomware attacks going back to August 2019.
Which criminals are responsible and how do we get these people to face justice?
Any latest update on rectification?