Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices

If You Own A QNAP NAS That May Have Be Exposed to The Hack, Check It Now and Block All External Access Until You Are Sure the Firmware and Apps Have Been Updated.

LAST UPDATED ON APRIL 22, 2021
QUICK READ
1 min
Let's get started!
CEZARINA
DINU
HEAD OF MARKETING COMMUNICATIONS & PR

An ongoing massive ransomware campaign targeting QNAP devices around the world, stores users’ files in password-protected 7zip archives, warns BleepingComputer CEO Lawrence Abrams.

Dubbed Qlocker, the ransomware began targeting QNAP devices on April 19th.

According to Lawrence, attackers use 7-zip to move files on QNAP devices into password-protected archives with the .7z extension. While the files are being locked, the QNAP Resource Monitor will display numerous ‘7z’ processes which are the 7zip command-line executable.

Qlocker victims will need to enter a password known only to the attacker in order to extract these archives.

password-protected-files image heimdal security

Image Source: BleepingComputer

Following the encryption of QNAP devices, users are left with a !!!READ_ME.txt ransom note which includes a unique client key that the victims need to enter to log into the ransomware’s Tor payment site.

ransom-note image heimdal security

Image Source: BleepingComputer

All victims are told to pay 0.01 Bitcoins ($557.74), to get a password for their archived files.

qlocker-payment-page image heimdal security

Image Source: BleepingComputer

Recently QNAP fixed two critical vulnerabilities that could allow a remote actor to gain full access to a device and execute ransomware.

  • CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero – If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.
  • CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On – If exploited, the vulnerability allows remote attackers to obtain application information.

Due to the nature of this attack, you are advised to update QTS, Multimedia Console, and the Media Streaming Add-on to the latest versions.

While this will not recover your files, it will protect you from future attacks using this vulnerability.

Last month, QNAP’s unpatched network-attached-storage (NAS) devices were the most recent targets in attacks aimed at taking them over for use in a cryptocurrency mining campaign. It was discovered that NAS devices have actually been targeted for several months, with warnings of infections regarding QSnatch malware, Muhstik Ransomware infections, the eChOraix Ransomware campaign, and AgeLocker Ransomware attacks going back to August 2019.

RELATED

NAS Devices Still Targeted by Brute-Force Attacks, QNAP Warns

Unpatched QNAP NAS Devices Targeted by UnityMiner in Cryptocurrency Mining Campaign

Cyber Analysts Find Links Between SunCrypt and QNAPCrypt Ransomware

Comments
Dre on April 23, 2021 at 10:53 pm

Which criminals are responsible and how do we get these people to face justice?

Reply
Mohsan on April 23, 2021 at 8:01 am

Any latest update on rectification

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP