QLocker Ransomware Attacks QNAP NAS Devices & Demands a $550 Ransom Payment
A new ransomware campaign is targeting QNAP NAS devices worldwide, and victims are finding their files locked inside password-protected 7-Zip archives. The threat behind these attacks is called QLocker, and the group running it began hitting QNAP devices in late April 2021. According to victim reports, the attackers use the 7-Zip archiver to move the files on the NAS into password-protected archives rather than encrypting them with custom malware.
Once the attack has run to completion, the files on the QNAP device have been replaced by password-protected 7-Zip archives with the .7z extension. Extracting them requires the password chosen by the attacker. Alongside the archives, victims find a !!!READ_ME.txt ransom note containing a unique client key that must be entered to log into the gang's Tor payment site.
Victims are extorted for 0.01 BTC (roughly $557 at the time) in exchange for the password to their archives. After the victim pays and submits a valid Bitcoin transaction ID, the Tor payment site displays the password needed to open the 7-Zip archives.
For a brief period, security researcher Jack Cable was able to recover passwords for victims free of charge through a bug he discovered in the QLocker Tor payment site. The QLocker operators noticed quickly and fixed the bug. As things stand, there is no way to recover the archived files without the password, and the password can no longer be obtained for free.
According to QNAP, the attackers are exploiting three recently patched vulnerabilities: CVE-2020-2509, a command injection vulnerability in QTS and QuTS hero; CVE-2020-36195, a SQL injection vulnerability in Multimedia Console and the Media Streaming Add-On; and CVE-2021-28799, an improper authorization vulnerability in HBS 3 Hybrid Backup Sync. Devices that have not applied the corresponding updates remain exposed.
The QLocker File Encryption Process
The QLocker operators exploit vulnerabilities in QNAP devices that allow remote command execution on the NAS. Unlike most ransomware gangs, which deploy their own malicious binaries, the QLocker attackers scan for QNAP devices that have not yet been patched against these vulnerabilities and then remotely invoke the 7-Zip archive utility already present on the device to move files into password-protected archives.
Put simply, the QNAP devices are not infected with any unique malware; they are exploited through vulnerabilities in software that already ships with the device's operating system and add-ons. That is why there is no foreign executable to find on an affected NAS, and why the defensive priority is applying QNAP's updates for QTS, Multimedia Console, the Media Streaming Add-On and HBS 3.
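The following shell snippet is an added example, not code from the article, from QNAP or from the QLocker operators. It triages a NAS share for QLocker-style artifacts using only the facts above: a !!!READ_ME.txt note sitting next to .7z archives. It also shows why "living off the land" with 7-Zip cuts both ways for the attacker: if the archiving job is still running, the password may be visible on the 7z command line, because 7-Zip takes its password as a `-p<password>` argument. That the attacker invoked 7z in this plain form is an assumption about the invocation, not something the article states, and the directory layout, process listing and password used below are constructed test data.

```bash
#!/bin/sh
# Added example: triage a QNAP share for QLocker-style activity.
# Assumptions (not from the article): the archiver was run as a plain
# "7z a -p<password> <archive> <files>" command line, which is 7-Zip's
# documented syntax for setting a password. The ransom note name and the
# .7z extension come from the article.

NOTE_NAME='!!!READ_ME.txt'

# Print every directory under $1 that holds the ransom note next to at
# least one .7z archive (one directory per line). A note without archives
# or an archive without a note is not reported.
find_qlocker_dirs() {
    find "$1" -type f -name "$NOTE_NAME" 2>/dev/null | while IFS= read -r note; do
        dir=$(dirname "$note")
        for archive in "$dir"/*.7z; do
            # An unmatched glob stays literal, so confirm the file exists.
            if [ -e "$archive" ]; then
                printf '%s\n' "$dir"
                break
            fi
        done
    done
}

# Count the directories reported by find_qlocker_dirs (whitespace stripped
# so the value is usable in arithmetic tests on any wc implementation).
count_qlocker_dirs() {
    find_qlocker_dirs "$1" | wc -l | tr -d ' '
}

# Given a 7z command line, print the password passed via -p<password>.
# Returns 1 when the command line carries no -p argument (e.g. "7z l ...").
extract_7z_password() {
    for word in $1; do
        case "$word" in
            -p?*) printf '%s\n' "${word#-p}"; return 0 ;;
        esac
    done
    return 1
}

# Read ps-style lines on stdin and print the password of every 7z process
# that carries one. The "*7z*-p*" filter keeps unrelated "-p" flags (such as
# "sshd -p 22") from being misread as an archive password.
# Live usage on the NAS: ps | passwords_from_ps
passwords_from_ps() {
    while IFS= read -r line; do
        case "$line" in
            *7z*-p*) extract_7z_password "$line" || true ;;
        esac
    done
}

# Usage on a live NAS (paths are an assumption about a typical layout):
#   count_qlocker_dirs /share
#   ps | passwords_from_ps
```

If `passwords_from_ps` prints anything, the archiving job is still in flight: capture the password before killing the 7z process, since the archives already written can only be opened with it.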
To find more guides for dealing with ransomware threats visit our dedicated ransomware section.