A large-scale ransomware campaign targeting QNAP devices has been recently reported. Users targeted by the ransomware attacks end up with their files added to 7zip archives that are password-protected so that the user can’t access them. According to the latest information, the campaign is currently underway, so users must be careful not to fall victim to it.
The name of the threat is Qlocker, and it first started spreading to QNAP devices 3 days ago, on the 19th of April. Since then, there has been a massive surge in the ID-Ransomware submissions made by victims of this exact threat.
Reports from users who have fallen victim to this threat state that the malware automatically starts 7z processes (visible in the QNAP device's resource monitor). Once the processes complete, the victim's files have been added to a password-protected 7zip archive and the user is asked to pay a ransom in exchange for the archive password.
Usually, when one archives files using 7zip, the original files remain and the ones present in the archive are copies of them. However, when Qlocker strikes, it makes sure to delete the original files so that only the ones stored in the archives remain.
Once the file-locking process finishes, a text file named !!!READ_ME.txt is created on the QNAP device. This file contains ransom payment instructions as well as a unique key that the victim would need to make the ransom transfer to the attacker.
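For defenders, the behaviour described above (real 7z archives left where the originals used to be, beside a !!!READ_ME.txt note) is enough to write a simple triage scan for a share. The following is an added example, not QNAP's or Qlocker's code; the share layout and file names it builds are constructed, and it checks the 7z signature bytes rather than trusting the file extension:

```python
"""Triage scan for the Qlocker pattern: real 7z archives left where originals used
to be, beside a !!!READ_ME.txt note. Added example; sample share is constructed."""
import os
import tempfile

RANSOM_NOTE = "!!!READ_ME.txt"            # note name reported by victims
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"    # 7z signature header bytes

def is_7z_archive(path):
    """True if the file starts with the 7z signature; extension alone is not enough."""
    try:
        with open(path, "rb") as fh:
            return fh.read(6) == SEVENZIP_MAGIC
    except OSError:
        return False

def scan_share(root):
    """Walk a share and collect indicators. 'suspicious' holds real 7z archives in a
    directory that also has the note or contains nothing but archives, which matches
    the 'originals deleted, only archives remain' behaviour described above."""
    notes, archives, suspicious = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        has_note = RANSOM_NOTE in files
        if has_note:
            notes.append(dirpath)
        dir_archives = [os.path.join(dirpath, f) for f in files
                        if is_7z_archive(os.path.join(dirpath, f))]
        archives.extend(dir_archives)
        others = [f for f in files if f != RANSOM_NOTE
                  and os.path.join(dirpath, f) not in dir_archives]
        if dir_archives and (has_note or not others):
            suspicious.extend(dir_archives)
    return {"notes": notes, "archives": archives, "suspicious": suspicious}

def build_sample_tree():
    """Constructed sample share: one hit directory ('Photos'), one healthy ('Docs')."""
    root = tempfile.mkdtemp(prefix="qlocker_demo_")
    sample = {
        "Photos/holiday.jpg.7z": SEVENZIP_MAGIC + b"\x00" * 26,   # fake archive body
        "Photos/" + RANSOM_NOTE: b"constructed ransom note placeholder\n",
        "Docs/report.docx": b"PK\x03\x04 ordinary document, not an indicator",
        "Docs/backup.7z": b"not really 7z",                       # wrong magic: ignored
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(scan_share(build_sample_tree()))
```

Run it against a share root instead of the sample tree to list directories that carry the note and the archives that replaced their originals; a hit is a reason to isolate the device and preserve the archives, since the ransom note text is what identifies the campaign.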
At the time of writing, there are reports that researchers are working on a possible workaround for the archive locking that may allow users to restore their data. If we learn anything else, we will update this post with more details.
Recently Detected QNAP Vulnerabilities May be the Cause of the Attacks
According to QNAP, the most likely way attackers have managed to compromise the company's devices is by exploiting two recently disclosed vulnerabilities. Both flaws were fixed in an update released on the 16th of April, but it is likely that many devices do not have the update installed yet. The two vulnerabilities in question are:
- CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
- CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On
Because of this, it is highly advisable that users of QNAP devices immediately install the latest security updates for both the device firmware and the applications installed on it. Unfortunately, if you have already fallen victim to the Qlocker ransomware, an update will not free your data, but it will at least prevent future attacks of a similar nature.