
How the QNAP NAS Devices are under Attack from New Qlocker Ransomware

by CISOCONNECT Bureau

In just 5 days, the ransomware gang has made $260,000 from victims by remotely encrypting files. Read on to know more about it…

Since April 19, Qlocker has been running a ransomware campaign against QNAP NAS devices all over the world. The ransomware moves victims' files into password-protected 7-Zip archives. According to BleepingComputer, its Qlocker support topic is seeing a lot of activity from victims, and the ID-Ransomware service has seen a spike in victim submissions.

This isn’t the first time that a cyber gang has attacked QNAP NAS devices. In Germany, the QSnatch malware infected over 7,000 QNAP NAS devices in 2019.

Observations
In this campaign the attackers use 7-Zip to move files on the QNAP device into password-protected archives. While the files are being locked, the QNAP Resource Monitor shows several 7z processes running.

Once the ransomware finishes, the files on the QNAP device have been replaced by password-protected 7-Zip archives with the .7z extension. Victims need the password to open these archives.

Once encryption is complete, victims find a !!!READ ME[.]txt ransom note. The note contains a unique client key that must be entered on the ransomware's Tor payment site.

According to the Qlocker ransom notes, every victim must pay 0.01 Bitcoin, i.e. around $557.74, to receive the password for their archived files.
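The traces described above (7z processes in Resource Monitor, files rewritten as .7z archives, a ransom note dropped per folder) can be checked for with a small script. The following is an added example, not code from the article or from QNAP; it assumes a "ps -eo pid,args"-style process listing, a note name matching the article's "!!!READ ME[.]txt" (space or underscore), and an alert threshold of half the files archived. All sample data is constructed.

```python
import os
import re
import tempfile

# Ransom note pattern; assumed from the article's "!!!READ ME[.]txt" (space or underscore tolerated)
NOTE_RE = re.compile(r"^!!!READ[ _]?ME\.txt$", re.IGNORECASE)
ARCHIVE_RATIO_ALERT = 0.5  # assumed threshold: half or more of a share's files turned into .7z

def find_7z_processes(ps_output):
    """Return (pid, command) for every 7z/7za/7zr process in `ps -eo pid,args` output."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # first line is the header row
        pid, _, cmd = line.strip().partition(" ")
        parts = cmd.split()
        if parts and os.path.basename(parts[0]) in ("7z", "7za", "7zr"):
            hits.append((int(pid), cmd.strip()))
    return hits

def scan_share(root):
    """Walk a share: count .7z archives and ransom notes, flag if either indicator trips."""
    total = archives = notes = 0
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            archives += int(name.lower().endswith(".7z"))
            notes += int(bool(NOTE_RE.match(name)))
    ratio = archives / total if total else 0.0
    return {"files": total, "archives": archives, "notes": notes,
            "archive_ratio": round(ratio, 2),
            "suspicious": notes > 0 or ratio >= ARCHIVE_RATIO_ALERT}

def build_sample_share():
    """Create a throwaway tree mimicking a post-Qlocker share (constructed sample, not victim data)."""
    root = tempfile.mkdtemp(prefix="qnap_share_")
    layout = {"Photos": ["IMG_001.jpg.7z", "IMG_002.jpg.7z", "!!!READ_ME.txt"],
              "Docs": ["report.docx.7z", "todo.txt", "!!!READ_ME.txt"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root

# Constructed process listing in `ps -eo pid,args` form; the 7z line is what Resource Monitor would show
SAMPLE_PS = """  PID COMMAND
    1 /sbin/init
 4021 /usr/local/sbin/7z a /share/Photos/IMG_001.jpg.7z /share/Photos/IMG_001.jpg
 4040 /usr/bin/python3 /opt/agent.py
"""
```

Run find_7z_processes(SAMPLE_PS) and scan_share(build_sample_share()) to see one 7z process reported and the sample share flagged (6 files, 3 archives, 2 notes).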

Security Vulnerabilities
According to QNAP, the Qlocker operators are exploiting CVE-2020-36195 to run their ransomware. The company patched two vulnerabilities on April 16, with the following details:
CVE-2020-2509: a command injection vulnerability in QTS and QuTS hero.
CVE-2020-36195: a SQL injection vulnerability in the Multimedia Console and the Media Streaming Add-On.

Initially, QNAP believed that the Qlocker operation exploited CVE-2020-36195 (the SQL injection flaw) to gain access to Internet-connected NAS devices and encrypt users' data, but it was later found that CVE-2021-28799 (the improper authorization vulnerability, i.e. a backdoor account) was used instead.

In any case, the attackers have likely gained access to thousands of devices belonging to both individual customers and Small-to-Medium-sized Businesses (SMBs) and encrypted the data stored on them. According to Abrams, over 500 victims have paid the ransom.

Thanks to a flaw in 7-Zip, security researcher Jack Cable was able to help about 50 victims recover their files without the password. That window of opportunity, however, did not last long.

Mitigation
Qlocker takes advantage of a vulnerability that had already been patched, which suggests that many organisations running QNAP devices had not updated their firmware. It is critical to apply updates to network devices as soon as they are released.

Users who are not infected should download the latest Malware Remover version and run a malware scan as a precaution. Since NAS users are frequently targeted by threat actors, they should heed QNAP's advice and follow security best practices.

For the NAS management interface, QNAP recommends using strong passwords and changing the default port 8080.

QNAP also advises updating the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps to their latest versions.
