New Qlocker ransomware infected hundreds of QNAP NAS devices in a few days

A new ransomware strain dubbed Qlocker is infecting hundreds of QNAP NAS devices every day and demanding a $550 ransom payment.

Experts are warning of a new strain of ransomware named Qlocker that is infecting hundreds of QNAP NAS devices on a daily basis. The malware moves all files stored on the device to password-protected 7zip archives and demands the payment of a $550 ransom.
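A quick triage for the behaviour described above, as an added example that is not part of the original article or of QNAP's tooling: it walks a share and flags directories where most files start with the 7z signature. The thresholds and the constructed demo tree are assumptions, and the check does not verify that an archive is password-protected.

```python
import os
import tempfile

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z container signature (first 6 bytes)

def is_7z(path):
    """True if the file starts with the 7z signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SEVENZIP_MAGIC)) == SEVENZIP_MAGIC
    except OSError:
        return False  # unreadable file: do not count it as an archive

def triage(root, threshold=0.8, min_files=5):
    """Return [(directory, n_7z, n_total)] for directories dominated by 7z files.

    threshold and min_files are assumed defaults; tune them to the share.
    """
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        total = len(files)
        if total < min_files:
            continue  # too few files to say anything about this directory
        hits = sum(is_7z(os.path.join(dirpath, f)) for f in files)
        if hits / total >= threshold:
            flagged.append((dirpath, hits, total))
    return sorted(flagged)

def demo():
    """Build a constructed sample tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as root:
        # directory name -> (files with 7z signature, plain files); constructed data
        layout = {"photos": (6, 0), "docs": (1, 5), "backup": (5, 1)}
        for name, (n_arch, n_plain) in layout.items():
            d = os.path.join(root, name)
            os.mkdir(d)
            for i in range(n_arch):
                with open(os.path.join(d, f"file{i}.jpg.7z"), "wb") as fh:
                    fh.write(SEVENZIP_MAGIC + b"\x00\x04constructed")
            for i in range(n_plain):
                with open(os.path.join(d, f"note{i}.txt"), "wb") as fh:
                    fh.write(b"plain text, constructed sample\n")
        return [(os.path.relpath(d, root), h, t) for d, h, t in triage(root)]

if __name__ == "__main__":
    for directory, hits, total in demo():
        print(f"{directory}: {hits}/{total} files are 7z archives")
```

Run `triage()` against a mounted share path; a directory of legitimate 7z backups will also be flagged, so compare the result with what is expected to live there.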

The Taiwanese vendor published a security advisory to warn its customers of the ongoing attacks and is urging them to install the latest Malware Remover version and scan their devices for indicators of compromise.

“QNAP® Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users’ data for ransom. QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS.” read the advisory published by the vendor. “The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.”

The vendor has updated the Malware Remover tool for QTS and QuTS platforms in response to the last wave of attacks.

Unaffected users should install the latest Malware Remover version and run a malware scan as a precautionary measure. The vendor recommends using strong passwords and changing the default network port 8080 used to access the NAS operating interface.

The company also recommends updating the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps to the latest versions.

Recently QNAP addressed a critical authentication bypass issue, tracked as CVE-2021-28799, in its Hybrid Backup Sync.

Last week, QNAP addressed a SQL Injection flaw in Multimedia Console and the Media Streaming Add-On tracked as CVE-2020-36195.

The attacks were first spotted this week, on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of the ransomware identification service ID-Ransomware.

If you are using a QNAP NAS device, update the above apps and the device firmware as soon as possible.

A Stanford student, Jack Cable, found a glitch in the ransomware payment system that allowed at least 50 victims to avoid paying the ransom.

Unfortunately, the Qlocker operators immediately fixed their code after the issue was disclosed.

Experts pointed out that at the time of this writing, there is no way of recovering the data that were stored by Qlocker in the 7zip archive without paying the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)
