Qlocker ransomware leverages HBS flaw to infect QNAP NAS devices

QNAP warns customers of updating the HBS 3 disaster recovery app to prevent Qlocker ransomware attack.

Taiwanese vendor QNAP is warning its customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

At the end of April, experts warned of a new strain of ransomware named Qlocker that was infecting hundreds of QNAP NAS devices on daily bases.

The threat actors behind the attacks are exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device

“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.

The attacks were first spotted on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware.

Once the ransomware has infected a device, it moves all the files on the NAS into password-protected 7z archives and demands the payment of a $550 ransom. Then it also deletes snapshots to prevent restoring of data from the backups and drops a ransom note (named !!!READ_ME.txt) in each affected folder.

The vendor has addressed the flaw with the release of the following versions of HBS 3:

• QTS 4.5.2: HBS 3 v16.0.0415 and later
• QTS 4.3.6: HBS 3 v3.0.210412 and later
• QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
• QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
• QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

NAS devices running HBS 2 and HBS 1.3 are not affected by the issue.

At the time of this writing, the Qlocker Tor sites are down and the ransomware gang seems to have shut down its operations.

Last week, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

Early this month, the Taiwanese vendor warned its customers of AgeLocker ransomware attacks on their NAS devices

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QLocker ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]