Cyber Crime

A new wave of Qlocker ransomware attacks targets QNAP NAS devices

QNAP NAS devices are under attack, experts warn of a new Qlocker ransomware campaign that hit devices worldwide.

A new wave of Qlocker ransomware it targeting QNAP NAS devices worldwide, the new campaign started on January 6 and it drops ransom notes named !!!READ_ME.txt on infected devices.

In May, the Taiwanese vendor QNAP warned its customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

At the end of April, experts warned of a new strain of ransomware named Qlocker that was infecting hundreds of QNAP NAS devices on daily bases. The threat actors behind the attacks were exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device

“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.

The attacks were first spotted on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware.

Once the ransomware has infected a device, it moves all the files on the NAS into password-protected 7z archives and demands the payment of a $550 ransom. Then it also deletes snapshots to prevent restoring of data from the backups and drops a ransom note (named !!!READ_ME.txt) in each affected folder.

The ransom note contains the instructions to get in touch with ransomware operators through their Tor site.

According to BleepingComputer, ransomware operators are demanding the payment of ransoms ranging between 0.02 and 0.03 bitcoins. BleepingComputer also reported that dozens of ransom notes and encrypted files have been submitted to the ID-Ransomware service by affected QNAP users.

“It seems like a new version of the QLocker ransomware appeared on 06/1/2022. Let’s call it QLocker2 and refer to the old one as QLocker1. We are not sure yet, what differs from the original version, but it seems like users cannot connect to the NAS after the infection. Up to date apps and firmware seem not to help either.” reads the support topic available on BleepingComputer forum.

“It could also be that the QLocker1 ransomware is just being used again, and no new version exist. We will see if thats the case. It is also unclear if previous recovery methods still work, but here are useful links about the old version.”

In December 2021, another wave of ech0raix ransomware attacks started targeting QNAP network-attached storage (NAS) devices. The eCh0raix ransomware has been active since at least 2019, when eExperts from security firms Intezer and Anomali separately discovered sample of the ransomware targeting Network Attached Storage (NAS) devices.

NAS servers are a privileged target for hackers because they normally store large amounts of data.The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP, threat actors exploited known vulnerabilities or carried out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

29 seconds ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

12 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

16 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

21 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.