A new wave of Qlocker ransomware attacks targets QNAP NAS devices

QNAP NAS devices are under attack, experts warn of a new Qlocker ransomware campaign that hit devices worldwide.

A new wave of Qlocker ransomware it targeting QNAP NAS devices worldwide, the new campaign started on January 6 and it drops ransom notes named !!!READ_ME.txt on infected devices.

In May, the Taiwanese vendor QNAP warned its customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

At the end of April, experts warned of a new strain of ransomware named Qlocker that was infecting hundreds of QNAP NAS devices on daily bases. The threat actors behind the attacks were exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device

“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.

The attacks were first spotted on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware.

Once the ransomware has infected a device, it moves all the files on the NAS into password-protected 7z archives and demands the payment of a $550 ransom. Then it also deletes snapshots to prevent restoring of data from the backups and drops a ransom note (named !!!READ_ME.txt) in each affected folder.

The ransom note contains the instructions to get in touch with ransomware operators through their Tor site.

According to BleepingComputer, ransomware operators are demanding the payment of ransoms ranging between 0.02 and 0.03 bitcoins. BleepingComputer also reported that dozens of ransom notes and encrypted files have been submitted to the ID-Ransomware service by affected QNAP users.

“It seems like a new version of the QLocker ransomware appeared on 06/1/2022. Let’s call it QLocker2 and refer to the old one as QLocker1. We are not sure yet, what differs from the original version, but it seems like users cannot connect to the NAS after the infection. Up to date apps and firmware seem not to help either.” reads the support topic available on BleepingComputer forum.

“It could also be that the QLocker1 ransomware is just being used again, and no new version exist. We will see if thats the case. It is also unclear if previous recovery methods still work, but here are useful links about the old version.”

In December 2021, another wave of ech0raix ransomware attacks started targeting QNAP network-attached storage (NAS) devices. The eCh0raix ransomware has been active since at least 2019, when eExperts from security firms Intezer and Anomali separately discovered sample of the ransomware targeting Network Attached Storage (NAS) devices.

NAS servers are a privileged target for hackers because they normally store large amounts of data.The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP, threat actors exploited known vulnerabilities or carried out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]