Ransomware Strain Qlocker

A new ransomware strain called Qlocker is infecting hundreds of QNAP NAS devices every day and demanding a $550 ransom payment.

The first reports of the infections emerged on April 20, with the adversaries behind the operations demanding a bitcoin payment (0.01 bitcoins or about $500.57) in exchange for the decryption key.

QNAP Systems, Inc. (QNAP), a leading computing, networking, and storage solution innovator, issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users’ data for ransom.

The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.

Patches Available

Patches for the three apps were released by QNAP over the last week.

CVE-2020-36195 concerns an SQL injection vulnerability in QNAP NAS running Multimedia Console or Media Streaming Add-on, successful exploitation of which could result in information disclosure. 

On the other hand, CVE-2021-28799 relates to an improper authorization vulnerability affecting QNAP NAS running HBS 3 Hybrid Backup Sync that could be exploited by an attacker to log in to a device.

Experts say Qlocker is not the only strain being used to encrypt NAS devices: threat actors are also deploying another ransomware named “eCh0raix” to lock sensitive data.

Since its debut in July 2019, the eCh0raix gang has been known for going after QNAP storage appliances by leveraging known vulnerabilities or carrying out brute-force attacks.

Experts pointed out that, at the time of this writing, there is no way of recovering the data that Qlocker stored in the 7zip archive without paying the ransom.

QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. 

The vendor has updated the Malware Remover tool for QTS and QuTS platforms in response to the last wave of attacks.

Experts suggested that unaffected users should also install the latest Malware Remover version and run a malware scan as a precautionary measure.

It is also recommended to use strong passwords and to modify the default network port 8080 for accessing the NAS operating interface. Update the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps to the latest versions.

“The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security,” the company mentions.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.