
Massive QLocker ransomware attack uses 7zip to encrypt QNAP devices



A large ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. Since then, there has been an enormous amount of activity in our support forum, and ID-Ransomware has seen a surge of submissions from victims.

ID-R submissions from Qlocker victims

According to reports from victims in a BleepingComputer Qlocker support topic, the attackers use 7-zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor will display numerous ‘7z’ processes, which are the 7zip command-line executable.

7zip seen running in the QNAP Resource Monitor

When the ransomware has finished, the QNAP device’s files will be stored in password-protected 7-zip archives ending with the .7z extension. To extract these archives, victims will need to enter a password known only to the attacker.

Password-protected 7zip archive

After QNAP devices are encrypted, users are left with a !!!READ_ME.txt ransom note that includes a unique client key that the victims need to enter to log into the ransomware’s Tor payment site.

Qlocker ransom note

From the Qlocker ransom notes seen by BleepingComputer, all victims are told to pay 0.01 Bitcoins, which is roughly $557.74, to get a password for their archived files.

Qlocker Tor payment site

While the ‘7z’ process is active on a device, it may be possible to recover the password by connecting to the device using SSH or Telnet.

Once you log in to the console, you can run the ps -ef command to see the command line arguments for the 7z program, including the password used to archive your files. If you can access the command line for 7z, please contact us so we can help you extract the password.

BleepingComputer has not tested this method and would love to hear anyone’s feedback regarding whether or not this technique works.
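The following shell script is an added example, not code from the article or from QNAP, showing how a defender could automate the check described above: scan a ps -ef listing for running 7z archiver processes and pull any password passed on the command line. It assumes that the archiver is invoked as 7z or 7za with 7-Zip's -p&lt;password&gt; switch (no space between -p and the value) and that ps -ef prints the PID in the second column followed by the full command line; the ps listing embedded in the script is constructed for offline testing, not captured from a real device.

```shell
#!/bin/sh
# Added example (not from the BleepingComputer article or QNAP). Parses a
# "ps -ef" listing, counts 7z archiver processes and recovers any password
# given with 7-Zip's -p<password> switch. Assumptions: 7z/7za is the archiver
# name, -p is followed directly by the password, and PID is the second column.

# Return true if a ps line belongs to a 7z or 7za process (ignores "grep 7z").
is_7z_process() {
  case "$1" in
    *' 7z '*|*'/7z '*|*' 7za '*|*'/7za '*) return 0 ;;
    *) return 1 ;;
  esac
}

# Count 7z archiver processes in a ps -ef listing read from stdin. The article
# notes that Resource Monitor shows numerous 7z processes while files are locked.
count_7z_processes() {
  n=0
  while IFS= read -r line; do
    is_7z_process "$line" && n=$((n + 1))
  done
  echo "$n"
}

# Extract the value of the last -p<password> switch from one command line.
# Prints nothing if there is no -p switch or it has an empty value.
password_from_cmdline() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-p\([^[:space:]]*\).*/\1/p'
}

# Scan a ps -ef listing on stdin and print "<pid> <password>" for every 7z
# process carrying a -p switch. Returns 0 if at least one was found, else 1.
recover_7z_passwords() {
  found=1
  while IFS= read -r line; do
    is_7z_process "$line" || continue
    pid=$(printf '%s\n' "$line" | awk '{print $2}')
    pw=$(password_from_cmdline "$line")
    [ -n "$pw" ] || continue
    printf '%s %s\n' "$pid" "$pw"
    found=0
  done
  return $found
}

# Constructed sample listing for offline testing (not real captured output).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
admin     1200     1  0 10:01 ?        00:00:00 /sbin/init
admin     4321  1200  5 10:05 ?        00:00:12 /usr/local/sbin/7z a -mx=0 -pExampleSecret -mhe=on /share/Multimedia/photos.7z /share/Multimedia/photos
admin     4330  1200  0 10:05 pts/0    00:00:00 grep 7z'

# Demonstration on the constructed sample; on a live device the equivalent is:
#   ps -ef | recover_7z_passwords
printf '%s\n' "$SAMPLE_PS" | recover_7z_passwords
```

On the constructed sample the script prints the PID and password of the single archiver process; the trailing grep line is ignored because the process name is matched as a whole word inside the command column. The -mhe=on switch, which also encrypts archive headers, does not match the -p pattern, so only the password value is returned.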

QNAP believes they’re using a recent vulnerability

Recently, QNAP resolved critical vulnerabilities that could allow a remote actor to gain full access to a device and execute ransomware.

QNAP fixed these two vulnerabilities on April 16th with the following descriptions:

QNAP told BleepingComputer that they believe Qlocker exploits the CVE-2020-36195 vulnerability to execute the ransomware on vulnerable devices.

Because of this, it is strongly recommended to update QTS, Multimedia Console, and the Media Streaming Add-on to the latest versions.

While this won’t recover your files, it will protect you from future attacks using this vulnerability.

Qlocker IOCs:

Associated Files:


Ransom note text:

!!! All your files have been encrypted !!!
All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.
To purchase your key and decrypt your files, please follow these steps:
1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".
2. Visit the following pages with the Tor Browser:
3. Enter your Client Key:
