
QNAP and Ransomware


QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.

A massive Qlocker ransomware campaign started breaching QNAP NAS devices during the week of April 19, replacing victims’ files with password-protected 7-zip archives.

While the attack vector was not known at the time, QNAP has now confirmed that the attackers abused a hard-coded credentials vulnerability. This security flaw acts as a backdoor account, allowing attackers to access devices running out-of-date HBS 3 (Hybrid Backup Sync) versions.

Unfortunately for QNAP customers targeted in the Qlocker ransomware campaign, this warning comes too late since the threat actors behind these attacks have already stopped the onslaught.

However, this happened only after extorting hundreds of QNAP users and robbing them of $350,000 within a single month after forcing them to pay ransoms of 0.01 bitcoins (worth roughly $500 at the time) to obtain the password for their files.

Sadly, all of the Qlocker Tor sites are no longer accessible, and victims who had their NAS files encrypted in password-protected archives no longer have a way to pay the ransom. It is not known why these sites shut down, but speculation points to law enforcement investigations related to the oil pipeline attack a few months ago. Recent information points to ransomware groups restricting their targets because of the investigations surrounding the pipeline attack, as well as the recent attack on the healthcare system in Ireland.

While Qlocker ransomware might have shut down, this is not the only ransomware currently targeting QNAP NAS devices. During the last few weeks, QNAP customers were also urged to secure their devices against new Agelocker and eCh0raix ransomware campaigns.

Frankenstein Computers can occasionally locate decryptors for older ransomware, but attackers often use newer versions that limit access and recovery. We will gladly attempt to locate a decryptor for you, and we will attempt everything in our knowledge to assist in any way we can. Best practice is to have multiple backups, including one that is offsite. Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, IT Service, Mac repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.

A portion of this article was originally published on BleepingComputer.com