Qlocker ransomware attack leverages 7zip to plague users of QNAP devices

A major ransomware attack targeting users of QNAP devices has been underway this week. The attack takes user files and stores them in password-protected 7zip archives, then demands money to return the files. The ransomware behind the attacks is Qlocker, and it began targeting QNAP devices on April 19. Researchers have found that while the files are being locked, QNAP's integrated Resource Monitor displays numerous 7z processes. Once the ransomware has finished, the files are stored in password-protected archives with a .7z extension. Devices impacted by the attack are left with a text ransom note, including a unique client key the victim needs to enter into the Tor payment site used by the ransomware.
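The burst of 7z processes described above can also be looked for in a process listing rather than by eye in Resource Monitor. The following detector is an added example, not code from QNAP or from the researchers mentioned; the process snapshot is constructed, and the binary names, paths, threshold and function names are assumptions.

```python
import shlex

# Constructed `ps -eo pid,args` snapshot (not captured from a real device).
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 2200 /usr/local/sbin/7z x /share/Backup/site.7z -o/share/Restore
 2317 /usr/local/sbin/7z a /share/Backup/logs.7z /var/log
 4101 /usr/local/sbin/7z a -pCONSTRUCTED /share/Photos/a.jpg.7z /share/Photos/a.jpg
 4102 /usr/local/sbin/7z a -pCONSTRUCTED /share/Photos/b.jpg.7z /share/Photos/b.jpg
 4103 /usr/local/sbin/7z a -pCONSTRUCTED /share/Docs/tax.pdf.7z /share/Docs/tax.pdf
 4104 /usr/local/sbin/7z a -pCONSTRUCTED /share/Docs/cv.doc.7z /share/Docs/cv.doc
"""

SEVENZIP_NAMES = {"7z", "7za", "7zz"}  # assumed names of the 7-Zip CLI binary
BURST_THRESHOLD = 3                    # assumed cut-off; tune per device


def parse_ps(text):
    """Yield (pid, argv) for each process line, skipping the header."""
    for line in text.splitlines():
        pid, _, args = line.strip().partition(" ")
        if not pid.isdigit() or not args.strip():
            continue
        try:
            argv = shlex.split(args)
        except ValueError:  # unbalanced quotes in a command line
            argv = args.split()
        yield int(pid), argv


def is_password_archive_job(argv):
    """True for a 7-Zip 'a' (add to archive) command that sets a password (-p)."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in SEVENZIP_NAMES:
        return False
    positional = [a for a in argv[1:] if not a.startswith("-")]
    has_password = any(a.startswith("-p") for a in argv[1:])
    return bool(positional) and positional[0] == "a" and has_password


def detect_burst(ps_text, threshold=BURST_THRESHOLD):
    """Flag a snapshot holding many password-protected archive jobs at once."""
    pids = [pid for pid, argv in parse_ps(ps_text) if is_password_archive_job(argv)]
    return {"pids": pids, "alert": len(pids) >= threshold}


if __name__ == "__main__":
    print(detect_burst(SAMPLE_PS))
```

Extraction jobs and unencrypted backup jobs in the snapshot are ignored, so a scheduled 7z backup alone does not raise the alert.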

The amount the attackers demanded to release the files was 0.01 Bitcoins, worth about $557. The good news is that a bug was discovered shortly after the attack began propagating that allowed victims to recover their 7zip password. However, the attackers quickly patched the flaw. QNAP has now reportedly removed the backdoor account in its NAS backup and disaster recovery app that allowed the attack to take place.

QNAP says that the security flaw is fixed in multiple versions of its software. Users are being urged to upgrade their software to eliminate the possibility of being impacted by the attack. QNAP is tracking the issue as CVE-2021-28799, and release notes show the flaw was fixed on April 16.

A company spokesperson said the disclosure delay was due to additional time needed to release patches for QuTS hero and QuTScloud versions. QNAP has said that it believes the Qlocker attack is exploiting a SQL injection vulnerability listed in CVE-2020-36195. It's unclear at this time how many users of QNAP have been impacted by the ransomware attack.