Qlocker ransomware gang is using 7zip utility to lock files on QNAP devices

The gang has generated $260,000 in just 5 days from victims

A ransomware group has been targeting QNAP NAS users all over the world in an ongoing attack that has earned the group about $260,000 in roughly five days by remotely locking files on target devices with the 7zip archive utility.

According to Bleeping Computer, the Qlocker ransomware operation is exploiting recently disclosed vulnerabilities in QNAP software to compromise the devices and remotely run the 7zip utility, which password-protects all files on the victims' NAS storage.

While the files are being locked, QNAP's built-in Resource Monitor shows multiple 7z processes running, Bleeping Computer reported. Once the operation completes, the files are left inside password-protected archives with a .7z extension.
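As an added illustration (not code from the article, from Bleeping Computer or from QNAP), the following shell script automates the two observations above: counting running 7z archiver processes and counting freshly written .7z archives under a share. It assumes the busybox-style `ps` column layout (PID USER VSZ STAT COMMAND) found on QNAP firmware; the sample `ps` listing, the paths, the PIDs and the password SECRETPASS are constructed for the demonstration. The password check relies on 7z's `-pPASSWORD` switch placing the password in the process arguments; that a live Qlocker run passes it this way is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article or from QNAP): triage checks for the
# 7z-based locking described above, written for the busybox-style shell on a
# QNAP NAS but runnable on any POSIX system.

# Constructed sample of a `ps` listing (PID USER VSZ STAT COMMAND), standing
# in for the live output of `ps` on a device under attack. Paths, PIDs and
# the password are made up.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
  512 admin     1234 S    /sbin/daemon_mgr
 2201 admin     9876 R    7z a -mx=0 -pSECRETPASS /share/CACHEDEV1_DATA/Public/photos.7z /share/CACHEDEV1_DATA/Public/photos
 2205 admin     9880 R    7z a -mx=0 -pSECRETPASS /share/CACHEDEV1_DATA/Public/docs.7z /share/CACHEDEV1_DATA/Public/docs
 3010 admin     2000 S    sshd: admin@pts/0'

# Count archiver processes (7z, 7za, 7zr) in a ps listing. The COMMAND
# column is field 5 in the busybox layout assumed here; on a GNU ps with a
# different default layout, adjust the field index.
count_7z_procs() {
    printf '%s\n' "$1" | awk '$5 ~ /(^|\/)7z(a|r)?$/ { n++ } END { print n + 0 }'
}

# Pull the password out of any 7z command line that passes it with the
# -p switch. 7z takes the password as -pPASSWORD, so it is visible in the
# process list for as long as the archiver runs. Whether a given Qlocker
# run does this is an assumption, but it costs nothing to look before
# anything is killed.
extract_7z_passwords() {
    printf '%s\n' "$1" | awk '$5 ~ /(^|\/)7z(a|r)?$/ {
        for (i = 6; i <= NF; i++) if ($i ~ /^-p./) print substr($i, 3)
    }' | sort -u
}

# Count .7z archives under a directory modified in the last N minutes,
# the on-disk trace the article describes once locking has finished.
count_recent_archives() {
    find "$1" -type f -name '*.7z' -mmin "-$2" 2>/dev/null | awk 'END { print NR }'
}

# Report only; do not kill the processes until any password has been saved.
triage() {
    share=${1:-/share}
    ps_out=$(ps 2>/dev/null)
    n=$(count_7z_procs "$ps_out")
    echo "7z processes running: $n"
    if [ "$n" -gt 0 ]; then
        echo "passwords seen on 7z command lines:"
        extract_7z_passwords "$ps_out"
    fi
    echo "recent .7z archives under $share: $(count_recent_archives "$share" 60)"
}

# Run the parsers against the constructed sample so the output can be seen
# without a NAS at hand.
echo "sample: $(count_7z_procs "$SAMPLE_PS") 7z processes, password: $(extract_7z_passwords "$SAMPLE_PS")"
```

Copy the script to the NAS and run `triage /share` over SSH. It deliberately reports rather than kills: terminating a 7z process before its command line has been recorded throws away the one chance of recovering the password without paying.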

The approach has enabled the operators to lock files on more than a thousand devices since 19 April. Affected devices receive a text ransom note telling users that they must pay 0.01 bitcoin (approximately $555) to get their files back. The note also contains a unique client key that the victim has to enter on the payment site run by the group.

Bleeping Computer said it has details of 20 bitcoin addresses used by the Qlocker operators; together these have received ransom payments totalling 5.25735623 bitcoin (about $258,494). The campaign is ongoing, and new victims are appearing every day.

In a statement on its website, QNAP said that the security vulnerabilities being exploited have been fixed in the Multimedia Console, Hybrid Backup Sync and Media Streaming Add-on apps, and that users must update to the latest versions to protect their devices against these ransomware attacks.

"For unaffected users, it's recommended to immediately install the latest Malware Remover version and run a malware scan as a precautionary measure," the company said.

"All users should update their passwords to stronger ones, and the Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync apps need to be updated to the latest available version. Additionally, users are advised to modify the default network port 8080 for accessing the NAS operating interface."

On Tuesday, Stanford student and security researcher Jack Cable found a short-lived bug in the ransomware's payment system that allowed him to recover the passwords for 55 victims, saving them about $27,000 in potential losses.

Cable said that after investigating the attack, he was able to unlock password-protected files by changing one letter from lowercase to uppercase in the "transaction ID" that hackers used to track payments.

The payment system mistook the altered ID for one belonging to a victim who had already paid and handed over that victim's password.

Cable is now asking the victims to contact him so he can help recover their data.

This is not the first time QNAP NAS devices have been targeted by a cyber gang. In 2019, more than 7,000 QNAP NAS devices in Germany were infected with the QSnatch malware. At the time, researchers at Finland's National Cyber Security Centre (NCSC-FI) spotted a large number of devices trying to communicate with specific command-and-control (C&C) servers; NCSC-FI's Autoreporter service automatically generated warning reports and sent them to administrators to alert them to security incidents on their networks.