All About Qlocker Ransomware

Updated on Apr 05, 2022

We urge organizations to patch the vulnerability immediately to avoid more devices being targeted by QLocker and other ransomware gangs. 

 

The Qlocker ransomware exploited an unpatched vulnerability to launch its attacks.

Researchers at Cyber Security Works (CSW) have been tracking Qlocker, a recently discovered ransomware family. This new strain began surfacing across QNAP devices in April 2021 and exploited CVE-2021-28799. 

Attackers used the 7-zip utility to lock the user's files away and demanded a ransom in return for the decryptor.

{Updated on April 05, 2022}: Almost 10 months after being called out by CSW, CISA has added CVE-2021-28799 to its Known Exploited Vulnerabilities list and warned organizations to patch the vulnerability by April 21, 2022.

{Updated on January 24, 2022}: On January 6, QNAP Network Attached Storage (NAS) devices worldwide began to be targeted once again by the threat actors behind the QLocker ransomware. The attackers exploited a hard-coded credentials vulnerability in the HBS 3 Hybrid Backup Sync application to gain access to users' devices and encrypt their files. In this latest campaign, the ransomware gang also dropped ransom notes onto the compromised devices.

What is Qlocker?

Qlocker is ransomware that breaks into users' storage devices and acts as a file locker, shutting users out of their files until a password is provided. It exclusively targets QNAP devices, which are network-attached storage (NAS) systems. It locks the user's files in password-protected 7-zip archives. Once the files are locked, victims are left with .7z archives, a ReadMe file containing the ransom note, and an access key for the ransomware payment site. According to the ransom notes, the attackers reportedly demanded a payment of 0.01 Bitcoin, amounting to around $550 per user, to divulge the password that unlocks the files.

 

Because Qlocker appears to target older, vulnerable versions of QNAP software, all users have been urged to update immediately. The first attack was reported on April 19, 2021, and the number of exploits has been rising since then. Qlocker's targets are regular consumers and small-to-medium businesses using QNAP for network storage. According to reports, the attackers have already collected 8.93 Bitcoins, approximately $350,000 in ransom, from over 800 victims, based on the twenty-two Bitcoin addresses used by the group.

How does Qlocker attack?

Qlocker exploits a vulnerability in the device's own software; no separate malware is involved in the attack.

Qlocker ransomware Attack Methodology

  1. Attackers scan for QNAP devices exposed to the internet.
  2. Existing vulnerabilities in QNAP are exploited to gain access to the stored files.
  3. The 7-zip archival utility is run with encryption enabled to lock all the files on the device behind a secret password.
  4. A ReadMe file is added to the affected folders with details of how to transfer the ransom money to the attackers.

Readme.txt

Image source: https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

  5. Victims are then required to open the Tor Browser, enter a specified client ID, and pay the ransom in Bitcoin as instructed. Once the payment goes through, a secret password appears on the screen, which can then unlock the files. However, each file has to be unlocked individually, as the files and folders are locked as separate units rather than compressed into a single archive.

Image source: https://www.bleepingcomputer.com/news/security/a-ransomware-gang-made-260-000-in-5-days-using-the-7zip-utility/
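As an added defensive example (not code from CSW or the source articles), a triage scan that flags folders showing the artifacts described in steps 3 and 4 above: files turned into .7z archives with a ReadMe note dropped beside them. The thresholds and the sample directory tree are constructed assumptions, not Qlocker constants.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

def folder_indicators(folder: Path) -> Tuple[int, int, bool]:
    """Count files in one folder (non-recursive): (total, .7z archives, ReadMe note present)."""
    total = archives = 0
    readme = False
    for entry in folder.iterdir():
        if not entry.is_file():
            continue
        total += 1
        if entry.suffix.lower() == ".7z":
            archives += 1
        elif entry.stem.lower().startswith("readme"):  # matches the Readme.txt shown above
            readme = True
    return total, archives, readme

def find_suspect_folders(root: str, min_archives: int = 3, min_ratio: float = 0.8) -> List[str]:
    """List folders where a ReadMe note sits beside (almost) only .7z archives; thresholds are assumed triage values."""
    suspects = []
    for dirpath, _dirs, _files in os.walk(root):
        total, archives, readme = folder_indicators(Path(dirpath))
        others = max(total - 1, 1)  # exclude the note itself from the ratio
        if readme and archives >= min_archives and archives / others >= min_ratio:
            suspects.append(dirpath)
    return sorted(suspects)

def build_sample_tree(base: Path) -> None:
    """Constructed sample data: 'photos' shows the post-attack pattern, 'docs' is untouched."""
    locked = base / "photos"
    locked.mkdir()
    for i in range(5):
        (locked / f"img{i}.jpg.7z").write_bytes(b"7z")
    (locked / "Readme.txt").write_text("constructed placeholder, not a real ransom note")
    clean = base / "docs"
    clean.mkdir()
    for i in range(5):
        (clean / f"report{i}.docx").write_bytes(b"docx")
    (clean / "README.txt").write_text("ordinary project readme, must not be flagged")

def demo() -> List[str]:
    with tempfile.TemporaryDirectory() as tmp:  # scan a throwaway copy of the sample tree
        build_sample_tree(Path(tmp))
        return [Path(p).name for p in find_suspect_folders(tmp)]

if __name__ == "__main__":
    print("suspect folders:", demo())
```

Point find_suspect_folders at a mounted share to get a first list of folders to look at; it is a triage aid, not a substitute for the malware scan QNAP recommends.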

Qlocker: Cheat Sheet

  • Affected devices: QNAP NAS running Hybrid Backup Sync 3 (HBS 3)

  • CVE-2021-28799 came to light as a zero-day on April 19, 2021, primarily through its exploitation by the Qlocker ransomware. QNAP acknowledged the vulnerability on April 22, 2021, and it was published in the NVD on May 12, 2021.

  • QNAP classified this CVE with a severity score of 10.

  • CVE-2021-28799 allows improper authorization of user access and is classified under weakness category CWE-285.

How can organizations avoid Qlocker?

QNAP recommends upgrading the firmware to avoid becoming a victim. Organizations can find the updated versions at https://www.qnap.com/en/security-advisory/qsa-21-12. Update HBS 3 to one of the versions below for safer storage.

  • QTS 4.5.2: HBS 3 v16.0.0415 and later

  • QTS 4.3.6: HBS 3 v3.0.210412 and later

  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later

  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later

  • QuTS cloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

Note: QNAP NAS running HBS 2 and HBS 1.3 are not affected.
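As an added example (not CSW's or QNAP's code), a small checker that compares an installed HBS 3 build against the fixed versions in the table above and flags anything older. The OS lines and version strings come from the table; the inventory at the bottom is constructed sample data.

```python
import re
from typing import Optional

# Minimum fixed HBS 3 build per OS line, as quoted from advisory QSA-21-12 on this page.
# Keys are (OS name, parsed OS version); values are the version strings exactly as listed.
FIXED_HBS3 = {
    ("QTS", (4, 5, 2)): "v16.0.0415",
    ("QTS", (4, 3, 6)): "v3.0.210412",
    ("QTS", (4, 3, 3)): "v3.0.210411",
    ("QTS", (4, 3, 4)): "v3.0.210411",
    ("QuTS hero", (4, 5, 1)): "v16.0.0419",
}
# QuTS cloud c4.5.1~c4.5.4 (inclusive) shares the QuTS hero fixed build.
QUTS_CLOUD_RANGE = ((4, 5, 1), (4, 5, 4), "v16.0.0419")

def parse_version(text: str) -> tuple:
    """'v16.0.0415' -> (16, 0, 415); 'h4.5.1' / 'c4.5.3' -> (4, 5, 1) / (4, 5, 3)."""
    digits = re.sub(r"^[A-Za-z]+", "", text.strip())
    return tuple(int(part) for part in digits.split("."))

def minimum_fixed_build(os_name: str, os_version: str) -> Optional[str]:
    """Fixed HBS 3 build for this OS line, or None if the advisory table does not cover it."""
    ver = parse_version(os_version)
    if os_name == "QuTS cloud":
        low, high, fixed = QUTS_CLOUD_RANGE
        return fixed if low <= ver <= high else None
    return FIXED_HBS3.get((os_name, ver))

def hbs_status(os_name: str, os_version: str, hbs_version: str) -> str:
    """Classify an installed HBS build as not_affected, fixed, vulnerable or unknown."""
    hbs = parse_version(hbs_version)
    if hbs[0] < 3:  # HBS 2 and HBS 1.3 are not affected (note above)
        return "not_affected"
    fixed = minimum_fixed_build(os_name, os_version)
    if fixed is None:  # OS line absent from the table: needs manual review, not a pass
        return "unknown"
    return "fixed" if hbs >= parse_version(fixed) else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and builds), not real devices.
    inventory = [
        ("nas-01", "QTS", "4.5.2", "v16.0.0412"),
        ("nas-02", "QTS", "4.3.6", "v3.0.210412"),
        ("nas-03", "QuTS cloud", "c4.5.3", "v16.0.0418"),
        ("nas-04", "QTS", "4.5.2", "v2.1.0"),
    ]
    for host, os_name, os_ver, hbs in inventory:
        print(f"{host}: HBS {hbs} on {os_name} {os_ver} -> {hbs_status(os_name, os_ver, hbs)}")
```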

What should organizations do if attacked?

  • Attacked by Qlocker? Do not turn off the NAS! Run a malware scan to identify the issues and contact QNAP technical support immediately.

  • Change the default network port (8080) that provides an entry point to the NAS operating system.

What is the impact of the attacks?

A QNAP device search on Shodan brings up 232,197 devices that are exposed to the Internet worldwide. There are 97,331 instances of port 8080 and 94,750 instances of port 443 connected to QNAP NAS.

CSW’s take on Qlocker Ransomware

The Qlocker ransomware attack is a classic case of an unpatched vulnerability being exploited. As no malware is involved in the exploits, it indicates how threat actors, while dangerous, are also looking at simple methods to target their victims. Therefore, the responsibility lies with organizations to correctly identify, prioritize, and address vulnerabilities without delay!

 
