{"id":7418,"date":"2021-06-11T12:45:08","date_gmt":"2021-06-11T19:45:08","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7418"},"modified":"2023-04-20T02:32:47","modified_gmt":"2023-04-20T09:32:47","slug":"all-about-qlocker-ransomware","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/all-about-qlocker-ransomware\/","title":{"rendered":"All About Qlocker Ransomware"},"content":{"rendered":"

We urge organizations to patch the vulnerability immediately to avoid more devices being targeted by QLocker and other ransomware gangs.


The Qlocker ransomware exploited an unpatched vulnerability to launch its attacks.

Researchers at Cyber Security Works (CSW) have been tracking Qlocker, a recently discovered ransomware family. This new strain began surfacing across QNAP devices in April 2021 and exploited CVE-2021-28799.

Attackers used a 7-zip utility to lock away files from the user, and demanded a ransom for providing the decryptor.

{Updated on April 05, 2022}: Almost 10 months after being called out by CSW, CISA has added CVE-2021-28799 to its Known Exploited Vulnerabilities list and warned organizations to patch the vulnerability by April 21, 2022.

{Updated on January 24, 2022}: On January 6, QNAP Network Attached Storage (NAS) devices worldwide began to be targeted once again by the threat actors behind the QLocker ransomware. The attackers exploited a hard-coded credentials vulnerability in the HBS 3 Hybrid Backup Sync application to gain access to users’ devices and encrypt their files. In this latest campaign, the ransomware gang also dropped ransom notes onto compromised devices.

<h2>What is Qlocker?<\/h2>

Qlocker is ransomware that invades users’ storage devices and acts as a file locker, locking users out until a password is provided. The Qlocker ransomware exclusively targets QNAP devices, which are network-attached storage (NAS) systems. It locks the user’s files in a 7-zip encrypted format, sealed by a password. Once the files are locked, victims are left with a .7z archive, a ReadMe file with a ransom note, and an access key to the ransomware payment site. According to the ransom claims, hackers reportedly demanded a payment of 0.01 Bitcoin, amounting to around $550 per user, to divulge the password to unlock the files.


As the Qlocker ransomware seems to be targeting older vulnerable versions of QNAP devices, all users have been requested to update their software immediately. The first attack was reported on April 19, 2021, and since then, the number of exploits has been rising. The targets of Qlocker are regular consumers and small-to-medium business owners using QNAP for network storage. According to reports, the attackers have already acquired 8.93 Bitcoins, amounting to approximately $350,000 in ransom, from over 800 victims, based on twenty-two Bitcoin addresses used by the group.

<h2>How does Qlocker attack?<\/h2>

The Qlocker ransomware exploits a vulnerability that exists in the software, without using any malware.


  1. Attackers scan for QNAP devices exposed to the internet.
  2. Existing vulnerabilities in QNAP are exploited to procure access to the stored files.
  3. A 7-zip archival utility is executed with encryption to lock all the files on the device with a secret password.
  4. A ReadMe file is added to the affected folders with details of how to transfer ransom money to the attackers.

Readme.txt

Image source: https:\/\/www.bleepingcomputer.com\/news\/security\/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices\/

  1. Qlocker victims are then required to access the Tor Browser, enter a specified client ID, and pay the ransom in Bitcoins as suggested. Once the payment is through, a secret password would appear on the screen, which can then unlock the files. However, each file would have to be unlocked individually as the files\/folders are locked as separate units and not compressed into a single folder.


Image source: https:\/\/www.bleepingcomputer.com\/news\/security\/a-ransomware-gang-made-260-000-in-5-days-using-the-7zip-utility\/

<h2>Qlocker: Cheat Sheet<\/h2>