Qlocker Ransomware Returns to Target QNAP NAS Devices Worldwide

The threat actors behind Qlocker ransomware are once again targeting QNAP network-attached storage (NAS) devices exposed to the Internet around the world.

Qlocker previously targeted QNAP customers in a massive ransomware campaign that began the week of April 19, moving victims’ files into password-protected 7-zip archives with the .7z extension after breaching their devices SIN.

QNAP has warned that attackers are exploiting the CVE-2021-28799 hard-coded credential vulnerability in the HBS 3 Hybrid Backup Sync application to hack users’ devices and lock their files.

However, for some QNAP customers targeted by last year’s Qlocker ransomware campaign, the warning came far too late after attackers extorted hundreds of QNAP users.

In total, the affected QNAP users lost about $350,000 in one month after paying ransoms of 0.01 bitcoin (worth about $500 at the time) to obtain the password needed for the recovery of their data.

Qlocker returns in the new 2022 campaign

The new Qlocker ransomware campaign started on January 6 and drops ransom notes named !!!READ_ME.txt on compromised devices.

Qlocker ransom note
Qlocker ransom note (BleepingComputer)

These ransom notes also include the Tor site address (gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion) victims are invited to visit the site to obtain more information on the amount they will have to pay to regain access to their file.

Tor victim pages seen by BleepingComputer since the start of this new series of Qlocker attacks show ransom demands of between 0.02 and 0.03 bitcoins.

Qlocker Tor website
Qlocker Tor website (BleepingComputer)

More information on what to do if the QLocker2 ransomware campaign has affected you can be found in this support topic (Qlocker 2021 campaign topic can be found here).

You can also check out the old guide on how to recover data from NAS devices compromised in last year’s Qlocker ransomware attacks.

Since the return of Qlocker on January 6, dozens of ransom notes and encrypted files have been submitted to the ID-Ransomware service by affected QNAP users.

Qlocker2 ransomware campaign
Qlocker2 ransomware campaign (ID-Ransomware)

Unfortunately, Qlocker isn’t the only ransomware targeting QNAP NAS devices, as seen in a wave of ech0raix ransomware attacks that began just before Christmas.

Earlier this month, the company also warned customers to protect NAS devices exposed to the Internet from ransomware and brute force attacks by disabling port forwarding on their routers and disabling UPnP on their devices.

QNAP also warned customers last year to secure their devices against incoming attacks, including Agelocker and eCh0raix ransomware campaigns.

The NAS manufacturer recommends implementing the following best practices if you want to protect your QNAP device from further attacks.

Back To Top