A ransomware attack targeting QNAP devices is encrypting users’ NAS storage and demanding a ransom to recover the files. It is a massive campaign using two ransomware strains named “Qlocker” and “eCh0raix”.
Affected users are finding that their files have been encrypted and are now stored in password-protected 7zip archives. Qlocker uses the compression tool to move data stored on QNAP devices into password-protected .7z archives, with a password known only to the attacker.
Victims report that the QNAP resource monitor will display multiple ‘7z’ processes, and that once the entire QNAP device is encrypted, the user is left with only a text file called !!!READ_ME.txt with the ransom note.
In addition to containing a message telling the user that all their files have been encrypted, the text also includes a unique key that the victim must use to log into the attacker’s website within the Tor network and make a payment.
As reported on BleepingComputer, all those affected are required to pay 0.01 Bitcoins, or just over 400 euros, in order to obtain a password and unlock their files.
The password is unique for each device, so it cannot be used on other victims’ devices. QNAP believes that the Qlocker ransomware is exploiting a vulnerability that the company fixed on April 16 to hijack files on devices that are still vulnerable because they have not been updated.
QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.
In addition to this, QNAP warns that if files on a device have already been encrypted, the user should not reboot the device and instead should immediately run the malware scanner and contact technical support.
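The indicators described above (the !!!READ_ME.txt note, files replaced by .7z archives, and multiple 7z processes) can be checked with a read-only triage script. This is an added example, not a QNAP tool; the function names and the share paths in the usage comment are assumptions, and it only reads the filesystem and process list without changing or rebooting anything.

```shell
#!/bin/sh
# Read-only triage for the Qlocker indicators named in the article.
NOTE_NAME='!!!READ_ME.txt'   # ransom note file name given in the article

# List each directory under $1 that holds a ransom note.
note_dirs() {
    find "$1" -type f -name "$NOTE_NAME" -exec dirname {} \; 2>/dev/null | sort -u
}

# Count files under $1 whose name matches pattern $2 (case-insensitive).
# One dot is printed per file so odd file names cannot skew the count.
count_files() {
    find "$1" -type f -iname "$2" -exec printf . \; 2>/dev/null | wc -c | tr -d ' '
}

# Integer percentage of files under $1 that are .7z archives.
archive_pct() {
    total=$(count_files "$1" '*')
    if [ "$total" -eq 0 ]; then
        echo 0
    else
        echo $(( $(count_files "$1" '*.7z') * 100 / total ))
    fi
}

# Count lines in a process listing (stdin) whose command is exactly "7z".
count_7z_procs() {
    grep -Ec '(^|[/[:space:]])7z([[:space:]]|$)' || true
}

# Summarise one share: SUSPECT if a ransom note is present, else OK.
triage() {
    notes=$(note_dirs "$1" | wc -l | tr -d ' ')
    pct=$(archive_pct "$1")
    if [ "$notes" -gt 0 ]; then verdict=SUSPECT; else verdict=OK; fi
    echo "$verdict notes=$notes archive_pct=$pct path=$1"
}

# Stand-alone use (share paths are assumptions):
#   ./qlocker_triage.sh /share/Public /share/Multimedia
for share in "$@"; do
    triage "$share"
done
if [ "$#" -gt 0 ]; then
    # ps options differ between BusyBox and procps, so try both forms.
    echo "7z processes: $({ ps -e 2>/dev/null || ps; } | count_7z_procs)"
fi
```

A SUSPECT result with 7z processes still running means encryption may be in progress, which is the situation where QNAP's advice not to reboot applies.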