{"id":7418,"date":"2021-06-11T12:45:08","date_gmt":"2021-06-11T19:45:08","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7418"},"modified":"2023-04-20T02:32:47","modified_gmt":"2023-04-20T09:32:47","slug":"all-about-qlocker-ransomware","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/all-about-qlocker-ransomware\/","title":{"rendered":"All About Qlocker Ransomware"},"content":{"rendered":"
We urge organizations to patch the vulnerability immediately to avoid more devices being targeted by Qlocker and other ransomware gangs.<\/strong><\/p>\n
The Qlocker ransomware exploited an unpatched vulnerability to launch its attacks.<\/p><\/blockquote>\n
Researchers at Cyber Security Works (CSW) have been tracking Qlocker, a recently discovered ransomware family. The strain began surfacing on QNAP devices in April 2021 and exploited CVE-2021-28799.<\/strong><\/p>\n
The attackers used the legitimate 7-Zip archiver to lock victims' files away in password-protected archives, and demanded a ransom in exchange for the password.<\/p>\n
{Updated on April 05, 2022}: <\/strong>Almost 10 months after CSW called it out, CISA added CVE-2021-28799 to its Known Exploited Vulnerabilities<\/a> catalog and warned organizations to patch the vulnerability by April 21, 2022.<\/p>\n
{Updated on January 24, 2022}:<\/strong> On January 6, 2022, QNAP Network Attached Storage (NAS) devices worldwide once again came under attack from the threat actors behind Qlocker. The attackers exploited a hard-coded credentials vulnerability in the HBS 3 Hybrid Backup Sync application to gain access to users' devices and encrypt their files, and once again dropped ransom notes on the compromised devices.<\/p>\n
What is Qlocker?<\/h2>\n
Qlocker is ransomware that targets QNAP<\/a> network-attached storage (NAS) devices and acts as a file locker: instead of running custom encryption code, it moves the user's files into password-protected 7-Zip archives and withholds the password until the ransom is paid. Once the files are locked, victims are left with .7z archives where their data used to be, a ReadMe file containing the ransom note, and a client ID that acts as the access key to the payment site. According to the ransom notes, the attackers demanded 0.01 Bitcoin, around $550<\/a> at the time, per victim to divulge the password.<\/p>\n
Because Qlocker targets devices running older, vulnerable versions of QNAP software, all users have been urged to update immediately. The first attacks were reported on April 19, 2021, and the number of compromised devices has been rising since. The victims are home users and small-to-medium businesses that use QNAP NAS for network storage. According to reports, the attackers had already collected 8.93 Bitcoin, approximately $350,000 in ransom<\/a>, from over 800 victims, based on the twenty-two Bitcoin addresses used by the group.<\/p>\n
How does Qlocker attack?<\/h2>\n
Qlocker involves no custom malware: the attack chain consists of an unpatched vulnerability in QNAP software and the legitimate 7-Zip archiver.<\/p>\n
A vulnerability in the QNAP software (CVE-2021-28799 in the April 2021 campaign) is exploited to gain access to the device and the files stored on it.<\/p>\n<\/li>\n
The 7-Zip archiver is executed with encryption enabled, moving the files on the device into archives protected by a password known only to the attackers.<\/p>\n<\/li>\n
A ReadMe file is dropped into the affected folders with instructions for transferring the ransom to the attackers.<\/p>\n<\/li>\n<\/ol>\n
Readme.txt<\/span><\/em><\/p>\n
Image source: https:\/\/www.bleepingcomputer.com\/news\/security\/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices\/<\/a><\/span><\/p>\n
Victims are then directed to open the payment site in the Tor Browser, enter the client ID from the ransom note, and pay the ransom in Bitcoin. Once the payment is confirmed, the password is displayed and can be used to open the archives.<\/p>\n<\/li>\n
However, each archive has to be unlocked individually: files and folders are archived as separate units rather than being compressed into a single archive.<\/p>\n<\/li>\n<\/ol>\n
Image source: https:\/\/www.bleepingcomputer.com\/news\/security\/a-ransomware-gang-made-260-000-in-5-days-using-the-7zip-utility\/<\/a><\/span><\/p>\n
Qlocker: Cheat Sheet<\/h2>\n
Affected devices: QNAP NAS running Hybrid Backup Sync 3 (HBS 3).<\/p>\n<\/li>\n
CVE-2021-28799 came to light as a zero-day when Qlocker exploited it in the wild on April 19, 2021. QNAP acknowledged the vulnerability on April 22, 2021, and it was published in the NVD on May 12, 2021.<\/p>\n<\/li>\n
QNAP classified this CVE with a severity score of 10.<\/p>\n<\/li>\n
CVE-2021-28799 is an improper authorization flaw that grants access to users who should not have it; it is mapped to weakness category CWE-285 (Improper Authorization).<\/p>\n<\/li>\n<\/ul>\n
How can organizations avoid Qlocker?<\/h2>\n
QNAP recommends updating HBS 3 to a fixed release; the vulnerable component is the HBS 3 application, not the QTS firmware itself. The fixed versions are listed in the QNAP advisory at https:\/\/www.qnap.com\/en\/security-advisory\/qsa-21-12<\/a>. Update to the release that matches your operating system line:<\/p>\n
QTS 4.5.2: HBS 3 v16.0.0415 and later<\/p>\n<\/li>\n
QTS 4.3.6: HBS 3 v3.0.210412 and later<\/p>\n<\/li>\n
QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later<\/p>\n<\/li>\n
QuTS hero h4.5.1: HBS 3 v16.0.0419 and later<\/p>\n<\/li>\n
QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later<\/p>\n<\/li>\n<\/ul>\n
Note:<\/strong> QNAP NAS running HBS 2 and HBS 1.3 are not affected.<\/p>\n
What should organizations do if attacked?<\/h2>\n
Attacked by Qlocker? Do not turn off the NAS. Run a malware scan to identify the issues and contact QNAP technical support immediately.<\/p>\n<\/li>\n
Change the default network port (8080) that serves as the entry point to the NAS operating system. This reduces exposure to opportunistic scanning but does not remove the vulnerability; only updating HBS 3 does.<\/p>\n<\/li>\n<\/ul>\n
What is the impact of the attacks?<\/h2>\n
A Shodan search for QNAP devices returns 232,197 devices exposed to the Internet worldwide. Of these, 97,331 expose port 8080 and 94,750 expose port 443, the ports through which the QNAP NAS web interface is reached.<\/p>\n
CSW’s take on Qlocker Ransomware<\/h2>\n
The Qlocker ransomware attack is a classic case of an unpatched vulnerability being exploited. Because no custom malware is involved, it also shows that threat actors, while dangerous, favour simple methods when they work: an unpatched flaw plus a legitimate archiver was enough. The responsibility therefore lies with organizations to correctly identify, prioritize, and address vulnerabilities<\/a> without delay.<\/p>\n
Want to understand the vulnerabilities in the products you use?<\/p>\n
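The fixed-version table under "How can organizations avoid Qlocker?" is what an asset inventory check has to encode. The following is an added example, written for this article and not a QNAP or CSW tool, that classifies a device's HBS 3 build against the fixed versions QNAP lists in QSA-21-12 and that are reproduced above. It assumes the device reports its OS line (QTS, QuTS hero or QuTScloud), OS version and HBS version as strings; the hostnames and the older builds in the sample inventory are constructed for illustration.

```python
"""Classify a QNAP NAS's HBS 3 build against the fixed versions in QSA-21-12
(CVE-2021-28799). Added example for this article; not a QNAP or CSW tool."""
from __future__ import annotations

import re

# Fixed HBS 3 versions per OS line, as listed in QSA-21-12 and reproduced in this article:
# (OS family, lowest OS version covered, highest OS version covered, first fixed HBS 3 build).
FIXED_HBS3 = [
    ("QTS", "4.5.2", "4.5.2", "16.0.0415"),
    ("QTS", "4.3.6", "4.3.6", "3.0.210412"),
    ("QTS", "4.3.3", "4.3.4", "3.0.210411"),
    ("QuTS hero", "h4.5.1", "h4.5.1", "16.0.0419"),
    ("QuTScloud", "c4.5.1", "c4.5.4", "16.0.0419"),
]

_DOTTED = re.compile(r"(\d+(?:\.\d+)+)")


def vtuple(version: str) -> tuple[int, ...]:
    """'v16.0.0415', 'h4.5.1' or 'c4.5.3' -> tuple of ints; prefixes like v/h/c are ignored."""
    m = _DOTTED.search(version)
    if not m:
        raise ValueError(f"no dotted version in {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fixed_hbs3_for(os_family: str, os_version: str) -> str | None:
    """First fixed HBS 3 build for this OS line, or None if the advisory does not list it."""
    osv = vtuple(os_version)
    for family, low, high, fixed in FIXED_HBS3:
        if family.lower() == os_family.lower() and vtuple(low) <= osv <= vtuple(high):
            return fixed
    return None


def hbs3_status(os_family: str, os_version: str, hbs_version: str) -> str:
    """One of: not_affected, unknown_os_line, version_scheme_mismatch, patched, vulnerable."""
    hbs = vtuple(hbs_version)
    if hbs[0] < 3:
        return "not_affected"            # per the advisory, HBS 2 and HBS 1.3 are not affected
    fixed = fixed_hbs3_for(os_family, os_version)
    if fixed is None:
        return "unknown_os_line"         # not in the advisory table: do not guess, review manually
    fixed_t = vtuple(fixed)
    if hbs[0] != fixed_t[0]:
        # HBS 3 is numbered 3.0.YYMMDD on QTS 4.3.x but 16.0.xxxx on QTS 4.5.2 and QuTS;
        # a build from the other scheme is not comparable and points to bad inventory data.
        return "version_scheme_mismatch"
    return "patched" if hbs >= fixed_t else "vulnerable"


def audit(inventory: list[dict]) -> dict[str, str]:
    """Map each inventoried host to its status."""
    return {d["host"]: hbs3_status(d["os"], d["os_version"], d["hbs"]) for d in inventory}


# Constructed sample inventory: hostnames are illustrative and the pre-fix builds
# (v16.0.0401, v3.0.210401) are hypothetical, chosen only to be older than the fixed ones.
SAMPLE_INVENTORY = [
    {"host": "nas-01", "os": "QTS", "os_version": "4.5.2", "hbs": "v16.0.0415"},
    {"host": "nas-02", "os": "QTS", "os_version": "4.5.2", "hbs": "v16.0.0401"},
    {"host": "nas-03", "os": "QTS", "os_version": "4.3.4", "hbs": "v3.0.210401"},
    {"host": "nas-04", "os": "QuTScloud", "os_version": "c4.5.3", "hbs": "v16.0.0419"},
    {"host": "nas-05", "os": "QTS", "os_version": "4.3.6", "hbs": "v2.1.0"},
    {"host": "nas-06", "os": "QTS", "os_version": "4.4.1", "hbs": "v16.0.0415"},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The scheme check matters in practice: HBS 3 builds on QTS 4.3.x carry 3.0.YYMMDD numbers while the same application on QTS 4.5.2 and QuTS carries 16.0.xxxx numbers, so a naive numeric comparison would report a QTS 4.3.6 device running any 16.x build as patched. Anything the advisory does not cover is reported as unknown rather than assumed safe.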
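The attack chain under "How does Qlocker attack?" leaves a recognisable pattern on disk: password-protected 7-Zip archives where the original files were, with a ReadMe ransom note in the same folder. The following added example (not QNAP, CSW or BleepingComputer code) walks a share and flags folders showing that pattern, identifying archives by the 7-Zip signature bytes rather than by file extension so that an archive given a misleading name is still counted. The ransom-note name pattern, the directory names and the fake archive headers in the sample tree are constructed assumptions, not artifacts from a real infection.

```python
"""Triage a share for the Qlocker on-disk pattern: 7-Zip archives beside a ransom note.
Added example for this article; not QNAP, CSW or BleepingComputer code."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Every 7-Zip archive starts with this six-byte signature ('7z' BC AF 27 1C).
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Assumption: the article only says "a ReadMe file", so any file whose name starts
# with "readme" (case-insensitive) is treated as a candidate ransom note.
NOTE_PREFIX = "readme"


def is_7z_archive(path: Path) -> bool:
    """Detect archives by content, so a renamed or extension-less .7z is still found."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SEVENZIP_MAGIC)) == SEVENZIP_MAGIC
    except OSError:
        return False


@dataclass
class DirReport:
    archives: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)
    other_files: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Archives alone (a real backup) or a README alone (a project) are normal;
        # the two together in one folder is the Qlocker pattern.
        return bool(self.archives) and bool(self.notes)


def scan_share(root: Path) -> dict[str, DirReport]:
    """Classify every file under root and return one report per directory (relative path)."""
    reports: dict[str, DirReport] = {}
    for dirpath, _dirs, files in os.walk(root):
        rep = DirReport()
        for name in sorted(files):
            path = Path(dirpath) / name
            if name.lower().startswith(NOTE_PREFIX):
                rep.notes.append(name)
            elif is_7z_archive(path):
                rep.archives.append(name)
            else:
                rep.other_files.append(name)
        reports[os.path.relpath(dirpath, root)] = rep
    return reports


def summarize(reports: dict[str, DirReport]) -> dict:
    hits = {d: r for d, r in reports.items() if r.suspicious}
    return {
        "suspicious_dirs": sorted(hits),
        "archives_in_suspicious_dirs": sum(len(r.archives) for r in hits.values()),
        "clean_dirs": sorted(d for d in reports if d not in hits),
    }


# Constructed sample tree: the "archives" are only a fake signature header (signature,
# version bytes, zeroed header fields), not real archives or victim data.
FAKE_7Z = SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 26
SAMPLE_LAYOUT = {
    "photos": {"IMG_0001.7z": FAKE_7Z, "IMG_0002.7z": FAKE_7Z,
               "Readme.txt": b"!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!\n"},
    "docs": {"report.docx": FAKE_7Z,            # archive hiding behind a document extension
             "README.TXT": b"ransom note\n"},
    "backups": {"old.7z": FAKE_7Z},               # legitimate archive, no note: not flagged
    "untouched": {"notes.txt": b"nothing here\n",
                  "README.md": b"project readme\n"},  # note-like name, no archives: not flagged
}


def build_sample_share(base: Path) -> Path:
    root = base / "share"
    for sub, files in SAMPLE_LAYOUT.items():
        (root / sub).mkdir(parents=True, exist_ok=True)
        for name, data in files.items():
            (root / sub / name).write_bytes(data)
    return root


def demo() -> dict:
    """Build the sample share in a temporary directory, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_share(Path(tmp))
        reports = scan_share(root)
        result = summarize(reports)
        result["renamed_archive_detected"] = "report.docx" in reports["docs"].archives
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the mounted share read-only; the report tells the responder which folders were touched and how many archives they hold, which is the scope needed before contacting QNAP support. The two negative cases in the sample (a backup folder with archives but no note, a project folder with a README but no archives) are what keeps the check from flagging ordinary data.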