QNAP Systems' Appliance Users Hit by RansomwareUsers Advised to Install Malware Remover, Conduct Scan
Following news reports of ransomware attackers targeting QNAP Systems' network-attached storage appliances, encrypting users' data and then demanding a ransom, the company is urging users to immediately install a malware remover and run a malware scan.
The Taiwan-based company is also urging users to update the Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync apps to the latest versions to further secure them from two types of ransomware - Qlocker and eCh0raix.
The company says a small number of its appliance users were targeted by ransomware attackers.
But Bleeping Computer reports that QNAP devices across the world were targeted starting Monday by ransomware called Qlocker.
QNAP Systems, which did not reveal many details about the ransomware attacks, says it's working on a solution to remove malware from infected devices. It also released an updated version of its Malware Remover for its operating systems, including QTS and QuTS hero.
QNAP Systems warned users to not shut down their NAS devices if their data is encrypted and urged them to implement stronger passwords.
"Additionally, users are advised to modify the default network port 8080 for accessing the NAS operating interface," the company states. "Steps to perform the operation can be found in the information security best practice offered by QNAP. The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security."
The vulnerabilities in QNAP System appliances that apparently were exploited in the ransomware attacks were first discovered by the security research organization SAM, which tracks vulnerabilities in IoT devices.
The QNAP appliance vulnerabilities "are severe in nature as they allow for full takeover of a device from the network including access to the user’s stored data, without any prior knowledge," SAM said in a blog.
QNAP confirms that Qlocker encrypts data on vulnerable devices by exploiting a SQL injection vulnerability, CVE-2020-36195, for which a patch is now available. QNAP has also patched two other vulnerabilities this week - CVE-2021-28799 and CVE-2020-2509 .
Natalie Page, threat intelligence analyst at the security firm Talion, says Qlocker ransomware uses file extension 7-Zip to encrypt QNAP devices. The adversaries behind these attacks have employed this file extension type to move files into password-protected archives and lock the files with a .7z extension, Page says.
"In attacks seen thus far, users are contacted via !!!READ_ME.txt ransom note and directed to a Tor payment site to receive the password needed to retrieve their files, after a payment of 0.01 Bitcoins, around £400 or $553.87," Page says. "Currently, there is no solution for victims to retrieve encrypted files for free. Users are urged to implement the security update released Thursday from QNAP to avoid falling victim to this strain."
Security researcher Jack Cable says he discovered a loophole in the attackers' bitcoin payment method that enabled victims to retrieve their files for free.
He says he was able to decrypt around 50 keys, saving victims $27,000 in ransom payments, but he reported on Twitter that the operators behind the ransomware strain have now fixed the loophole.