Qlocker ransomware remains a thorn in the side of network-storage company QNAP, which is now advising customers to update its Hybrid Backup Sync (HBS 3) disaster recovery app because a hard-coded credential in older versions gives the ransomware operators a backdoor into the device. HBS 3 is a feature of QNAP's network-attached storage (NAS) devices, which Qlocker has been targeting. “The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3. To prevent infection from Qlocker, we recommend updating HBS 3 to the latest version,” the Taiwan-based NAS appliance maker said in a security advisory issued last week.
QNAP Systems is a Taiwanese corporation that specializes in Network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications. Headquartered in Xizhi District, New Taipei City, Taiwan, QNAP has offices in 16 countries and employs over 1000 people around the world.
QNAP’s problems with Qlocker ransomware began on April 19, when the company's customers were hit by a devastating ransomware campaign. Qlocker breached thousands of QNAP NAS devices, replacing victims’ files with password-protected 7-Zip archives.
At the time, the attack vector was unknown. QNAP has since confirmed that the attackers abused CVE-2021-28799, a hard-coded credentials vulnerability in HBS 3. The flaw amounts to a backdoor account and lets attackers access any device running an out-of-date HBS 3 version, so the fix is an update of the HBS 3 app itself rather than of the QTS firmware alone.
QNAP added that CVE-2021-28799 has already been fixed in the following HBS 3 versions (HBS 2 and HBS 1.3 are not impacted):
- QTS 4.5.2: HBS 3 v16.0.0415 and later
- QTS 4.3.6: HBS 3 v3.0.210412 and later
- QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
- QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
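As an added example (not QNAP's own tooling, and not code from the original article), the Python below turns the list above into a fleet check: given an operating-system branch and the installed HBS 3 version, it reports whether the device is at or above the fixed build. The inventory it runs over is constructed for illustration. Branches the advisory does not list are reported as "unknown" rather than assumed safe, because the advisory says nothing about them, and the QuTScloud range c4.5.1~c4.5.4 is expanded to its four individual versions.

```python
import re
from typing import Optional, Tuple

# Minimum patched HBS 3 version per OS branch, mirroring the advisory list above.
# Key: (OS family, OS version). Value: first HBS 3 build that contains the fix.
FIXED_HBS3 = {
    ("QTS", "4.5.2"): "16.0.0415",
    ("QTS", "4.3.6"): "3.0.210412",
    ("QTS", "4.3.3"): "3.0.210411",
    ("QTS", "4.3.4"): "3.0.210411",
    ("QuTS hero", "h4.5.1"): "16.0.0419",
    ("QuTScloud", "c4.5.1"): "16.0.0419",   # advisory gives the range c4.5.1~c4.5.4
    ("QuTScloud", "c4.5.2"): "16.0.0419",
    ("QuTScloud", "c4.5.3"): "16.0.0419",
    ("QuTScloud", "c4.5.4"): "16.0.0419",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v16.0.0415' or '3.0.210412' into a tuple of ints for comparison.
    int() drops the leading zero in builds like 0415, which is fine because the
    builds still order correctly (411 < 415 < 419)."""
    v = v.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def fixed_hbs3_version(os_family: str, os_version: str) -> Optional[str]:
    """Minimum patched HBS 3 version for this OS branch, or None when the
    advisory does not list the branch (for example an older QTS 4.3.x)."""
    return FIXED_HBS3.get((os_family, os_version.strip()))


def assess(os_family: str, os_version: str, hbs_version: str) -> str:
    """Classify one NAS as 'patched', 'vulnerable' or 'unknown'.
    'unknown' is deliberately not treated as safe."""
    fixed = fixed_hbs3_version(os_family, os_version)
    if fixed is None:
        return "unknown"
    return "patched" if parse_version(hbs_version) >= parse_version(fixed) else "vulnerable"


# Constructed inventory for the demo, not real devices:
# (hostname, OS family, OS version, installed HBS 3 version)
INVENTORY = [
    ("nas-fin-01", "QTS", "4.5.2", "v16.0.0415"),
    ("nas-fin-02", "QTS", "4.5.2", "v16.0.0330"),
    ("nas-lab-01", "QTS", "4.3.4", "v3.0.210411"),
    ("nas-lab-02", "QTS", "4.3.6", "v3.0.210323"),
    ("nas-cloud-1", "QuTScloud", "c4.5.3", "v16.0.0419"),
    ("nas-old-01", "QTS", "4.2.6", "v3.0.200101"),   # branch not in the advisory
]


def triage(inventory):
    """Return {hostname: status} for every device in the inventory."""
    return {host: assess(fam, osv, hbs) for host, fam, osv, hbs in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

In practice the OS and app versions would come from the NAS management interface or an asset inventory rather than a hard-coded list; treat every "unknown" as a prompt to re-check the advisory for that branch, not as a pass.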
Though this is not the first time QNAP has specifically mentioned Qlocker targeting the HBS 3 backdoor, it is the first time the company has stated that this is the primary attack vector.
For many of QNAP’s customers, these warnings come much too late. Five weeks after the initial attacks, the campaign has slowed down considerably: the attackers have already made off with the money.
In those five weeks, the attackers extorted over $350,000 from users, who were told to pay 0.01 bitcoin (about $500) for the password to their files. This is a relatively low ransom, but multiplied across thousands of victims it adds up to a considerable payday, and a low demand also raises the share of victims willing to pay.
The operators also appear to have ended the campaign abruptly rather than continue infecting new users: cybersecurity researchers have confirmed that the Qlocker Tor sites on the dark web are no longer accessible, and the gang has apparently vanished.
This follows a recent trend. Since the DarkSide attack on Colonial Pipeline, several ransomware gangs have gone offline or are laying low; that attack is believed to have drawn unwanted attention to the world of cybercrime, pushing gangs to play it safe.
While Qlocker may have shut down, it is not the only ransomware currently targeting QNAP NAS devices. In recent weeks, QNAP customers were also urged to secure their devices against new AgeLocker and eCh0raix ransomware campaigns.
QNAP has also published a list of best-practice steps for customers to secure their NAS devices.
Qlocker Ransomware Analysis
Note: The Analysis of Qlocker Ransomware was carried out by cybersecurity researchers at BleepingComputer.
The attackers use 7-Zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor shows numerous ‘7z’ processes, which are instances of the 7-Zip command-line executable.
When the ransomware has finished, the device’s files are stored in password-protected archives ending with the .7z extension. To extract them, victims need a password known only to the attacker.
After a device’s files have been archived, users are left with a !!!READ_ME.txt ransom note containing a unique client key that the victim must enter to log into the ransomware’s Tor payment site.
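Because nothing is dropped on disk except the archives and the note, detection has to key on the behaviour the analysis above describes: a burst of 7z processes creating password-protected archives, followed by !!!READ_ME.txt files and .7z archives appearing across the shares. The Python below is an added example, not BleepingComputer's or QNAP's code; it runs over a constructed ps-style snapshot and a constructed file listing. The exact 7z command line the attackers used is not documented on this page, so the sample uses 7-Zip's standard `a` (add) command and `-p<password>` switch as an assumption, and the process-count and age thresholds are tunable.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# --- Constructed sample data (illustrative, not from a real incident) ----------
# Snapshot in `ps -eo pid,user,etimes,args` format. The 7z command line is an
# assumption: the page only says the built-in 7z binary is launched to
# password-protect files; 7-Zip's CLI does that with `a` plus `-p<password>`.
SAMPLE_PS = """\
  PID USER     ELAPSED ARGS
  812 admin     812345 /sbin/cupsd
 4101 admin          4 /usr/local/sbin/7z a -pS3cr3tKey /share/CACHEDEV1_DATA/Public/report.7z /share/CACHEDEV1_DATA/Public/report.pdf
 4102 admin          3 /usr/local/sbin/7z a -pS3cr3tKey /share/CACHEDEV1_DATA/Public/photos.7z /share/CACHEDEV1_DATA/Public/photos
 4103 admin          3 /usr/local/sbin/7z a -pS3cr3tKey /share/CACHEDEV1_DATA/Multimedia/video.7z /share/CACHEDEV1_DATA/Multimedia/video.mp4
 4104 admin          2 /usr/local/sbin/7z a -pS3cr3tKey /share/CACHEDEV1_DATA/homes/alice/notes.7z /share/CACHEDEV1_DATA/homes/alice/notes.txt
 4200 alice        120 /usr/local/sbin/7z x /share/CACHEDEV1_DATA/homes/alice/download.7z
"""

# Flat directory listing, also constructed.
SAMPLE_FILES = [
    "/share/CACHEDEV1_DATA/Public/!!!READ_ME.txt",
    "/share/CACHEDEV1_DATA/Public/report.7z",
    "/share/CACHEDEV1_DATA/Public/photos.7z",
    "/share/CACHEDEV1_DATA/Multimedia/!!!READ_ME.txt",
    "/share/CACHEDEV1_DATA/Multimedia/video.7z",
    "/share/CACHEDEV1_DATA/homes/alice/download.7z",
    "/share/CACHEDEV1_DATA/homes/alice/todo.txt",
]

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(.*\S)\s*$")
ARCHIVER_NAMES = ("7z", "7za", "7zz", "7zr")


@dataclass
class ArchiveProc:
    pid: int
    user: str
    elapsed: int   # seconds since the process started
    output: str    # archive being written: first non-switch operand after 'a'


def share_of(path: str) -> str:
    """/share/<volume>/<share>/... -> <share>; otherwise return the path itself."""
    parts = path.split("/")
    return parts[3] if len(parts) > 3 and parts[1] == "share" else path


def password_archive_procs(ps_text: str) -> List[ArchiveProc]:
    """Return the 7z processes that are *creating* a password-protected archive.
    Matches the archiver by basename, requires the `a` command and a -p switch;
    extraction (`x`) and unprotected archiving are ignored."""
    found = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, user, elapsed, args = m.groups()
        argv = args.split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in ARCHIVER_NAMES:
            continue
        if len(argv) < 2 or argv[1] != "a":
            continue
        switches = [a for a in argv[2:] if a.startswith("-")]
        operands = [a for a in argv[2:] if not a.startswith("-")]
        if not any(s.startswith("-p") for s in switches) or not operands:
            continue
        found.append(ArchiveProc(int(pid), user, int(elapsed), operands[0]))
    return found


def alert_on_mass_archiving(ps_text: str, min_procs: int = 3, max_age_s: int = 60) -> Dict:
    """Alert when several password-archiving 7z processes started within
    max_age_s seconds: one such process is ordinary admin activity, a burst of
    them across several shares is the pattern described for Qlocker."""
    recent = [p for p in password_archive_procs(ps_text) if p.elapsed <= max_age_s]
    shares = Counter(share_of(p.output) for p in recent)
    return {
        "alert": len(recent) >= min_procs,
        "count": len(recent),
        "pids": [p.pid for p in recent],
        "shares": dict(shares),
    }


def ransom_indicators(paths: List[str]) -> Dict:
    """File-system view: ransom notes and how many files are already .7z
    archives. This confirms an attack after the fact; it is not early warning."""
    notes = [p for p in paths if p.rsplit("/", 1)[-1] == "!!!READ_ME.txt"]
    archives = [p for p in paths if p.lower().endswith(".7z")]
    return {"ransom_notes": notes, "archive_count": len(archives), "total": len(paths)}


if __name__ == "__main__":
    print(alert_on_mass_archiving(SAMPLE_PS))
    print(ransom_indicators(SAMPLE_FILES))
```

The process rule is the one worth wiring into monitoring, since by the time ransom notes and .7z archives show up the data is already locked; on a real NAS the snapshot would come from `ps` on the device or from the Resource Monitor's process list, polled every few seconds.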
From the Qlocker ransom notes seen by BleepingComputer, all victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files.
After paying the ransom and entering a valid Bitcoin transaction ID, the Tor payment site displays the password for the victim’s 7-Zip archives.
During the research, independent security researcher Jack Cable reached out to Bleeping Computer about a bug he discovered in the Qlocker Tor site that allowed users to recover their 7zip passwords for free.
Sadly, within an hour of the bug being announced, the Qlocker operators deployed a hotfix that removed the flaw. In that window, at least some victims’ files were freed.
At this point, there is no way to recover the files without a password, which can no longer be retrieved for free.
The Qlocker threat actors exploit vulnerabilities in QNAP devices that allow them to execute commands on the NAS remotely.
While most ransomware operations deploy specially crafted malware, the Qlocker attackers simply scan for QNAP devices and use the vulnerability to remotely launch the built-in 7-Zip archive utility with a password.
With this type of attack, the device is not infected with any malware at all; it is abused through a vulnerability, using software that already ships with the operating system. That makes file-based scanning useless here: there is no malicious binary to find, so detection has to rest on behaviour, such as an unexpected burst of 7z processes, and prevention on closing the access path by updating HBS 3.
In cases like Qlocker, a single weak link in software bundled with a device can expose an entire network. These attacks are becoming more and more common, and it is important that business leaders and home owners use the right tools to protect themselves from evolving threats. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.