Search This Blog

Showing posts with label Qlocker. Show all posts

A Ransomware Group Made $260,000 in 5 Days

 

A ransomware group made $260,000 by remotely encrypting files on QNAP computers using the 7zip archive software in an interval of five days. After a ransomware operation called Qlocker exploited vulnerabilities on their computers, QNAP NAS users all over the world discovered their files had been encrypted as of Monday. 

While most ransomware groups spend a significant amount of time developing their malware to make it powerful, feature-rich, and safe, the Qlocker gang didn't have to do so. Rather, they scanned for QNAP devices that were connected to the Internet and manipulated them with the recently disclosed flaws. 

The threat actors were able to use these exploits to remotely run the 7zip archival utility and password secure all of the files on the victims' NAS storage devices. Using a time-tested encryption algorithm built into the 7zip archive utility, they were able to encrypt over a thousand devices in just five days. To access all of a victim's computers and not leak their stolen data, enterprise-targeting ransomware usually demands ransom payments ranging from $100,000 to $50 million. 

Qlocker, on the other hand, chose a different audience: customers and small-to-medium-sized businesses that use QNAP NAS computers for network storage. The threat actors seem to have a good understanding of their goals since their ransom demands were just 0.01 Bitcoins or around $500 at today's Bitcoin rates. 

Since the Qlocker ransomware uses a series of Bitcoin addresses that are rotated around, BleepingComputer collected the addresses and tracked their payments. Security researcher Jack Cable discovered a short-lived bug that allowed him to recover passwords for 55 victims for free. He gathered ten separate Bitcoin addresses that the threat actors were rotating with victims when using this bug and shared them with BleepingComputer. 

BleepingComputer has since collected an additional ten bitcoin addresses, bringing the total number of bitcoin addresses used by the Qlocker threat actors to 20. The 20 bitcoin addresses have received ransom payments totaling 5.25735623 Bitcoins at this time which equates to around $258,494 in today's money. Unfortunately, as users make the difficult decision to pay a ransom to retrieve their files, the number of ransoms will likely rise over the weekend and into the next week. 

This ransomware campaign is still active, with new victims being reported daily. To patch the vulnerabilities and defend against these ransomware attacks, all QNAP users must upgrade the latest versions of the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync software. Users can also protect their NAS devices so that potential attacks are more difficult to carry out.

Ransomware Qlocker Encrypts QNAP Devices with 7Zip

 

A huge ransomware campaign seems to be underway to attack QNAP devices globally and customers can now locate their files in password-protected 7zip archives. The ransomware is known as Qlocker and on 19 April 2021, it was aimed at attacking QNAP computers. Ever since the help platform of bleeping computers has had enormous development, and the victims' requests have increased in ID-Ransomware. 

However, as per the victims in the Qlocker support department of Bleeping Computer, hackers use 7-zip to transfer files to password-protected archives on QNAP computers. During locking of the files, multiple 72 processes are displayed on the QNAP Resource Monitor, which can be executed on the 7zip command line. Once ransomware is completed, files of the QNAP computer will be saved in a password-protected 7-zip file with a.7z extension. Victims must enter the password identified by the perpetrator only to retrieve those archives. 

As soon as one has encrypted the QNAP devices, they then have a !!!READ ME.txt ransom note with a special client key to sign on to the Tor ransomware payment platform. All victims are expected to pay Bitcoins of roughly 0.01, which is around $557.74, from the Qlocker restitution notes shown to get a password for their archived data. After payment is made and an invalid Bitcoin Tax ID has been entered, a 7Zip archive password will be displayed on the Tor Payments website. This password is exclusive to the victim that cannot be used on computers of all the other victims. 

On April 22, a security investigator, Jack Cable, announced a bug found in the Qlocker Tor platform that allows users to freely retrieve their 7zip passwords. This bug could allow victims to obtain a Bitcoin transaction ID from someone who has previously paid but changed it slightly. When the modified transaction ID was sent to the Qlocker Tor site, the payment was acknowledged, and the victim's password was displayed. 

Jack Cable also helped victims secretly recover their passwords and Emsisoft arranged to build a support system to further exploit this vulnerability. Unfortunately, the ransomware developers took it and patched it an hour after they heard of the error. There is no way to download files without a password that is not available for free anymore at this stage.

QNAP has lately solved critical vulnerabilities which enable a mobile player to access a device completely and to run ransomware. 

The following descriptions were found for these two vulnerabilities by QNAP on 16 April: 
CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On 

"QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices," QNAP stated in a security advisory.