Qlocker is an active ransomware group that has been observed targeting and attacking QNAP devices all over the world. The campaign started on April 19. The infected user's files are stored in password-protected 7-Zip archives.
The Campaign-
BleepingComputer reports that the Qlocker support forum is seeing increased activity from a portion of its victims. In addition, the ID-Ransomware service saw an increase in the number of submissions from victims.
- The attackers are using 7-Zip to lock the victims' files in password-protected archives. While the files are being locked, the QNAP device's monitor shows several 7-Zip processes.
- Once the ransomware has finished, the files are stored in password-protected archives with a .7z extension; the password is needed to retrieve the files.
- At the end of the process, victims receive a !!!READ_ME.txt ransom note containing the credentials to access the Tor payment site.
- The victims are told to pay 0.01 Bitcoin ($557.74), after which they receive the password to the archived files.
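The indicators listed above (7-Zip processes during locking, .7z archives where the original files used to be, and a !!!READ_ME.txt note) are simple enough to check for on a device or a mounted share. The following POSIX shell triage script is an added example, not code from the original report or from QNAP; the function names, the constructed sample files and the use of a saved `ps -eo comm=` listing as the process input are all assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): defender-side triage for the
# Qlocker indicators described above. Assumed names and layout, not QNAP's own.

# Count ransom notes named !!!READ_ME.txt anywhere beneath the directory in $1.
count_ransom_notes() {
    find "$1" -type f -name '!!!READ_ME.txt' 2>/dev/null | wc -l | tr -d ' '
}

# Count .7z archives beneath the directory in $1 (the locked files after encryption).
count_7z_archives() {
    find "$1" -type f -name '*.7z' 2>/dev/null | wc -l | tr -d ' '
}

# Count 7-Zip processes in a process-name listing read from stdin
# (the output of `ps -eo comm=`). grep -c prints 0 and exits 1 when there is
# no match, so the `|| true` keeps the count while ignoring that exit status.
count_7z_processes() {
    grep -c -E '^(7z|7za|7zr)$' || true
}

# Triage a directory ($1) against a saved process listing ($2).
# Prints the three counts; returns 1 if any indicator is present, 0 if none.
qlocker_triage() {
    dir=$1
    proclist=$2
    notes=$(count_ransom_notes "$dir")
    archives=$(count_7z_archives "$dir")
    procs=$(count_7z_processes < "$proclist")
    echo "ransom notes (!!!READ_ME.txt): $notes"
    echo "7z archives:                   $archives"
    echo "7z processes:                  $procs"
    if [ "$notes" -gt 0 ] || [ "$archives" -gt 0 ] || [ "$procs" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Live variant: snapshot the running processes, then triage a directory ($1).
# Usage on a device:  qlocker_triage_live /share/Public
qlocker_triage_live() {
    snapshot=$(mktemp)
    ps -eo comm= > "$snapshot" 2>/dev/null || :
    qlocker_triage "$1" "$snapshot"
    rc=$?
    rm -f "$snapshot"
    return $rc
}
```

The script only reports; a non-zero return is meant to feed a cron job or monitoring check so that an operator is alerted while locking is still in progress, when the 7-Zip processes are visible and the originals may not all have been removed yet.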
The Vulnerabilities that are being exploited-
QNAP suggests that Qlocker has been exploiting CVE-2020-36195 to run its ransomware. QNAP fixed two vulnerabilities as of April 16:
- CVE-2020-2509: a command injection vulnerability in QTS and QuTS hero.
- CVE-2020-36195: an SQL injection vulnerability in Multimedia Console and the Media Streaming Add-On.
Conclusion-
Qlocker ransomware is exploiting a known vulnerability that has already been patched. This indicates that several organizations have not updated their firmware. So it is important that organizations keep their devices updated with the latest patches as soon as they are released.