QNAP Devices Held Hostage By Ransomware Gang Using 7Zip Archives

When we hear of ransomware attacks, it usually involves high-value targets, such as the recent $50 million attack against Apple supplier Quanta. This time, a ransomware gang took a different approach and went after consumers and small businesses running QNAP devices, locking up the files stored on them. In just five days, the gang collected $260,000 in Bitcoin from victims paying to get their devices unlocked.

The operation, called Qlocker, kicked off on Monday, exploiting newly disclosed vulnerabilities in QNAP NAS devices; affected users woke up to find their files locked. The gang pulled it off by scanning the internet for exposed QNAP devices and then moving victims' files into password-protected archives with the 7z archive utility already present on the device, rather than deploying a custom encryptor.

[Image: one of the ransomware gang's Bitcoin addresses]

This simple approach proved effective: BleepingComputer found that roughly 525 victims had paid about $260,000, and by our calculations the total has since climbed to nearly $350,000. The tally is possible because the gang rotates through 20 Bitcoin addresses on its Tor payment site, and payments to those addresses can be summed from the public blockchain.


Interestingly, security researcher Jack Cable managed to unlock roughly 55 victims' devices for free after finding a bug in the ransomware gang's payment site, which was not properly validating Bitcoin transaction IDs. That bug has since been patched, making things more difficult for affected users. If you have not restarted the QNAP device since the files were archived, however, you may be in luck: BleepingComputer further reports that you can run the following command over SSH or Telnet. It renames the real 7z binary to 7z.bak and puts a small shell script in its place that appends every argument it is called with to /mnt/HDA_ROOT/7z.log and then sleeps for a long time, so the next time the still-running ransomware invokes 7z, the full command line, including the -p<password> argument, is captured instead of more files being archived:
Command:  cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
Example:  a -mx=0 -sdel -pmFyBIvp55M46kSxxxxxYv4EIhx7rlTD [FOLDER PATH]
After running the command, watch /mnt/HDA_ROOT/7z.log for a line like the example above; the password is the text following -p (the example password is partially redacted). Note that the wrapper only records future invocations, so it helps only while the ransomware process is still alive and still calling 7z; a reboot or a completed run leaves nothing to log. If the QNAP Malware Remover tool has been run on the device, look for the log at /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/7z.log instead. QNAP is also reaching out to customers with instructions for recovering the password from the log file.
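To see the wrapper-and-log trick work end to end without a NAS, here is an added shell example (not code from the article, QNAP or BleepingComputer) that installs the same kind of logging 7z stand-in in a scratch directory, simulates a ransomware-style 7z call with a made-up password, and parses the password back out of the log. The directory, the log path and the argument list are constructed for the demonstration; only the argument shape matches the logged line above.

```shell
#!/bin/sh
# Added example, not code from the article, QNAP or BleepingComputer.
# Reproduces the 7z-wrapper trick in a scratch directory so the logging and
# password-extraction steps can be checked without touching a real NAS.
# WORK, LOG and the simulated arguments are constructed for this demo.

WORK="${TMPDIR:-/tmp}/qlocker-demo.$$"
LOG="$WORK/7z.log"

# Put a script named 7z in a private sbin directory. Like the article's
# one-liner it appends its whole argument list to the log and then blocks;
# the real trick sleeps 60000 s to keep the ransomware waiting, shortened here.
install_wrapper() {
    mkdir -p "$WORK/sbin"
    cat > "$WORK/sbin/7z" <<EOF
#!/bin/sh
echo "\$@" >> "$LOG"
sleep 1
EOF
    chmod +x "$WORK/sbin/7z"
}

# Stand-in for the ransomware: runs whatever 7z is first on PATH with the same
# argument shape as the logged line (add to archive, no compression, delete
# sources after archiving, -p<password>). The password is made up.
simulate_attacker_call() {
    (
        PATH="$WORK/sbin:$PATH"
        export PATH
        7z a -mx=0 -sdel -pSecretPassw0rd "$WORK/Multimedia"
    )
}

# Recover the password from the first logged 7z command line: 7z takes the
# password as a single token "-p<password>", so keep what follows " -p".
extract_password() {
    grep -o -- ' -p[^ ]*' "$1" | head -n 1 | sed 's/^ -p//'
}

cleanup() {
    rm -rf "$WORK"
}

install_wrapper
simulate_attacker_call
echo "Recovered 7z password: $(extract_password "$LOG")"
cleanup
```

The wrapper records nothing until the (simulated) attacker calls it, which is exactly the limitation of the real recovery trick: once the ransomware has finished or the device has rebooted, there is no further 7z invocation to capture.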

Whether or not you can recover your files for free, the stress of having them held hostage is immense. To prevent a repeat, users should keep their NAS off the public internet, since an internet-facing device is always a target for mass scanning of the kind this gang used. If internet exposure is absolutely necessary, strong, unique passwords and prompt installation of firmware and app updates are essential. In any case, let us know in the comments below if you were affected by the ransomware and whether you managed to recover your files.