Qlocker, ransomware that targets QNAP NAS devices worldwide, is attacking again. The ransomware was exploiting CVE-2021-28799, a hard-coded credentials vulnerability found in the HBS 3 Hybrid Backup Sync app. The first ransomware campaign started on April 19, 2021. If the breach is successful, Qlocker moves the files into a password-protected 7-zip archive.
Targeting all networking devices
Qlocker ransomware began attacking devices again on January 6, 2022. The notorious ransomware leaves a note named “!!!READ_ME.txt” on compromised devices. The note directs the victim to a Tor site that explains how to pay the ransom to regain access to the files. The ransom demand in the new campaign ranges between 0.02 and 0.03 bitcoins.
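A triage sweep for the two indicators described above, the “!!!READ_ME.txt” note and files repacked as 7-zip archives. This is an added example, not code from QNAP or the original article; `scan_share`, `is_7z`, `build_sample_share` and the sample files are constructed for illustration, and the check matches the 7z file signature only, so it cannot tell whether an archive is password-protected.

```python
import os
import tempfile

NOTE_NAME = "!!!READ_ME.txt"            # ransom note name given in the article
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # standard 6-byte 7z file signature


def is_7z(path):
    """True if the file begins with the 7z signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SEVENZIP_MAGIC)) == SEVENZIP_MAGIC
    except OSError:
        return False  # unreadable file: skip rather than abort the sweep


def scan_share(root):
    """Walk a share and report ransom notes, 7z archives and ordinary files."""
    report = {"notes": [], "archives": [], "other_files": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(full)
            elif is_7z(full):
                report["archives"].append(full)
            else:
                report["other_files"] += 1
    # A note alone can be a leftover; a note plus archives suggests files were packed.
    report["likely_affected"] = bool(report["notes"]) and bool(report["archives"])
    return report


def build_sample_share(root):
    """Constructed sample data: a note, one 7z-signed file, one ordinary file."""
    hit = os.path.join(root, "photos")
    os.makedirs(hit)
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write("constructed placeholder note\n")
    with open(os.path.join(hit, "img001.jpg.7z"), "wb") as fh:
        fh.write(SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 24)
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("plain text\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        print(scan_share(share))
```

Point `scan_share` at a mounted share path to run it against real data; it only reads files and changes nothing on disk.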
Users can refer to QNAP’s statement about Qlocker from last year to protect themselves from the ransomware. QNAP also published a product security statement about ransomware and brute-force attacks widely targeting all networking devices. QNAP urged all QNAP NAS users to apply the following security settings to secure their QNAP networking devices:
- Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of the NAS management service port (ports 8080 and 443 by default).
- Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click “Auto Router Configuration”, and unselect “Enable UPnP Port forwarding”.