An active ransomware campaign by Qlocker has been observed targeting QNAP devices worldwide since April 19. Rather than encrypting files directly, the ransomware moves victims' files into password-protected 7-Zip archives.
What happened?
BleepingComputer reported a surge of activity from victims on its Qlocker support forum, and the ID-Ransomware service has likewise seen an increase in submissions from victims.
In this campaign, attackers are using 7-Zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor shows various 7z processes.
Once the ransomware has finished, the files on the QNAP device are left as password-protected 7-Zip archives with a .7z extension; the password is required to extract them.
After encryption is complete, victims are left with a !!!READ_ME[.]txt ransom note. The note has a unique client key that is needed to log into the ransomware's Tor payment site.
According to the Qlocker ransom notes, every victim is told to pay 0.01 Bitcoin (about $557.74) to receive the password for their locked archives.
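The indicators described above (7z processes visible while files are locked, files replaced by .7z archives, and a !!!READ_ME.txt note dropped in the share) can be turned into a simple host-side check. The following is an added detection example, not code from the article or from QNAP; the process listing and file paths it runs over are constructed here, and the /share/<name> layout and the 7z binary names are assumptions about a typical QTS setup.

```python
import posixpath
from collections import defaultdict

# Indicators taken from the article: 7z processes while files are locked, files
# replaced by .7z archives, and a !!!READ_ME.txt note (defanged as !!!READ_ME[.]txt there).
RANSOM_NOTE = "!!!READ_ME.txt"
SEVENZIP_BINARIES = {"7z", "7za", "7zr"}   # assumed binary names on the device
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"     # first 6 bytes of a 7z container


def sevenzip_processes(ps_lines):
    """Return command lines whose executable is a 7-Zip binary.

    ps_lines: strings shaped like `ps -eo pid,args` output, i.e. "<pid> <argv...>".
    """
    hits = []
    for line in ps_lines:
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        argv = fields[1].split()
        if argv and posixpath.basename(argv[0]) in SEVENZIP_BINARIES:
            hits.append(fields[1])
    return hits


def is_sevenzip_container(header):
    """True if the leading bytes carry the 7z signature, whatever the file is named."""
    return header[:6] == SEVENZIP_MAGIC


def scan_paths(paths, min_archives=5, min_ratio=0.5):
    """Group files by share (/share/<name>) and flag shares that now consist
    mostly of .7z archives, or that contain the ransom note."""
    stats = defaultdict(lambda: {"total": 0, "archives": 0, "note": False})
    for path in paths:
        parts = path.strip("/").split("/")
        if len(parts) < 3:          # need /share/<name>/<file>
            continue
        share = "/" + "/".join(parts[:2])
        name = parts[-1]
        s = stats[share]
        s["total"] += 1
        if name.lower().endswith(".7z"):
            s["archives"] += 1
        if name == RANSOM_NOTE:
            s["note"] = True
    findings = []
    for share, s in sorted(stats.items()):
        ratio = s["archives"] / s["total"]
        suspicious = s["note"] or (s["archives"] >= min_archives and ratio >= min_ratio)
        findings.append({"share": share, **s, "suspicious": suspicious})
    return findings


def assess(ps_lines, paths):
    """Combine both signals: active 7z processes plus the archive/ransom-note footprint."""
    procs = sevenzip_processes(ps_lines)
    hit_shares = [f["share"] for f in scan_paths(paths) if f["suspicious"]]
    if procs and hit_shares:
        severity = "high"      # archiving still in progress: stop it and isolate the device
    elif procs or hit_shares:
        severity = "medium"    # one signal alone; 7z use can be legitimate
    else:
        severity = "none"
    return {"severity": severity, "sevenzip_processes": procs,
            "suspicious_shares": hit_shares}


# Constructed sample data standing in for `ps -eo pid,args` and a file walk.
SAMPLE_PS = [
    "1 /sbin/init",
    "2345 /usr/local/sbin/Qthttpd -p 8080",
    "3012 /usr/bin/7z a /share/Public/photo3.jpg.7z /share/Public/photo3.jpg",
    "3013 7z a /share/Multimedia/video.mp4.7z /share/Multimedia/video.mp4",
]
SAMPLE_PATHS = [
    "/share/Public/photo1.jpg.7z", "/share/Public/photo2.jpg.7z",
    "/share/Public/photo3.jpg.7z", "/share/Public/doc1.pdf.7z",
    "/share/Public/doc2.pdf.7z", "/share/Public/backup.tar.7z",
    "/share/Public/notes.txt", "/share/Public/!!!READ_ME.txt",
    "/share/Web/index.html", "/share/Web/style.css",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PS, SAMPLE_PATHS))
```

The ratio threshold matters: a share that legitimately holds a handful of archives should not trip the check, while a share where most files have been replaced by .7z archives, or where the note is present at all, should. On a live device the inputs would come from the process table and a walk of /share, and the "high" case is the moment to kill the 7z processes and take the device off the network.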
Exploited vulnerabilities
QNAP believes that Qlocker operators are exploiting the CVE-2020-36195 vulnerability to execute their ransomware. On April 16, the company fixed two vulnerabilities with the following details:
CVE-2020-2509: A command injection vulnerability that exists in the QTS and QuTS hero.
CVE-2020-36195: A SQL injection vulnerability that exists in the Multimedia Console and the Media Streaming Add-On.
Conclusion
Qlocker ransomware is exploiting a known vulnerability that has already been patched. This indicates that several organizations using QNAP ..