Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices

Emily Charlotes

Update 4/22/21: A bug was discovered last night that allowed victims to recover their 7zip password for free but was fixed soon after being discovered. You can find more info in the update below.
Update 4/24/21: A frequently asked questions section has been added to the bottom of the article.


A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. Since then, there has been an enormous amount of activity in our support forum, and the ID-Ransomware ransomware identification site has seen a surge of submissions from victims.

ID-R submissions from Qlocker victims

According to reports from victims in a BleepingComputer Qlocker support topic, the attackers use 7-zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor will display numerous ‘7z’ processes which are the 7zip command-line executable.

7zip seen running in the QNAP Resource Monitor

When the ransomware has finished, the QNAP device’s files will be stored in password-protected 7-zip archives ending with the .7z extension. To extract these archives, victims will need to enter a password known only to the attacker.

Password-protected 7zip archive

After QNAP devices are encrypted, users are left with a !!!READ_ME.txt ransom note that includes a unique client key that the victims need to enter to log into the ransomware’s Tor payment site.

Qlocker ransom note

From the Qlocker ransom notes seen by BleepingComputer, all victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. 

Qlocker Tor payment site

After paying the ransom and entering a valid Bitcoin transaction ID, the Tor payment site will display the password for the victim’s 7Zip archives, as shown below.

The password displayed after a ransom is paid

This password is unique to the victim and cannot be used on other victims’ devices.

Update 4/22/21 09:15 AM EST: Early this morning, BleepingComputer was contacted by security researcher Jack Cable about a bug he discovered in the Qlocker Tor site that allowed users to recover their 7zip passwords for free.

Using this bug, victims could take a Bitcoin transaction ID from a person who had already paid and slightly alter it. When they submitted the altered transaction ID into the Qlocker Tor site, it accepted it as payment and displayed the victim’s 7zip password.

Last night, Cable had been privately helping people recover their passwords, and arrangements were being made with Emsisoft to create a help system to better exploit this weakness.

Sadly, an hour after we learned of the bug, the ransomware operators caught on and fixed it.

At this point, there is no way to recover the files without a password, which can no longer be retrieved for free.

QNAP believes attackers are exploiting vulnerabilities

Recently QNAP resolved critical vulnerabilities that could allow a remote actor to gain full access to a device and execute ransomware.

QNAP fixed these two vulnerabilities on April 16th with the following descriptions:

More information about these vulnerabilities can be found in a blog post by the SAM Seamless Network research team, who disclosed the bugs to QNAP in October and November.

QNAP told BleepingComputer that they believe Qlocker exploits the CVE-2020-36195 vulnerability to execute the ransomware on vulnerable devices.

Due to this, it is strongly recommended to update QTS, Multimedia Console, and the Media Streaming Add-on to the latest versions.

“QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices,” QNAP stated in a security advisory.

QNAP warns that if a device’s files have been encrypted, they should not reboot the device and instead immediately run the malware scanner.

“If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at https://service.qnap.com/,” advises QNAP.

While the malware scanner and security updates will not recover your files, they will protect you from future attacks using this vulnerability.

Qlocker frequently asked questions

Trying to follow all the information in this article’s comments and the Qlocker support topics can quickly become overwhelming.

To help QNAP owners and Qlocker victims, we have put together this FAQ regarding the attack using various contributions from QNAP users who have posted comments to this article and the Qlocker help topic.

How did my files get encrypted?

The Qlocker threat actors exploit vulnerabilities in QNAP devices that allow them to execute commands on your NAS device remotely.

While most ransomware operations deploy specially crafted malware programs, the Qlocker attackers are simply scanning for QNAP devices and using vulnerabilities to remotely launch the built-in 7zip archive utility to password-protect files.

With this type of attack, QNAP devices are not being infected with any malware but simply being abused by vulnerabilities taking advantage of software already bundled with the operating system.

It is unclear what vulnerabilities are being used, but it is believed to be one of the following, which QNAP fixed this month.

QNAP has told BleepingComputer that they believe it is the CVE-2020-36195 vulnerability that is being exploited.

Updates for all of these vulnerabilities were released earlier this month and should be installed immediately.

My files are being encrypted! What should I do?

If you see that your QNAP files are actively being encrypted, you should immediately disable myQNAPcloud and change the default web admin port from port 8080 to another port number.

These changes will effectively prevent the threat actors from issuing further 7zip commands to password-protect your files.

Now that the threat actors can no longer access your device remotely, you should terminate any active ‘7z’ processes that may be running to stop any current encryption commands.

You can do this by logging into your QNAP device via SSH or Telnet using the following guide.

Then issue the following command at the console to terminate all 7z processes.

kill -9 `ps |grep sbin/7z|grep -v grep|awk '{ print $1 }'`

Is there a way to get our passwords for free?

Tuesday night, security researcher Jack Cable discovered a method that tricked the ransomware payment site into thinking a payment was made and to display the victim’s passwords.

Unfortunately, this bug was short-lived, and the bug no longer works.

For users who have not restarted their QNAP device since being encrypted, it may be possible to recover your password from the ‘7z.log’ file using a command offered by a victim.

The following command must be entered from the QNAP console when you are connected via SSH or Telnet. It swaps the real 7z binary for a small shell stub that appends its arguments (including the -p password) to a log file and then sleeps, so any further 7z invocations by the attackers are recorded instead of executed.

cd /usr/local/sbin; printf '#!/bin/sh\necho "$@" >>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;

Once you have executed the above command, you can look in /mnt/HDA_ROOT/7z.log for a 7z command line showing your password, as in the example below.

a -mx = 0 -sdel -pmFyBIvp55M46kSxxxxxYv4EIhx7rlTD [FOLDER PATH]

In the above case, the password is ‘mFyBIvp55M46kSxxxxxYv4EIhx7rlTD.’

A YouTube video has been created to demonstrate how to perform this task.

If you have run QNAP’s Malware Remover tool, the program will have moved the 7z.log to ‘/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/7z.log’.

QNAP is emailing customers instructions with more information on possibly recovering a password from the 7z.log file.

Unfortunately, if you have previously restarted your device, the log file contents will be wiped.

In some cases, even if you have not restarted your device, the log file may be empty.
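The two recovery steps above (terminating the running 7z processes, and reading the password back out of the 7z.log written by the wrapper script) both come down to the same thing: the password travels on the 7z command line as a -p argument. The following shell functions are an added example, not part of the article or of QNAP’s tooling. They parse a 7z.log-style file for -p arguments, and, as an assumption about QTS exposing /proc, let you snapshot the command lines of still-running 7z processes into such a file before you kill them, so the password is not lost with the process. The sample log is constructed from the redacted command line shown in the article.

```shell
#!/bin/sh
# Added example (not from the article or from QNAP): recover Qlocker 7z
# passwords from captured 7z command lines. Works on a 7z.log produced by the
# logging wrapper, or on a snapshot of /proc/<pid>/cmdline for running 7z
# processes (assumes the NAS exposes /proc like a normal Linux system).

# Print one password per line for every 7z invocation that carried a -p option.
# A logged line looks like:  a -mx = 0 -sdel -pSECRET /share/CACHEDEV1_DATA/Photos
qlocker_passwords_from_log() {
    # $1: path to the log file
    # tr turns NUL-separated /proc cmdline snapshots into plain space-separated text
    tr '\0' ' ' < "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                # 7z takes the password glued to the switch: -pPASSWORD
                if (substr($i, 1, 2) == "-p" && length($i) > 2) {
                    print substr($i, 3)
                }
            }
        }' | sort -u
}

# Snapshot the command lines of every running 7z process into a file, one per
# line, BEFORE killing them: the -p argument is part of that command line.
snapshot_running_7z() {
    # $1: output file (overwritten)
    : > "$1"
    for p in /proc/[0-9]*; do
        line=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        case "$line" in
            7z\ *|*/7z\ *) echo "$line" >> "$1" ;;
        esac
    done
}

# Constructed sample log; the password is the redacted one shown in the article.
make_sample_log() {
    cat > "$1" <<'EOF'
a -mx = 0 -sdel -pmFyBIvp55M46kSxxxxxYv4EIhx7rlTD /share/CACHEDEV1_DATA/Photos
a -mx = 0 -sdel -pmFyBIvp55M46kSxxxxxYv4EIhx7rlTD /share/CACHEDEV1_DATA/Docs
EOF
}
```

Typical use on the NAS console: run `snapshot_running_7z /mnt/HDA_ROOT/7z-running.txt` first, then the kill command from the previous section, then `qlocker_passwords_from_log /mnt/HDA_ROOT/7z-running.txt` (or the same on /mnt/HDA_ROOT/7z.log once the wrapper has captured a run). Keep the output file off any share the attackers might still reach, and copy it somewhere safe before any reboot, since the article notes a restart wipes the log.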

What has QNAP’s response been?

In a security advisory released Tuesday, QNAP advises users not to restart their QNAP devices and to run the latest version of the Malware Remover to help protect against Qlocker.

When executed, Malware Remover will perform the following tasks:

  • Rename /usr/local/sbin/7z to 7z.orig.
  • Replace /usr/local/sbin/7z with this script.
  • The script will copy various data to the current 7z.log file and then copy that file to ‘/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/7z.log’.
  • Look for and quarantine the /tmp/qnap/r.py and /tmp/qnap/re.sh scripts in the /tmp/qnap folder. If you have these scripts, we would love to see them, and you can submit them here.

In addition to running Malware Remover, QNAP is advising users to immediately update to the latest versions of Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync through the App Center.

After installing the latest updates, QNAP advises customers to review their guide on best practices to enhance NAS security.

How to decrypt multiple files at once

If you found your passwords or paid the ransom, you can use the following command (thanks ss1973) to decrypt all of your files at once from within Windows.

SET source=C:\Users\thomb158\Downloads\5thKind7z
FOR /F "TOKENS=*" %%F IN ('DIR /S /B "%source%\*.7z"') DO "C:\Program Files\7-Zip\7z.exe" x -pPASSWORD "%%~fF" -o"%%~dpF"
EXIT

In the above command, ‘SET source=’ is the path to your encrypted files, and -p is the password; each archive is extracted into the drive and folder it sits in (‘%%~dpF’). You will also need to have installed the 7zip program.

If anyone has a command to perform these steps directly through the QNAP console, please let me know.
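As an added example (not from the article or from ss1973), here is a QNAP-console counterpart of the Windows batch loop above, written for the BusyBox-style sh on the NAS. It walks a share, extracts every .7z archive next to itself with the recovered password, and deliberately leaves the archives in place so nothing is lost if the password turns out not to fit some of them. It assumes the real 7-Zip binary is still on the device, possibly renamed to 7z.orig by Malware Remover or to 7z.bak by the logging trick; the candidate paths are taken from the article.

```shell
#!/bin/sh
# Added example (not from the article): bulk-extract Qlocker .7z archives in
# place from the QNAP console. Archives are kept, not deleted, after extraction.

# Locate a usable 7-Zip binary; prints its path, returns non-zero if none found.
# The candidates cover the renames done by Malware Remover and the logging trick.
find_7z_binary() {
    for c in /usr/local/sbin/7z.orig /usr/local/sbin/7z.bak /usr/local/sbin/7z; do
        if [ -x "$c" ]; then echo "$c"; return 0; fi
    done
    return 1
}

# List every .7z archive under a root directory, one path per line.
list_qlocker_archives() {
    find "$1" -type f -name '*.7z'
}

# Extract each archive into the directory it sits in.
# $1: root directory   $2: password   $3: "dry-run" to only print the commands
extract_all_qlocker_archives() {
    root=$1; pw=$2; mode=$3
    bin=$(find_7z_binary) || bin=""
    if [ -z "$bin" ]; then
        if [ "$mode" = "dry-run" ]; then
            bin=/usr/local/sbin/7z.orig   # placeholder so a dry run still shows the plan
        else
            echo "no 7-Zip binary found" >&2; return 1
        fi
    fi
    # find -exec with sh -c handles paths containing spaces safely;
    # -aos skips files that already exist so nothing gets overwritten.
    find "$root" -type f -name '*.7z' -exec sh -c '
        bin=$1; pw=$2; mode=$3; shift 3
        for f in "$@"; do
            dir=$(dirname "$f")
            if [ "$mode" = "dry-run" ]; then
                echo "$bin x -y -aos -p*** -o\"$dir\" \"$f\""
            else
                "$bin" x -y -aos -p"$pw" -o"$dir" "$f" >/dev/null || echo "FAILED: $f" >&2
            fi
        done' sh "$bin" "$pw" "$mode" {} +
}
```

Run it first as `extract_all_qlocker_archives /share/CACHEDEV1_DATA PASSWORD dry-run` to review the list of archives, then without the last argument to extract. Spot-check a few restored files and only then delete the .7z archives by hand; any archive reported as FAILED most likely used a different password.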

Update 4/24/21: Added a frequently asked questions section.

Qlocker IOCs:

Associated Files:

!!!READ_ME.txt

Ransom note text:

!!! All your files have been encrypted !!!
 
All your files were encrypted using a private and unique key generated for the computer. This key is stored in our server and the only way to receive your key and decrypt your files is making a Bitcoin payment.
 
To purchase your key and decrypt your files, please follow these steps:
 
1. Dowload the Tor Browser at "https://www.torproject.org/". If you need help, please Google for "access onion page".
 
2. Visit the following pages with the Tor Browser:
 
gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion
 
3. Enter your Client Key:
 
[client_key]
 
