QNAP Statement About Qlocker Ransomware

Incident description, symptoms, timeline of response to Qlocker, what Malware Remover scan does

From Qnap Systems, Inc.

Recently, the Qlocker ransomware launched a hostile campaign against Qnap Systems, Inc.’s NAS devices and has caused inconvenience and data loss for our valued users.

We understand that our users are deeply troubled by this incident. While it has always been the company’s top priority to timely patch software issues and to release relevant information, we stand behind our commitment and are doubling our efforts to the continuing enhancement of the security features provided in our products. We sincerely invite our users to join us and work together toward the goal of fighting against ransomware, in order to make the Internet a safer place for everyone.

Incident description
On April 16, 2021, we released an updated version (16.0.0415) of the Hybrid Backup Sync (HBS) app to add new features and to address certain security issues described in the Qnap Security Advisory QSA-21-13. On April 21, we began to receive user reports about possible ransomware attacks. After our initial investigation, we confirmed that the Qlocker ransomware is exploiting one of the patched HBS vulnerabilities against unpatched Qnap NAS devices that are directly connected to the Internet.

The attacker took advantage of a since-patched HBS vulnerability. Once the weakness is exploited, the malware could obtain an inappropriate permission level on the affected Qnap NAS. After the NAS is breached, the attacker inserts malicious code into the system to delete all snapshots and to compress user files with a password, using the built-in 7-Zip utility that is intended for normal file compression/decompression operations. After the encryption begins, Qlocker leaves a ransom note and deletes itself to increase the difficulty of our investigation.

Based on the limited information we’ve gathered from early-reported cases, we released updated detection rules for the Qnap NAS Malware Remover app to detect and stop malware activities. We’ve also added short scripts that attempt to extract the encryption key while the compression is still in progress.

Subsequently, on April 22, we released a piece of Product Security News to urge our users to install all recently released updates, before we could confirm the actual attack path. After the path was identified, we updated the Malware Remover rule again to quarantine the HBS code in question on unpatched Qnap NAS.

Symptoms

  • Infected but not yet active
    No abnormality will be observed on a Qlocker-infected Qnap NAS.

  • Active (encryption in progress)
    If Qlocker is currently active (encryption/compression in progress), the filename extension of user files will change to ‘.7z’ one after another. Alternatively, in Resource Monitor, the 7z process will be occupying an abnormally high level of system resources.

  • Post-activity (encryption ended)
    After Qlocker has ended its malicious activity (encryption/compression ended), the filename extension of all user files (size <20MB) is now ‘.7z’. A ransom note (clear text file) is also generated on the Qnap NAS.
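The active and post-activity symptoms above (user files renamed to ‘.7z’ one after another, a 7z process consuming abnormal resources) can be checked from an SSH shell on the NAS without touching any files. The triage script below is an added example, not Qnap’s or Malware Remover’s code: it counts how many regular files under 20 MB (the size bound from the symptom description) now carry the ‘.7z’ extension and reports whether a process named 7z is running. The 50% threshold and the use of `ps -o comm=` are assumptions; the script only reads and reports, so it can be run before following the user-actionable items later in this statement.

```shell
#!/bin/sh
# Added example (not Qnap or Malware Remover code): read-only triage for the
# Qlocker symptoms described in the statement. It only counts and reports; it
# never stops processes or modifies files.

# Count regular files under 20 MB (the size bound in the symptom description)
# whose name ends in '.7z' below the given directory.
count_7z_files() {
  find "$1" -type f -name '*.7z' -size -20480k 2>/dev/null | wc -l | tr -d ' '
}

# Count all regular files under 20 MB below the given directory.
count_small_files() {
  find "$1" -type f -size -20480k 2>/dev/null | wc -l | tr -d ' '
}

# Percentage of small files that carry the '.7z' extension (0 for an empty tree).
seven_zip_ratio() {
  total=$(count_small_files "$1")
  z=$(count_7z_files "$1")
  [ "$total" -gt 0 ] || { echo 0; return; }
  echo $((z * 100 / total))
}

# Returns 0 (suspect) when the ratio meets the threshold. 50% is an assumed
# default; a normal share rarely has most of its small files as 7z archives.
qlocker_suspect() {
  ratio=$(seven_zip_ratio "$1")
  [ "$ratio" -ge "${2:-50}" ]
}

# Number of running processes whose command name is exactly '7z'.
# Assumes a ps that supports '-o comm=' (GNU procps, BusyBox); prints 0 otherwise.
running_7z_count() {
  ps -eo comm= 2>/dev/null | grep -cx '7z' || true
}

# Human-readable report for one share directory.
report() {
  dir=$1
  echo "share: $dir"
  echo "  small files ending in .7z: $(count_7z_files "$dir") of $(count_small_files "$dir") ($(seven_zip_ratio "$dir")%)"
  echo "  running 7z processes: $(running_7z_count)"
  if qlocker_suspect "$dir"; then
    echo "  verdict: SUSPECT - do not shut down or reboot; run Malware Remover and contact Qnap support"
  else
    echo "  verdict: no Qlocker encryption pattern seen"
  fi
}

# Usage: sh qlocker_triage.sh /share/CACHEDEV1_DATA/Public /share/homes
if [ $# -gt 0 ]; then
  for d in "$@"; do report "$d"; done
fi
```

A high ‘.7z’ ratio together with a live 7z process matches the “active” symptom; a high ratio with no 7z process matches “post-activity”. Either way the statement’s guidance applies: leave the NAS running and hand it to Malware Remover and Qnap support rather than acting on the files yourself.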

Timeline of our response to Qlocker

  • March 19, 2021
    Received HBS security issue report.

  • April 16, 2021
    Released the patched HBS app for the current version. To protect users who had not yet applied the update from attacks, we adjusted the disclosure time of the corresponding security advisory.

  • April 21, 2021
    Began to receive user reports about ransomware attacks. We immediately initiated our investigation.

  • April 22, 2021
    Updated the Malware Remover detection rule to stop the Qlocker encryption/compression. We also released Product Security News and the corresponding security advisory on the same day.

  • April 23 to 25, 2021
    The Qnap technical support staff around the globe worked around the clock with affected users to test and purge Qlocker, and to offer our help by all possible means.

  • April 26, 2021
    Added a new Malware Remover detection rule for Qlocker to quarantine the HBS code in question on unpatched Qnap NAS.

What Malware Remover scan does

  • By running a Malware Remover scan on a Qnap NAS infected with Qlocker (not yet active), the Qlocker malicious code will be purged. If an unpatched version of HBS is detected as well, the HBS code in question will be removed.

  • By running a Malware Remover scan on a Qnap NAS with Qlocker active (encryption/compression in progress), the encryption/compression will stop. The scan will also attempt to extract the encryption key used for the attack. If an unpatched version of HBS is detected as well, the HBS code in question will be removed.

  • By running a Malware Remover scan on a Qnap NAS after the Qlocker attack (encryption/compression ended), the HBS code in question will be removed if an unpatched version of HBS is detected.

For all Malware Remover activities, a corresponding system event log entry will be generated.

User-actionable items against Qlocker

For all users, we strongly recommend running a manual Malware Remover scan while the Qnap NAS is connected to the Internet. Malware Remover will update its detection rule to the latest version and then detect whether your Qnap NAS is under the influence of the Qlocker ransomware or the patched HBS weakness.

However, please be advised that the way your Qnap NAS is connected to the Internet also affects the overall system security. To proceed securely, refer to the general recommendations listed in the next section.

Additionally,

  • Encryption/compression active or ended
      • If your Qnap NAS is under the influence of Qlocker, regardless of the encryption/compression status, do not shut down or reboot the NAS. Do not update the NAS OS either. Please run the above-mentioned manual Malware Remover scan and contact Qnap technical support right away. We will inspect your Qnap NAS to determine whether your files can be retrieved;

  • Infected but not yet active
      • If Malware Remover detects Qlocker and purges it from your Qnap NAS, and your files are intact, please take the measures listed in the general recommendations at your earliest convenience to enhance NAS security;

  • Unaffected
      • If Malware Remover did not detect Qlocker in your Qnap NAS, you should still take the measures listed in the general recommendations at your earliest convenience to enhance NAS security.

General recommendations

To connect to your Qnap NAS from the Internet, we suggest that users make use of the myQNAPcloud Link feature provided by Qnap. No complex configuration is required to enable myQNAPcloud Link. For other users, we strongly urge that their Qnap NAS not be directly connected to the Internet, to enhance the security of the NAS. We recommend that users enable the VPN server service on their router. To access your NAS from the Internet, first establish a VPN connection to your router, and then connect to the NAS via the VPN. This can effectively harden the NAS and decrease the chance of being attacked. For details, please refer to the Qnap Blog article.

While we are actively extending our investigation to a broader scope, there is a series of actions that our users can take to make their Qnap NAS more secure against cyber attacks.

These actions include:

  • Enable auto update settings, or periodically check for OS and app updates manually

  • Refer to the 3-2-1 backup strategy and back up files stored in Qnap NAS

      • Please note: if you store the only copy of your files on the NAS, your data is not protected against all possible risks even if you’ve enabled data protection features such as RAID and snapshots. RAID only protects against disk failures, and snapshots offer protection against ransomware attacks originating from your personal computer. To make sure your files are safe and sound, back up your NAS data, or back up the backup files stored on your Qnap NAS.

  • Please refer to the second half of this Qnap Blog article for recommendations on security settings to increase NAS security.
  • Sign up for a Qnap ID and subscribe to our security advisories to receive our latest security update information.

Acknowledgement

Qnap would like to take this opportunity to acknowledge the contribution of ZUSO, the Taiwan-based information security company, for reporting the issue and helping with the response to the incident. We will continue working with ZUSO and other security research companies/teams to enhance the security and protection of all Qnap products.

Resources:

  • How do I know the NAS has been attacked by qlocker?
  • Malware Remover prompt ID MR2102
  • What should I do when found NAS is encrypting my files by 7z?
