QNAP Issue a Public Statement About the QLocker Ransomware Attack on Thousands of NAS Devices
It has been a rather turbulent few weeks for QNAP NAS users (and indeed the brand itself) since the initial impact of the QLocker ransomware impacted the storage systems of thousands of users. With many users waking up to find their data (in large parts) inaccessibly encrypted, seeking resolution with QNAP in effects to avoid paying the culprits $500+, this has been a rather troubling time for the brand, as well as the NAS Server industry as a whole. We have covered the development of QLocker over on YouTube, as well as shared potential resolutions with some absolute heroes over on Reddit, but QNAP has now issued an official statement on this, which we have replicated below.
The original statement can be found on the official QNAP page here
QNAP Statement About Qlocker Ransomware
Recently the Qlocker ransomware launched a hostile campaign against QNAP NAS and has caused inconvenience and data loss for our valued users. We understand that our users are deeply troubled by this incident. While it has always been QNAP’s top priority to timely patch software issues and to release relevant information, we stand behind our commitment and are doubling our efforts to the continuing enhancement of the security features provided in our products. We sincerely invite our users to join us and work together toward the goal of fighting against ransomware, in order to make the Internet a safer place for everyone.
On April 16, 2021, we released an updated version (16.0.0415) of the Hybrid Backup Sync (HBS) app to add new features and to address certain security issues described in the QNAP Security Advisory QSA-21-13. On April 21, we began to receive user reports about possible ransomware attacks. Subsequently, after our initial investigation, it is confirmed that the Qlocker ransomware is exploiting one of the patched HBS vulnerabilities against unpatched QNAP NAS that are directly connected to the Internet.
The attacker took advantage of a patched HBS vulnerability. Once the weakness is exploited, the malware could obtain the inappropriate permission level of the QNAP NAS involved. After the NAS is breached, the attacker would insert malicious code into the system to delete all snapshots and to compress user files with a password by using the built-in 7-Zip utility that is intended for normal file compression/decompression operations. After the encryption begins, Qlocker will leave a ransom note and delete itself to increase the difficulty of our investigation.
Based on the limited information we’ve gathered from early-reported cases, we released updated detection rules of the QNAP NAS Malware Remover app to detect and stop malware activities. We’ve also added short scripts to attempt extractions of the encryption key when the compression is still in progress.
Subsequently, on April 22, we released a piece of Product Security News to urge our users to install all recently-released updates before we can confirm the actual attack path. And after the path is identified, we updated the Malware Remover rule again to quarantine the HBS code in question for unpatched QNAP NAS.
- Infected but not yet active
- No abnormality will be observed for Qlocker-infected QNAP NAS.
- Active (encryption in progress)
- If Qlocker is currently active (encryption/compression in progress), the filename extension of user files will become “.7z” one after one. Alternatively, in Resource Monitor, the 7z process is occupying an abnormally high level of system resources.
- Post-activity (encryption ended)
- After Qlocker ended its malicious activity (encryption/compression ended), the filename extension of all user files (size < 20MB) is now “.7z”. A ransom note (clear text file) is also generated on QNAP NAS.
Timeline of Our Response to Qlocker
- March 19, 2021
- Received HBS security issue report.
- April 16, 2021
- Released the patched HBS app for the current version. To protect users who have not yet applied the update from attacks, we adjusted the disclosure time for the corresponding security advisory.
- April 21, 2021
- Began to receive user reports about ransomware attacks. We immediately initiated our investigation.
- April 22, 2021
- Updated the Malware Remover detection rule to stop the Qlocker encryption/compression. We’ve also released Product Security News and the corresponding security advisory on the same day.
- April 23 to 25, 2021
- The QNAP technical support staff around the globe worked around the clock with affected users to test and purge Qlocker, and to offer our help by all possible means.
- April 26, 2021
- Added new Malware Remover detection rule for Qlocker to quarantine the HBS code in question for unpatched QNAP NAS.
What a Malware Remover scan does
- By running a Malware Remover scan on a QNAP NAS with Qlocker infected (not yet active), the Qlocker malicious code will be purged. If an unpatched version of HBS is detected as well, the HBS code in question will be removed.
- By running a Malware Remover scan on a QNAP NAS with Qlocker active (encryption/compression in progress), the encryption/compression will stop. The scan will also attempt to extract the encryption key used for the attack. If an unpatched version of HBS is detected as well, the HBS code in question will be removed.
- By running a Malware Remover scan on a QNAP NAS after the Qlocker attack (encryption/compression ended), the HBS code in question will be removed if an unpatched version of HBS is detected.
For all Malware Remover activities, corresponding system event log will be generated.
User-actionable items against Qlocker
For all users, we strongly recommend running a manual Malware Remover scan while the QNAP NAS is connected to the Internet. Malware Remover will update its detection rule to the latest version, and then detect if your QNAP NAS is under the influence of the Qlocker ransomware and the patched HBS weakness.
However please be advised that the way your QNAP NAS is connected to the Internet also affects the overall system security. To proceed securely, please refer to the general recommendations listed in the next section.
- Encryption/compression active or ended
- If your QNAP NAS is under the influence of Qlocker, regardless of the encryption/compression status, do not shutdown or reboot the NAS. Do not update the NAS OS as well. Please run the above mentioned manual Malware Remover scan and contact QNAP technical support right away. We will inspect your QNAP NAS to determine if your files could be retrieved;
- Infected but not yet active
- If Malware Remover detects Qlocker and purges it from your QNAP NAS, and your files are intact, please take the measures listed in the general recommendations at your earliest convenience to enhance NAS security;
- If Malware Remover did not detect Qlocker in your QNAP NAS, you should still take the measures listed in the general recommendations at your earliest convenience to enhance NAS security.
We strongly urge that users do not directly connect their QNAP NAS to the Internet. This is to enhance the security of your QNAP NAS. We recommend users to enable the VPN server service on their router. To access your QNAP NAS from the Internet, first establish a VPN connection to your router, and then connect to the QNAP NAS via VPN. This can effectively harden the NAS and decrease the chance of being attacked. You can also use the myQNAPcloud Link relay feature provided by QNAP. For details, please refer to the QNAP Blog article: https://blog.qnap.com/nas-internet-connect-en/
While we are actively extending our investigation to a broader scope, there is a series of actions that our users can take to make their QNAP NAS more secure for defending against cyber attacks. These actions include:
- Enable auto update settings, or periodically check for OS and app updates manually
- Refer to the 3-2-1 backup strategy and back up files stored in QNAP NAS
- Please note: if you store the only copy of your files in QNAP NAS, even if you’ve enabled data protection features such as RAID and snapshots, your data is not protected against all possible risks. RAID only protects against disk failures, and snapshots offer protections for the scenario of ransomware attacks from your personal computer. To make sure your files are safe and sound, back up your NAS data, or back up the backup file stored in your QNAP NAS.
- Please refer to the second half of this QNAP Blog article for recommendations on security settings to increase NAS security: https://blog.qnap.com/nas-internet-connect-en/
- Sign up a QNAP ID and subscribe to our security advisories to receive our latest security update information: https://account.qnap.com/
We would take this opportunity to acknowledge the contribution of ZUSO, the Taiwan-based information security company, for reporting the issue and helping with the response of the incident. We will continue working with ZUSO and other security research companies/teams to enhance the security and protection of all QNAP products.
So, What Do You Guys Think?
Now QNAP has issued a formal statement on this, I would genuinely love to hear your thoughts on this – Share your thoughts below in the comments below, contacting us (if you are affected) on the free advice section or over on YouTube. I look forward to sharing your thoughts, reactions and feedback on QNAP’s official statement later this week on YouTube, so if you can keep it constructive and relative, that is always the best way forward! Thanks for reading and I look forward to hearing from you!