Qlocker
Qlocker is a ransomware strain that targeted QNAP network-attached storage (NAS) devices in a large-scale campaign beginning on 2021-04-19.
Profile source: Mallory opens in a new tabQlocker
Family profile
Qlocker is a ransomware strain that targeted QNAP network-attached storage (NAS) devices in a large-scale campaign beginning on 2021-04-19. It primarily affected internet-exposed QNAP systems and abused vulnerabilities in QNAP applications to remotely launch the built-in 7-Zip utility, placing victim files into password-protected .7z archives rather than using a custom encryption routine. Affected users were left with a ransom note named "!!!READ_ME.txt" containing a unique client key and instructions to access a Tor payment site, where operators demanded 0.01 BTC (reported as roughly $550 at the time) in exchange for the per-victim archive password. The password was unique to each victim and could not be reused across devices.
High-confidence reporting in the content states QNAP believed the campaign exploited CVE-2020-36195, an SQL injection vulnerability in Multimedia Console and the Media Streaming Add-on, and also referenced CVE-2021-28799 in HBS 3 Hybrid Backup Sync as potentially involved. QNAP reported fixes for CVE-2020-36195 and CVE-2020-2509 on 2021-04-16, and advised users to update Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync, install and run the latest Malware Remover, and avoid rebooting already-affected devices. During active attacks, numerous "7z" processes could be observed, and QNAP Malware Remover was described as quarantining scripts such as /tmp/qnap/r.py and /tmp/qnap/re.sh. The content also notes a possible recovery avenue on non-rebooted devices by extracting the archive password from /mnt/HDA_ROOT/7z.log, or from /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/7z.log after Malware Remover activity.
The campaign was widely reported as infecting hundreds of QNAP devices per day. Qlocker is consistently associated with QNAP-focused ransomware activity and is mentioned alongside other operations such as DeadBolt, Checkmate, and eCh0raix as part of the broader pattern of ransomware targeting vulnerable QNAP NAS appliances.
Ransomware.live
Operational record
Reporting
Research mentioning Qlocker
QNAP社製NASを狙うDeadBoltランサムウェアに関連した調査 - セキュリティ研究センターブログ
過去にもQLockerやech0raix等のランサムウェアがQNAP NASの脆弱性を悪用するケースは度々ありました。
QNAP warns of critical auth bypass flaw in its NAS devices
Some ransomware operations previously known for targeting QNAP devices are DeadBolt, Checkmate, and Qlocker.
New Qlocker ransomware is hitting hundreds of QNAP NAS devices per day | The Record from Recorded Future News
A new ransomware strain named Qlocker is on a rampage and infecting hundreds of QNAP network-attached storage (NAS) devices every day, taking over hard drives, moving users' files inside password-protected 7zip archives, and asking for a $550 ransom payment.
Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices
A massive ransomware campaign targeting QNAP devices worldwide is underway... The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021.