Users' NAS devices are being encrypted with 7zip




A targeted ransomware attack on QNAP devices is encrypting users' NAS devices and demanding a ransom to get the files back. It is a massive campaign that uses two ransomware families called "Qlocker" and "eCh0raix".



Affected users are finding that their files have been encrypted and are now stored in password-protected 7zip archives. Qlocker uses the compression tool to move the data stored on QNAP devices into .7z files protected with a password known only to the attacker.



All victims are required to pay a ransom in Bitcoin.




Qlocker Payment Page




Victims report that the QNAP resource monitor shows multiple '7z' processes, and that once the entire QNAP device is encrypted, the user is left with only one text file, called !!! READ_ME.txt, containing the ransom note.
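The indicators reported above (multiple 7z processes, the ransom note file, and folders whose contents have become .7z archives) can be checked with a short triage script. This is an added example, not code from QNAP or from the original article; the thresholds, function names and sample data are assumptions made for illustration.

```python
import os
from collections import Counter

RANSOM_NOTE = "!!! READ_ME.txt"  # note file name exactly as the article spells it
MIN_7Z_PROCS = 2      # assumption: "multiple" 7z processes means two or more
ARCHIVE_RATIO = 0.8   # assumption: flag a folder when >= 80% of its files are .7z

def count_7z_processes(cmdlines):
    """Count command lines (e.g. from `ps -o args`) whose executable is 7z."""
    return sum(1 for c in cmdlines
               if c.split() and os.path.basename(c.split()[0]) == "7z")

def triage(paths, cmdlines):
    """Return (indicator, detail) tuples for a file listing and a process list."""
    findings = []
    procs = count_7z_processes(cmdlines)
    if procs >= MIN_7Z_PROCS:
        findings.append(("7z_processes", str(procs)))
    per_dir = {}
    for path in paths:
        folder, name = os.path.split(path)
        if name == RANSOM_NOTE:
            findings.append(("ransom_note", path))
            continue
        stats = per_dir.setdefault(folder, Counter())
        stats["total"] += 1
        stats["7z"] += int(name.lower().endswith(".7z"))
    for folder, stats in sorted(per_dir.items()):
        if stats["7z"] / stats["total"] >= ARCHIVE_RATIO:
            findings.append(("mostly_7z", folder))
    return findings

def list_files(root):
    """Walk a real share and return every file path, for use with triage()."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

# Constructed sample data (not taken from a real device).
SAMPLE_PATHS = [
    "/share/Public/!!! READ_ME.txt",
    "/share/Public/report.docx.7z",
    "/share/Public/budget.xlsx.7z",
    "/share/Backups/old.7z",
    "/share/Backups/notes.txt",
    "/share/Backups/photo.jpg",
]
SAMPLE_PS = [
    "7z a /share/Public/report.docx.7z /share/Public/report.docx",
    "/usr/bin/7z a /share/Public/budget.xlsx.7z /share/Public/budget.xlsx",
    "sshd: admin",
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_PATHS, SAMPLE_PS):
        print(f"{indicator}: {detail}")
```

On a live system, pass `list_files()` output for a share and the current process command lines instead of the constructed samples.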



In addition to containing a message indicating to the user that all their files have been encrypted, the text also includes a unique key that the victim must use to enter the attacker's website within the Tor network and make a payment.



As reported in BleepingComputer, all those affected are required to pay 0.01 Bitcoin, that is to say, just over 400 euros, to obtain a password and unlock their files.







What to do if you have a QNAP NAS affected by the Qlocker and eCh0raix ransomware attack






The password is unique for each device, so it cannot be used on other victims' devices. QNAP believes that the Qlocker ransomware is taking advantage of a vulnerability that the company corrected on April 16 to hijack files on devices that are still vulnerable because they have not been updated.




QNAP strongly urges all users to immediately install the latest version of Malware Remover and run a malware scan on their QNAP NAS. The Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync applications should also be updated to the latest available version to further protect the QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove the malware from infected devices.




Besides this, QNAP advises that if the files on a device have already been encrypted, the user should not reboot the device and should instead immediately run the malware scanner and contact technical support.