Friday, April 23rd 2021

QNAP NAS Affected by Qlocker Ransomware, Company Advises Immediate Action to Secure Your Data

QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users' data for ransom. QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.

QNAP has released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack. If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at this page.
For unaffected users, it's recommended to immediately install the latest Malware Remover version and run a malware scan as a precautionary measure. All users should update their passwords to stronger ones, and the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version. Additionally, users are advised to modify the default network port 8080 for accessing the NAS operating interface. Steps to perform the operation can be found in the information security best practice offered by QNAP (https://qnap.to/3daz2n). The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security.

For details, please refer to the QNAP security advisory QSA-21-11 (this page) and QSA-21-13 (this page).

QNAP Product Security Incident Response Team (PSIRT) constantly monitors the latest intelligence to deliver up-to-date information and software updates, ensuring data security for users. Once again, QNAP urges users to take the above-mentioned actions and periodically check/install product software updates to keep their devices away from malicious influences. QNAP also provides the best practice for improving personal and organizational information security. By working together to fight against cybersecurity threats, we make the Internet a safer place for everyone.

17 Comments on QNAP NAS Affected by Qlocker Ransomware, Company Advises Immediate Action to Secure Your Data

#1
TheUn4seen
I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.
#2
DeathtoGnomes
TheUn4seen
I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.
There are several ports intentionally left open by m$'s firewall that can't be closed. Why? IDK, but let's call it telemetry ports just to be silly. I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?

But this reads as if the malware was pre-installed and shipped.
#3
FreedomEclipse
~Technological Technocrat~
QNAP also suggested disabling the default admin user account. I have done this but this has caused all sorts of issues to do with user access rights and privileges even if I have the new admin account given full privileges and access to some folders and files.

NAS won't let new admin account access certain shared folders even though access privileges have been set up to include new admin account.
NAS won't let new admin delete files remotely when accessed remotely from an Android device.
NAS won't let me cut/copy or paste data from NAS to my desktop with new admin account from within Windows unless I disable Windows ACL.

I've checked the user privileges loads of times and played around. I got shared folder access back but I still can't delete files if I'm using my tablet to access the NAS and I got my cut/copy paste back by disabling ACL.

I've been told that the Windows ACL function/feature is bugged and from what I read on their forums, it has been bugged for a long time.
#4
trparky
DeathtoGnomes
There are several ports intentionally left open by m$'s firewall that can't be closed. Why? IDK, but let's call it telemetry ports just to be silly.
Where's your proof on that? Because last time I checked and yes, I actually did check, this isn't true at all. The port scans prove it. Stop spreading FUD.
#5
Solaris17
Dainty Moderator
Storage appliances facing the web has always confused me.
#6
newtekie1
Semi-Retired Folder
DeathtoGnomes
There are several ports intentionally left open by m$'s firewall that can't be closed. Why? IDK, but let's call it telemetry ports just to be silly.
What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP (by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.
DeathtoGnomes
I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?
Windows doesn't allow this by default either. You have to have a password to share data.
#7
destruya
I have a QNAP TS-231P but nothing on it is vital - being able to access media anywhere on my laptop or phone is a good boredom alleviator. That still hasn't stopped ~skript kiddiez~ from probing it with brute force password attacks.

All the data I can't afford or don't want to lose/have compromised is air-gapped.

That being said, my next NAS will be *built*, not *bought*. In addition to this, QNAP's been slowly moving apps over to a micro-transaction model. They think they're being slick about it, but everyone who's paying attention knows what's up.
#8
DeathtoGnomes
newtekie1
Windows doesn't allow this by default either. You have to have a password to share data.
Should have been clearer, wasn't thinking default.
newtekie1
What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP (by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.
That's a big IF really.
#9
holyprof
QNAP is a joke. Same thing happened 2 years ago. They just shrugged it off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]
#10
newtekie1
Semi-Retired Folder
DeathtoGnomes
That's a big IF really.
Not really. I'd say a very large majority of computers don't have public IPs.
#11
Chaitanya
holyprof
QNAP is a joke. Same thing happened 2 years ago. They just shrugged it off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]
So they should drop Q from their brand name on urgent basis.
#12
R-T-B
newtekie1
Not really. I'd say a very large majority of computers don't have public IPs.
But don't worry, IPv6 will fix this. :p
#13
DeathtoGnomes
newtekie1
Not really. I'd say a very large majority of computers don't have public IPs.
I agree but that doesn't mean some hacker will visit your neighborhood looking for available connections. And we're back to learn2secure your network and devices.
R-T-B
But don't worry, IPv6 will fix this. :p
IPv6, I heard of that before, where.... :rolleyes:
#14
trparky
R-T-B
But don't worry, IPv6 will fix this. :p
And on my router, I actually have to enable a firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.
#15
R-T-B
trparky
And on my router, I actually have to enable a firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.
A good router will do this. I was sarcastically referring to the designers' "dream spec" of IPv6, which essentially is an IoT world where every device has a public IP.

Yeah, that's a bad idea, just like it sounds.
DeathtoGnomes
IPv6, I heard of that before, where....
Most ISPs provide it now actually. Even Verizon and Comcast do.
#16
newtekie1
Semi-Retired Folder
DeathtoGnomes
I agree but that doesn't mean some hacker will visit your neighborhood looking for available connections. And we're back to learn2secure your network and devices.
Sure, that was a valid argument back when routers shipped with no WiFi password and WEP was the default security method. But not now.
#17
trparky
R-T-B
designers' "dream spec" of IPv6, which essentially is an IoT world where every device has a public IP.
Reminds me of the bad old days of the first cable modems, your Network Neighborhood was literally your neighborhood. With everything having a public IP your Network Neighborhood would be the whole damn planet. How they thought that was a good idea, I'll never know.