Qlocker, an infamous ransomware rise in prominence after victimizing the QNAP NAS storage, uses 7-zip to move files into password-protected archives...

Continue reading
Qlocker is a malicious program classified under the ransomware type that overruns the storage device access while acting as a file locker—locking the user data access demanding ransoms until a password is provided for access recovery.

The ransomware came into prominence after exclusively exploiting the zero-day vulnerability CVE-2021-28799 detected in the old versions of QNAP NAS storage devices reportedly since then, the number of exploits rose exponentially encrypting the files by storing them in password-protected 7-zip archives. However, QNAP believes that Qlocker operators exploit the CVE-2020-36195 vulnerability to execute their ransomware as the company has already patched the known vulnerability that Qlocker has exploited.
While the original extensions of compromised files are changed to the ".7z" extension along with a "!!!READ_ME.txt" into affected folders with a ransom note and an access key to the ransomware payment site. As it leads to incompatible authorization of user access and is tagged to the weakness category CWE-285.
The ransom prompt reflected over the infected folders translates that victims' files have been encrypted. To retrieve the data, the concerned user needs a decryption key that is only available if the ransom demand is fulfilled. QNAP classified this CVE with a severity score of 10.
However, the ransom size is not disclosed in the ransom note. For more details, victims are directed to use Tor Browser and the "Client Key" assigned to them to access the intended webpage of the website mentioned in the ransom note.
cd /usr/local/sbin; printf '#!/bin/sh \necho $@\necho $@>>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z;
Conducts thorough monitoring and scanning of the target system, identifies the existing unpatched vulnerabilities to be exploited in order to gain root access to the stored data. The threat actors start executing the 7-zip archival utility with encryption to lock user access to all the files on the device with a unique password for access recovery. Besides, a !!ReadMe!! File is added as a ransom note with details on the fund transfer procedure to the attackers.

To obtain the password which remains unique and cannot be used on other devices, the victims are required to access the payment webpage via Tor Browser, enter a specified client ID, and make the ransom payment in Bitcoins based on the ransom demand. Once the payment is successful, a secret password would reflect on the screen, decrypting the files. However, each file would have to be unlocked individually as the files/folders are locked as separate units and not compressed into a single folder.
