Ransomware group makes $260,000 in 5 days after exploiting a vulnerability to encrypt QNAP devices and demanding ransom via the dark web

The ransomware group made $260,000 in just five days by exploiting a QNAP vulnerability to run the 7zip archive program remotely and encrypt the files on victims' QNAP devices.

Beginning Monday, QNAP NAS users all over the world discovered that a ransomware called Qlocker had used a vulnerability to encrypt the files on their devices.

The ransomware group scanned for QNAP devices connected to the Internet and used recently disclosed vulnerabilities to exploit them. These exploits allow the threat actors to remotely execute the 7zip archive utility and move all files on the victim's NAS into password-protected archives, leaving the victim without the password.

Using this simple method, and relying on the well-tested encryption built into the 7zip archive utility rather than on custom malware, they were able to encrypt more than a thousand QNAP devices in just five days.
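As an added illustration, not code from the article, here is a small defender-side check for the tell the article describes: 7-Zip being launched in archive-creation mode with a password switch. The log lines and the "timestamp pid user command" layout are constructed for this example and are not a real QNAP log format.

```python
import os
import shlex
from typing import Dict, List

# Binary names under which 7-Zip is commonly installed.
SEVENZIP_NAMES = {"7z", "7za", "7zr", "7zz"}


def is_password_archive_cmd(argv: List[str]) -> bool:
    """True when argv runs 7-Zip in 'add' mode with a -p (password) switch:
    the combination that turns plain files into password-locked .7z archives."""
    if not argv or os.path.basename(argv[0]) not in SEVENZIP_NAMES:
        return False
    if len(argv) < 2 or argv[1] != "a":  # 'a' = add/create archive
        return False
    return any(tok.startswith("-p") for tok in argv[2:])


def find_suspicious_7z(log_text: str) -> List[Dict[str, str]]:
    """Scan 'timestamp pid user command...' lines and return those that create
    password-protected archives, with the password switch masked for reporting."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes etc.: not a parsable command
            continue
        if is_password_archive_cmd(argv):
            masked = " ".join("-p***" if t.startswith("-p") else t for t in argv)
            hits.append({"time": ts, "pid": pid, "user": user, "cmd": masked})
    return hits


# Constructed sample log (hypothetical paths, user and password), not real data.
SAMPLE_LOG = """\
2021-04-20T02:11:05Z 4412 admin /usr/local/sbin/7z a -pS3cret -mx0 /share/Photos/2019.7z /share/Photos/2019
2021-04-20T02:11:06Z 4413 admin /usr/local/sbin/7z a -pS3cret -mx0 /share/Docs/tax.7z /share/Docs/tax
2021-04-20T02:11:07Z 4414 admin /bin/ls -la /share
2021-04-20T02:11:08Z 4415 admin 7z x /share/backup.7z
2021-04-20T02:11:09Z 4416 admin /usr/local/sbin/7z a /share/Docs/archive.7z /share/Docs/report.pdf
"""

if __name__ == "__main__":
    for hit in find_suspicious_7z(SAMPLE_LOG):
        print(hit)
```

Two events in quick succession from the same user is the pattern to alert on; a single legitimate backup job normally runs once, not once per folder.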

Ransom demand is correctly priced

Ransomware targeting businesses usually demands ransoms ranging from US$100,000 to US$50 million to decrypt all of the victim's devices and to refrain from publishing the stolen data.

However, the Qlocker ransomware group chose a different target: consumers and small and medium-sized business owners who use QNAP NAS devices for network storage.

The extortion gang seems to know its targets well. On the dark web site http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/ , they set the ransom at only 0.01 bitcoin (about 500 US dollars at today's bitcoin price).

Qlocker ransom demand

A decision to pay millions of dollars forces a company to consider seriously whether the lost data is really worth millions of dollars.

However, paying $500 can be seen as a small price for the recovery of important documents, and the victim may not feel strongly enough wronged to refuse.

The Qlocker gang's decision seems to have paid off: people eager to recover their data have started to pay, earning the gang a considerable return.

So far, Qlocker’s revenue is nearly $260,000

Since the Qlocker ransomware gang uses a fixed set of Bitcoin addresses, victims are rotated through these addresses in turn. On Tuesday night, security researcher Jack Cable discovered a short-lived bug in the gang's payment site that allowed him to recover 55 victims' files for free. While exploiting this bug, he collected 10 different Bitcoin addresses, and BleepingComputer collected another 10, giving a total of 20 Bitcoin addresses currently used by the Qlocker ransomware group.

So far, the 20 bitcoin addresses shown below have received a total of 5.25773523 bitcoins in ransom. This amount is approximately equivalent to US$258,494.

[Table: Bitcoin address | Bitcoin total payment]

Dividing the number of bitcoins received by the 0.01 BTC that each victim has to pay gives approximately 525 victims who have paid the ransom so far.

Unfortunately, as more users make the difficult decision to pay to restore their files, payments keep arriving, so this number is likely to increase over the weekend and into next week.

The extortion campaign is still ongoing, and new victims appear every day. All QNAP users should therefore update Multimedia Console, the Media Streaming add-on and Hybrid Backup Sync to their latest versions to fix the vulnerabilities and defend against these ransomware attacks.

From:On DarkNet – Dark Web News and Analysis
