A Ransomware Group Made $260,000 in 5 Days

A ransomware group made $260,000 by remotely encrypting files on QNAP computers using the 7zip archive software in an interval of five days. After a ransomware operation called Qlocker exploited vulnerabilities on their computers, QNAP NAS users all over the world discovered their files had been encrypted as of Monday. 

While most ransomware groups spend a significant amount of time developing their malware to make it powerful, feature-rich, and safe, the Qlocker gang didn’t have to do so. Rather, they scanned for QNAP devices that were connected to the Internet and manipulated them with the recently disclosed flaws. 

The threat actors were able to use these exploits to remotely run the 7zip archival utility and password secure all of the files on the victims’ NAS storage devices. Using a time-tested encryption algorithm built into the 7zip archive utility, they were able to encrypt over a thousand devices in just five days. To access all of a victim’s computers and not leak their stolen data, enterprise-targeting ransomware usually demands ransom payments ranging from $100,000 to $50 million. 

Qlocker, on the other hand, chose a different audience: customers and small-to-medium-sized businesses that use QNAP NAS computers for network storage. The threat actors seem to have a good understanding of their goals since their ransom demands were just 0.01 Bitcoins or around $500 at today’s Bitcoin rates. 

Since the Qlocker ransomware uses a series of Bitcoin addresses that are rotated around, BleepingComputer collected the addresses and tracked their payments. Security researcher Jack Cable discovered a short-lived bug that allowed him to recover passwords for 55 victims for free. He gathered ten separate Bitcoin addresses that the threat actors were rotating with victims when using this bug and shared them with BleepingComputer. 

BleepingComputer has since collected an additional ten bitcoin addresses, bringing the total number of bitcoin addresses used by the Qlocker threat actors to 20. The 20 bitcoin addresses have received ransom payments totaling 5.25735623 Bitcoins at this time which equates to around $258,494 in today’s money. Unfortunately, as users make the difficult decision to pay a ransom to retrieve their files, the number of ransoms will likely rise over the weekend and into the next week. 

This ransomware campaign is still active, with new victims being reported daily. To patch the vulnerabilities and defend against these ransomware attacks, all QNAP users must upgrade the latest versions of the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync software. Users can also protect their NAS devices so that potential attacks are more difficult to carry out.