
QNAPCrypt Ransomware

Posted: July 15, 2019

The QNAPCrypt Ransomware is a file-locking Trojan for Linux that encrypts media and holds it for ransom with a text-based warning message. The QNAPCrypt Ransomware campaigns concentrate on attacks of opportunity against unsecured servers and network-attached storage devices, which criminals can break into through brute force or software exploits. Users should check their backups for weaknesses that would expose them to a remote attacker and use anti-malware services to remove the QNAPCrypt Ransomware if it's identifiable.

Trojan Troubles for Chinese Data Storage

Network-attached storage products from QNAP are priority targets for a new Trojan whose attacks are comparable to those of Ransomware-as-a-Service families like the Scarab Ransomware or the Globe Ransomware. The QNAPCrypt Ransomware's choice of Linux as its environment is less traditional than Windows but shows that threat actors are eagerly exploiting any 'underserved' market for ransom in an attempt to gain an advantage over well-established competitors. Security mistakes by the victims are, as malware experts often find, the open door that invites the QNAPCrypt Ransomware into their data.

Threat actors are spreading the QNAPCrypt Ransomware by brute-forcing login credentials – a technique that involves 'guessing' large numbers of user/password combinations – and by employing complementary software vulnerabilities. Once the attackers have manual access to the NAS device, the QNAPCrypt Ransomware Trojan blocks dozens of media formats with RSA-secured AES encryption. It also appends an 'encrypted' extension to their names, after any preexisting one.

Because the QNAPCrypt Ransomware targets backup devices rather than ordinary computers, it doesn't display a pop-up alert. It does, however, give the victim a text-based ransom warning. Although asking for a Bitcoin payment for the decryptor is standard, malware experts highlight the QNAPCrypt Ransomware's use of an unconventional wallet-organizing method: it uses a different payment account per victim, which it bases on a campaign-specific ID. Using a vulnerability in this setup, the Intezer anti-malware company flooded the threat actor's C&C with simulated victims, which resulted in a shutdown of the campaign.

Unfortunately, the QNAPCrypt Ransomware's threat actors are responding to these disruptions by reworking the QNAPCrypt Ransomware's wallet-generation methodology, and the Trojan is, once again, functional.

Extortionists Catching You Napping

The QNAPCrypt Ransomware is specific to QNAP-brand NAS devices, although it isn't the first Trojan of its type that blocks files on similar storage hardware. Readers might compare it with the Basilisque Ransomware, which also uses AES encryption for sabotaging network-attached storage, or the Cr1ptT0r Ransomware, which uses exploits for D-Link products. Most of these incidents are entirely preventable, as long as users persist in abiding by security practices like using appropriate passwords, turning off RDP, and installing security updates.

There is no solution for unlocking or decrypting files for free after a QNAPCrypt Ransomware attack. Since the combination of AES and RSA encryption it uses is secure unless new bugs or database leaks become relevant, users will have no choice but to risk paying a potentially fruitless ransom or to use a second form of backup for recovering media. The QNAPCrypt Ransomware sabotages most of the commonly used formats, including ZIP archives, Word documents, MP3 music, JPG pictures and dozens of others.
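For incident triage, the 'encrypted' extension appended after any preexisting one gives a simple marker for scoping the damage on a mounted share before restoring from a second backup. The following Python is an added example, not part of the original article or any vendor tool; the function name `triage_share` and the use of file modification times to bound the encryption window are assumptions of this example.

```python
import os
from collections import Counter
from datetime import datetime, timezone

MARKER = ".encrypted"  # suffix the article says is appended after any existing extension


def _utc(ts):
    return None if ts is None else datetime.fromtimestamp(ts, timezone.utc)


def triage_share(root):
    """Summarise marked files under `root`: affected directories, the original
    extensions that were hit, and the earliest/latest mtime of marked files.
    Assumption: mtime reflects when the encrypted content was written."""
    per_dir = {}            # directory -> [marked, total]
    orig_exts = Counter()   # original extension -> count
    first = last = None
    for dirpath, _dirs, files in os.walk(root):   # symlinked dirs are not followed
        for name in files:
            stats = per_dir.setdefault(dirpath, [0, 0])
            stats[1] += 1
            # Skip unmarked files and a bare dotfile literally named ".encrypted".
            if not name.lower().endswith(MARKER) or len(name) == len(MARKER):
                continue
            stats[0] += 1
            original = name[: -len(MARKER)]       # "photo.jpg.encrypted" -> "photo.jpg"
            orig_exts[os.path.splitext(original)[1].lower() or "(none)"] += 1
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue                          # file vanished mid-scan
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {
        "directories": {d: tuple(s) for d, s in per_dir.items() if s[0]},
        "original_extensions": dict(orig_exts),
        "window_utc": (_utc(first), _utc(last)),
    }


if __name__ == "__main__":
    import sys
    report = triage_share(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, (marked, total) in sorted(report["directories"].items()):
        print(f"{marked:6d}/{total:<6d} {directory}")
    print("original extensions:", report["original_extensions"])
    print("modification window (UTC):", *report["window_utc"])
```

The reported time window can be compared against the device's login records to find the session that preceded the encryption.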

Malware experts recommend updating security solutions to delete the QNAPCrypt Ransomware safely, since this Trojan is successful at avoiding old threat-detecting metrics.

The best way of stopping a Trojan is at one's front door, as QNAP customers are learning, like everyone else. A container for storing your belongings is only as useful as the lock that's securing it.
