An active ransomware campaign by Qlocker was discovered targeting QNAP devices all around the world starting from April 19. The ransomware is storing infected users’ files in password-protected 7zip archives.

What happened?

BleepingComputer reported that its Qlocker support forum is witnessing an enormous amount of activity from several victims. In addition, the ID-Ransomware service has seen an increase in submissions from victims. 
  • In this campaign, attackers are using 7-Zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor shows various 7z processes.
  • After the ransomware finishes its operations, QNAP device files are saved in password-protected 7-Zip archives with a .7z extension. To extract these archives, victims need a password.
  • After encryption is complete, victims are left with a !!!READ_ME[.]txt ransom note. The note has a unique client key that is needed to log into the ransomware's Tor payment site.
  • As stated in Qlocker ransom notes, all victims are demanded to pay 0.01 Bitcoins, ($557.74), to get a password for their locked password-protected archives.

Exploited vulnerabilities 

QNAP believes that Qlocker operators are exploiting the CVE-2020-36195 vulnerability to execute their ransomware. On April 16, the company fixed two vulnerabilities with the following details:
  • CVE-2020-2509: A command injection vulnerability that exists in the QTS and QuTS hero.
  • CVE-2020-36195: A SQL injection vulnerability that exists in the Multimedia Console and the Media Streaming Add-On.


Qlocker ransomware is exploiting a known vulnerability that has already been patched. This indicates that several organizations using QNAP devices have not patched their firmware. It is important to always update network devices with the latest patches whenever a patch is released.

Cyware Publisher