In five days, the Qlocker ransomware operation made $260,000 by using the 7zip archive program to encrypt files on QNAP devices. QNAP users saw their files encrypted through vulnerabilities on their devices last week.

This ransomware is unique because it wasn’t even crafted and coded by the operators. They simply scanned for QNAP devices connected to the internet and exploited them through publicly disclosed vulnerabilities. Those vulnerabilities allowed the threat actors to remotely execute the 7zip archive utility and password-protect files on victims’ storage devices.

The number of devices encrypted over the past week is estimated to be in the thousands.

The Qlocker operators understood they wouldn’t be able to demand ransoms on the scale of those requested from enterprise organizations. By targeting smaller victims, they realized they should request an amount that individual users could feasibly pay. It worked.

The $260,000 was collected through ransom requests of 0.01 bitcoin, or about $500. While attempting to recover passwords for some users, a security researcher tracked down the bitcoin addresses and found payments to them from at least 525 victims, and the number continues to grow into this week.

If your organization uses these devices, it’s important to make sure they’ve been updated to avoid this ransomware. As a further step, engage with a security firm to monitor your devices and stay ahead of the threats you want to stop. At SpearTip, our team is on call 24/7 and ready to assist organizations during attacks. It’s apparent that threat actors will attack through whatever vector leads them to financial compensation. Don’t give them the chance to take advantage of your company.

Our team will continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.