With modest demands and an everyday archiver, a cybercriminal group made a quarter of a million dollars in five days

To attack unprotected QNAP network drives, cybercriminals used the standard 7zip archiver. Many of the victims agreed to pay the $500 requested by the perpetrators.

There’s nothing fancy about it:


Encrypting data with an ordinary archiver earned the Qlocker group $260 thousand in five days. As ransom, the perpetrators asked for a very small amount: 0.01 bitcoin, which is around $500 at the current exchange rate.

Normally, such gangs build advanced encryption software, but in this situation, the attackers simply chose not to bother.

QNAP NAS devices were their target. The manufacturer of these devices recently disclosed that it had found and removed a backdoor account that had existed in the software shell due to a programmers' oversight. The account could be accessed by anyone who knew the necessary login and password. The flaw was assigned CVE-2021-28799 and has been fixed by a new QNAP update.

However, there are still a lot of insecure, externally accessible drives on the Internet that haven't been updated. These are what the Qlocker group went after, mainly by exploiting the above-mentioned flaw. In addition, the attackers took advantage of CVE-2020-36195, a flaw in the QNAP multimedia add-on for network drives that enables SQL injection.

In both scenarios, user files were archived remotely with the 7zip tool and the resulting archives were password-protected; the attackers demanded a ransom for the password.

Calculation error:

Many people opted to pay this price to restore access to their files, proving that the cybercriminals’ estimate was right. From the start of the campaign on April 19, 2021, Qlocker participants created multiple bitcoin wallets, which Bleeping Computer experts watched for several days.

The cybercriminals made a total of 5.26 bitcoins, or around $258,000.

“The scheme is working,” says Mikhail Zaitsev, an information security specialist at SEC Consult Services, “but only because the owners of QNAP network drives are sluggish. The attackers took advantage of bugs that had already been patched. In reality, any archiver can be used as an encryptor, but only if the attackers have access to the target system and the requisite privileges. It goes without saying that this incident would have a significant impact on something, and that all encryption classes will turn to using traditional archiving utilities.”