AgeLocker Ransomware attacks QNAP NAS drives

[German]A brief warning for users who have QNAP NAS drives in use. The AgeLocker ransomware seems to target such drives that are accessible via the Internet and encrypts their contents. In some cases, files are also taken off for further blackmailing. The problem is, however, that little is known about which versions of the NAS operating system QTS are vulnerable.


After all, QNAP's NAS drives are a popular target for malware and ransomware. I had some blog posts on this topic in the last months (see the article at the end of this page). Now there seems to be a new malware variant called AgeLocker that infects such drives. The name comes from the used encryption algorithm called Age (Actually Good Encryption) which is supposed to replace GPG for encrypting files, backups and streams. The ransomware did not appear until July 2020, as Bleeping Computer reported in this article. When encrypting files, the encrypted data is preceded by a text header starting with the URL ''.

AgeLocker ransomware infection on QNAP NAS

Now the ransomware has attracted attention because it infects NAS drives from QNAP. Since late August 2020, AgeLocker or another ransom software using the same encryption has been targeting publicly accessible QNAP NAS devices and encrypting their files. Bleeping Computer picked up the case here after a reader posted a ransomware infection on their forum. However, their forum post has been deleted in the meantime. Security researcher Michael Gillespie found out that the file was encrypted with the Age algorithm. 

QNAP warns about Age-Ransomware

Now the manufacturer QNAP has issued a security warning against ransomware that uses the Age algorithm for encryption. In the security warning of 25 September 2020 it says:

The AgeLocker Ransomware has been reported to target QNAP NAS, Linux, and macOS devices. This new ransomware attempts to encrypt the files of victims by using the "Age" encryption tool. QNAP Product Security Incident Response Team (PSIRT) has found evidence that the ransomware may attack earlier versions of Photo Station. We are thoroughly investigating the case and will release more information as soon as possible.

This is of course very unspecific information. Neither is it known which vulnerabilities AgeLocker attacks, nor which versions of the NAS operating system QTS are attackable or which versions are protected. My guess is that the above mentioned infection, which went to Miachel Gillespie via bleeping computers, is now present at QNAP and is being investigated by QNAP. At the moment, owners of QNAS stations are advised to install the latest firmware and to keep their systems offline. Another problem with QNAS could be that the manufacturer reactivates features disabled by the user during software updates.

Similar articles:
QNAP Security Advisory about eCh0raix Ransomware


Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security, Software and tagged , , , . Bookmark the permalink.

2 Responses to AgeLocker Ransomware attacks QNAP NAS drives

  1. Andre says:

    I got this on my QNAP NAS HS-251 few days ago.
    Not sure when it happened because I rarely use the server.
    At some point few years ago I was playing with Photo Station App in order to make available photos for family online and forgot to disable it.

    Now hackers demanding a ransom, which is not that big,
    but I don't know if I should pay it or leave it forever?

    Has anybody paid ransomware, how was you sure that you will get all back all photos?

Leave a Reply

Your email address will not be published. Required fields are marked *