QNAP NAS ransomware attack wrap-up (April 2021)

Sicherheit (Pexels, allgemeine Nutzung)[German]Users of QNAP NAS drives were, after all, victims of a widespread ransomware campaign in April 2021, in which the drive contents were encrypted. The manufacturer responded with a security patch and also provided a "cleanup tool". However, the latter was not met with enthusiasm by everyone in charge – I received feedback from IT people on several channels right away. Therefore a glean on this topic.


QNAP: Vulnerability and Qlocker attack

On April 22, 2021, QNAP published a security warning about a vulnerability in HBS 3 Hybrid Backup Sync. A vulnerability in the form of a lack of authentication allowed unauthorized third parties to access QNAP NAS drives. The vulnerability was fixed by QNAP through an update. 

However, it was probably already too late for some users, as there was a QLocker ransomware attack on QNAS devices that used exactly this vulnerability to take over and encrypt the files. QNAP had also provided assistance and a tool to remove an infection in its security alert. I addressed these issues in the blog post The QNAP disaster: Ransomware attack on NAS devices

Another fault from QNAP?

German  blog reader Joachim S., who had also pointed out the QNAP security issue to me, has sent the following text by mail as feedback to my post (thanks for that):

Somehow the incident is annoying, especially since I had a customer who only had the myqnapcloud service active, no port forwarding to QNAP. The service was more or less automatically enabled during setup, and although not used, unfortunately not disabled again.

Luck of the draw was that the files were only packed via 7z, without a key. Took a little while, but everything was back. What shocked me was that the trojan actually managed to delete the snapshots.

This indicates that the developers of QNAP have patched in the firmware and simply overlooked such issues – or?

Malware warning: Users were not amused

Blog reader Stefan K. also contacted me by mail – first on April 26, 2021, because he was alarmed by an error notification on QNAP NAS devices. Stefan wrote me:


Good day Mr. Born,

all QNAP NAS accessible to me (5 pieces) have reported the following error almost simultaneously today:


The devices are in two different locations and, with one exception, cannot be reached from the Internet.

All updates were installed immediately after the release. Encrypted files were not found.

It is possible that QNAP is only removing "old burdens" via a new malware signature.

However, the process is highly in-transparent. For example, the log does not reveal which files or directories were actually deleted.

Stefan then created a ticket with QNAP and promised to get back to me when there was an answer (so I haven't picked it up here on the blog yet). In another mail Stefan also mentioned that the NAS should not be restarted in case of an infection, because it is possible to read the key as long as the process is still running. I had touched this topic in the article linked above, and QNAP also listed it accordingly in their FAQ. The hope was that it would then be possible to decrypt the files later. Stefan got the following feedback from QNAP support on his ticket regarding the above error message: 

Dear Mr. K.,

this message was brought by Malware Remover in the last days, it was a misleading hint. Malware Remover brought this message when the updates against Qlocker were installed. Don't be put off, it is a somewhat misworded message that has not yet been corrected.

So, as Stefan suspected, it is about the installation of updates against QLocker and not about an infection. But some people's hearts must have dropped when they saw the Malware Remover message about removed files. Then on Twitter, a tweet from blog reader Hans-Peter Holzer came to my attention in response to the QNAP warning about the same issue. 

QNAP-Warnung vor Qlocker-Ransomware

Maybe it will help you – or were you as a possibly affected person aware of the above outlined processes / facts from the beginning?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *