www.belgium.be Logo of the federal government

Ransomware operators actively targeting vulnerable QNAP NAS appliances

Advisory #2021-009
Affected software: 
QNAP NAS appliances running HBS 3 Hybrid Backup Sync
QNAP NAS running Multimedia Console or the Media Streaming add-on
Improper Authorization , SQL Injection



Ransomware operators are actively targeting vulnerable QNAP devices since 19 april 2021.


The attackers are using the following tactics, techniques and procedures.
The attacker exploits the vulnerable device and extracts files from the vulnerable system in password-protected archives ending with the 7.z extension. Without the password the files are unreadable for the victim. This password is unique to the victim and cannot be used on other victims' devices.
After QNAP devices are encrypted, users are left with a "!!!READ_ME.txt" ransom note that includes a unique client key that the victims need to enter to log into the ransomware's Tor payment site.

Recommended Actions

The CCB recommends that all users immediately install the latest Malware Remover version and run a malware scan on vulnerable QNAP NAS appliances. 
The CCB recommends to update the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps to the latest available version as well to further secure QNAP NAS from ransomware attacks. 
The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security.
QNAP is urgently working on a solution to remove malware from infected devices.
QNAP warns that if a device's files have been encrypted already they should not reboot the device and instead immediately run the malware scanner.
Victims can contact the QNAP technical support at https://service.qnap.com/.