QNAP NAS vulnerabilities exploited to deploy ransomware

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

10:15am, 29 April 2021

TLP Rating: Clear

QNAP NAS vulnerabilities exploited to deploy ransomware

Vulnerabilities in QNAP Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.7z’ extension and require a password to decrypt.

QNAP has released updates to affected software, as well as its malware scanning tool to detect this activity. CERT NZ advises all organisations with QNAP NAS devices to update and run the malware scanner immediately, and then apply all other software updates.

What's happening

Systems affected

QNAP NAS devices running QTS operating system or add-ons with the following versions.

Hybrid Backup Sync versions before:

  • 16.0.0415 for QTS 4.5.x
  • 3.0.210412 for QTS 4.3.x
  • 16.0.0419 for QuTS hero and QuTScloud

Media Streaming add-on versions before:

  • 430.1.8.10

Multimedia Console versions before:

  • 1.3.4

QTS versions before:

  • 4.5.2.1566 Build 20210202
  • 4.3.6.1620 Build 20210322
  • 4.2.6 Build 20210327
  • QuTS hero h4.5.1.1491 build 20201119

What to look for

How to tell if you're at risk

If you have a QNAP NAS devices and have not yet applied the latest updates to:

  • HBS 3,
  • Multimedia Console,
  • Media Streaming add-on, or
  • QTS operating system.

How to tell if you're affected

Affected QNAP NAS devices will have files encrypted in a .7z format and a ransom note will be present on your system labelled “!!!READ_ME.txt”

QNAP has published a support article External Link about how to detect and respond to this incident.

What to do

Prevention

These steps apply for both prevention and mitigation.

Note: Do not restart your QNAP NAS device until step 3, as if there is ransomware running, you may not be able to recover the encryption key and your data. 

  1. Make sure that the device is not exposed to the internet, particularly the web interface or file shares.
  2. Update and run QNAP Malware Remover. The Malware Remover may be able to recover the password required to recover your encrypted files. If Malware Remover finds the ransomware, it will attempt to recover the password.
  3. Once the device is clear of ransomware, update the QTS operating system and all installed add-ons. This is when you can restart your device. 

More information