QNAPCrypt Ransomware

QNAPCrypt Ransomware Description

Usually, ransomware threats tend to aim at infecting as many systems as possible often via ransom spam email campaigns. However, the authors of the QNAPCrypt Ransomware have taken a different approach. They are very picky when it comes to targets and the only systems that this Trojan attack is NAS (Network-Attached Storage) devices, which are manufactured by the QNAP company – a Taiwanese corporation, which specializes in the development of NAS products. It is understandable why the authors of the QNAPCrypt Ransomware have targeted NAS servers, they are a very juicy target as they used by corporations and institutions and often contain important, sensitive data. This makes it much more ossible that the victims would end up paying up the ransom fee.

Targets Linux

The QNAPCrypt Ransomware targets systems running Linux. The exact propagation method of the QNAPCrypt Ransomware is not yet known. However, it has been confirmed that in several cases, an unsecured SSH (Secure Shell) service has been the backdoor that the QNAPCrypt Ransomware has exploited to infiltrate the targeted system.

High Ransom Fee

Once the QNAPCrypt Ransomware manages to compromise the system, it will start locking all the files, which are located on the targeted NAS server. All the files which undergo the encryption of the QNAPCrypt Ransomware will have their name altered as this Trojan adds a ‘.encrypt’ extension at the end of the filename. Next, the QNAPCrypt Ransomware drops a ransom note named ‘README_FOR_DECRYPT.txt,’ The victim is required to download and install the TOR browser as this is the only browser, which would allow them to access the Deep Web which is where the attackers are hosting their services. The QNAPCrypt Ransomware designates a different Bitcoin wallet for every victim. The ransom fee varies between 0.45 (~$4,600 at the time of writing) and 0.55 Bitcoin (~$5,600 at the time of writing).

Attacks Halted Temporarily

There is a weak spot in the QNAPCrypt Ransomware that malware experts did not fail to notice. Instead of generating new Bitcoin wallets for each victim, the attackers used a pre-made list of already existing Bitcoin wallets. The researchers launched over a thousand attacks with QNAPCrypt Ransomware on fake servers set up by them. This way, the ransomware used up all of the Bitcoin wallets registered by the attackers, therefore preventing it from being able to execute its attacks for now. It is very likely that this is only a temporary halt of the campaigns involving the QNAPCrypt Ransomware. The authors of this threat seem highly skilled and will likely find a workaround and continue their operations.

We advise you strongly to refrain from paying the authors of the QNAPCrypt Ransomware. Instead, you should try to clear your system using a reputable anti-malware application. Then, you can try to get some of the files back using a third-party data-recovery application.

How Can You Detect Malware?

Download SpyHunter's Detection Scanner
to Detect Malware.
* SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.