
QNAPCrypt Ransomware

Usually, ransomware threats aim to infect as many systems as possible, often via spam email campaigns. However, the authors of the QNAPCrypt Ransomware have taken a different approach. They are very picky about targets: the only systems this Trojan attacks are NAS (Network-Attached Storage) devices manufactured by QNAP, a Taiwanese corporation that specializes in the development of NAS products. It is understandable why the authors of the QNAPCrypt Ransomware have targeted NAS servers; they are a very juicy target, as they are used by corporations and institutions and often contain important, sensitive data. This makes it much more likely that the victims would end up paying the ransom fee.

Targets Linux

The QNAPCrypt Ransomware targets systems running Linux. The exact propagation method of the QNAPCrypt Ransomware is not yet known. However, it has been confirmed that in several cases an unsecured SSH (Secure Shell) service served as the entry point the QNAPCrypt Ransomware exploited to infiltrate the targeted system.
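Since an unsecured SSH service is the one confirmed entry point, the first thing an administrator can check is the sshd configuration itself. The following script is an added example, not code from the article or from QNAP; it assumes Python 3 is available on the NAS or on the admin's workstation, and the "wanted" values are this script's own hardening policy rather than anything the article prescribes. The directive names and defaults are the real OpenSSH ones from sshd_config(5); sshd honours the first value it reads for a directive, which is why the parser keeps the first occurrence.

```python
"""Audit an OpenSSH sshd_config for the settings that leave a NAS exposed over SSH.

Added example (hypothetical policy); sample configs below are constructed.
"""

# Directive -> value this audit wants to see (hardening policy, not an OpenSSH default).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Value OpenSSH applies when the directive is absent (per sshd_config(5), OpenSSH 7.0+).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive_lower: value} keeping the FIRST occurrence of each directive.

    sshd uses the first value it reads, so a later duplicate does not override it.
    Conditional 'Match' blocks are outside this script's scope: parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line, nothing to record
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return [(directive, effective_value, wanted_value)] for every policy violation."""
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed sample: root login and password auth enabled, the second
# PermitRootLogin line is ignored by sshd because the first one wins.
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the following line has no effect: sshd already took the value above
PermitRootLogin no
"""

# Constructed sample of a configuration that passes the policy.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    # On a real host: audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for key, effective, wanted in audit(parse_sshd_config(text)):
            print(f"[{label}] {key}: is '{effective}', want '{weak_or_wanted}'" if False else
                  f"[{label}] {key}: is '{effective}', want '{wanted}'")
```

Run it against `/etc/ssh/sshd_config` on the device; two findings on the weak sample (root login and password authentication both enabled) and none on the hardened one is the expected result.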

High Ransom Fee

Once the QNAPCrypt Ransomware manages to compromise the system, it starts locking all the files located on the targeted NAS server. Every file encrypted by the QNAPCrypt Ransomware has its name altered, as this Trojan appends a ‘.encrypt’ extension to the filename. Next, the QNAPCrypt Ransomware drops a ransom note named ‘README_FOR_DECRYPT.txt.’ The victim is instructed to download and install the TOR browser, as it is the only browser that allows access to the Deep Web, where the attackers host their services. The QNAPCrypt Ransomware designates a different Bitcoin wallet for every victim. The ransom fee varies between 0.45 Bitcoin (~$4,600 at the time of writing) and 0.55 Bitcoin (~$5,600 at the time of writing).
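The two on-disk artefacts the article names, the ‘.encrypt’ suffix and the ‘README_FOR_DECRYPT.txt’ note, are enough to sweep a NAS for signs of this infection and to see which shares were touched. The script below is an added example, not code from the article or from QNAP; it assumes Python 3 and builds a constructed sample share layout in a temporary directory so it runs offline. The share names and file names in the sample are hypothetical.

```python
"""Sweep a directory tree for the artefacts the article attributes to QNAPCrypt.

Added example; the sample tree built by build_sample_tree() is constructed data.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "README_FOR_DECRYPT.txt"  # note filename given in the article
ENCRYPTED_SUFFIX = ".encrypt"            # extension given in the article


def sweep(root):
    """Walk `root` and return a summary dict:

    encrypted  - number of files carrying the '.encrypt' suffix
    notes      - directories in which a ransom note was found
    by_share   - Counter of encrypted files per top-level directory (share)
    """
    result = {"encrypted": 0, "notes": [], "by_share": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        share = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            if name == RANSOM_NOTE:
                result["notes"].append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                result["encrypted"] += 1
                result["by_share"][share] += 1
    return result


def build_sample_tree():
    """Create a constructed NAS-like layout (hypothetical shares) in a temp dir."""
    root = tempfile.mkdtemp(prefix="nas_sample_")
    layout = {
        "finance/q1.xlsx.encrypt": b"",
        "finance/q2.xlsx.encrypt": b"",
        "finance/README_FOR_DECRYPT.txt": b"constructed sample note",
        "photos/trip.jpg": b"",            # untouched share
        "backups/db.sql.encrypt": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # On a real device, point sweep() at the share root (e.g. the volume mount) instead.
    root = build_sample_tree()
    summary = sweep(root)
    print(f"encrypted files: {summary['encrypted']}")
    print(f"ransom notes in: {summary['notes']}")
    for share, count in summary["by_share"].most_common():
        print(f"  share {share}: {count} encrypted file(s)")
```

On the constructed tree the sweep reports three encrypted files, one ransom note in the finance share, and no hits in the photos share; a single ‘.encrypt’ hit on a production volume is reason enough to isolate the device and start incident response.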

Attacks Halted Temporarily

There is a weak spot in the QNAPCrypt Ransomware that malware experts did not fail to notice. Instead of generating a new Bitcoin wallet for each victim, the attackers used a pre-made list of existing Bitcoin wallets. The researchers launched over a thousand attacks with the QNAPCrypt Ransomware against fake servers they had set up themselves. This way, the ransomware used up all of the Bitcoin wallets registered by the attackers, which prevents it from executing further attacks for now. It is very likely that this is only a temporary halt of the campaigns involving the QNAPCrypt Ransomware. The authors of this threat seem highly skilled and will likely find a workaround and continue their operations.

We strongly advise you to refrain from paying the authors of the QNAPCrypt Ransomware. Instead, you should clear your system using a reputable anti-malware application. Then, you can try to get some of the files back using a third-party data-recovery application.
