Cybercriminal Group Made A Quarter Of A Million Dollars In 5 Days Using A Standard Archiver

James J. Davis
2 min read · Apr 28, 2021


Attackers used a standard 7zip archiver to attack vulnerable QNAP network drives. The victims were asked for $500 each, and many agreed to pay.

No frills

The Qlocker cyber gang made $260,000 within five days by encrypting data with an ordinary archiver. To regain access to the data, the criminals demanded a sum that is very modest for this kind of extortion: 0.01 bitcoin, about $500 at today's exchange rate.

Such groups usually develop specialized encryption programs, but in this case, the perpetrators clearly decided not to bother with anything like that.

QNAP network drives were their targets. The maker of these devices recently announced that it had discovered and removed a backdoor account left in the device software through developer negligence: anyone who knew the right username and password combination could log in with it. The vulnerability was assigned CVE-2021-28799, and a recent update released by QNAP fixes it.

But there are still many vulnerable and externally accessible drives on the Internet that have not received the update, and the Qlocker group went hunting for them. Its first route in was the vulnerability above. It also exploited CVE-2020-36195, an SQL injection bug in a multimedia add-on for QNAP NAS.

In both cases, the users' files were remotely packed into archives with the 7zip utility. The archives were password-protected, and the attackers demanded a ransom for the password.
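From the defender's side, the telltale sign of an archiver used as an encryptor is not a new binary but a burst of legitimate archiver invocations with a password flag. The following is an added example, not code from the article or from QNAP: a small detector that runs over constructed process-event log lines (the `ts host PROC command` format and the host names are assumptions) and flags any host on which many password-protected archives are created within a short window, while leaving a single scheduled backup alone.

```python
"""Added example: spot an archiver being used as an encryptor.
Log format, host names and commands below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real QNAP logs): "<ts> <host> PROC <command>"
SAMPLE_LOG = """\
2021-04-19T10:00:01 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/docs/report.7z /share/docs/report.docx
2021-04-19T10:00:02 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/docs/budget.7z /share/docs/budget.xlsx
2021-04-19T10:00:03 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/photos/img001.7z /share/photos/img001.jpg
2021-04-19T10:00:04 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/photos/img002.7z /share/photos/img002.jpg
2021-04-19T10:00:05 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/photos/img003.7z /share/photos/img003.jpg
2021-04-19T10:00:06 nas01 PROC /usr/bin/7z a -pS3cret -mhe=on /share/photos/img004.7z /share/photos/img004.jpg
2021-04-19T11:30:00 nas02 PROC /usr/bin/7z a /share/backup/weekly.7z /share/backup/
2021-04-19T12:00:00 nas03 PROC /usr/bin/7z a -pBackupKey /share/backup/offsite.7z /share/backup/
2021-04-19T18:00:00 nas03 PROC /usr/bin/7z a -pBackupKey /share/backup/offsite2.7z /share/backup/
"""

PROC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) PROC (?P<cmd>.+)$")
# "7z a" / "7za a" creates an archive; "7z x" (extraction) is deliberately not matched.
ARCHIVE_CREATE_RE = re.compile(r"(?:^|/)7za?\s+a\s")
# 7-Zip's -p flag sets a password; the password follows the flag directly.
# If command lines are logged, that value is also what a responder needs to recover files.
PASSWORD_FLAG_RE = re.compile(r"(?:^|\s)-p\S*")


def parse_proc_events(log):
    """Yield (timestamp, host, command) for each PROC line; other lines are skipped."""
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def is_password_protected_archive_cmd(cmd):
    """True only for archive *creation* with a password set."""
    return bool(ARCHIVE_CREATE_RE.search(cmd) and PASSWORD_FLAG_RE.search(cmd))


def find_mass_archiving(log, window=timedelta(minutes=5), threshold=5):
    """Return {host: {"count", "first", "commands"}} for hosts where at least
    `threshold` password-protected archives were created inside any `window`."""
    per_host = defaultdict(list)
    for ts, host, cmd in parse_proc_events(log):
        if is_password_protected_archive_cmd(cmd):
            per_host[host].append((ts, cmd))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        best, j = None, 0
        # Sliding window: for each start event i, advance j to the last event within `window`.
        for i, (start, _) in enumerate(events):
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {"count": count, "first": start,
                        "commands": [c for _, c in events[i:j]]}
        if best:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, info in find_mass_archiving(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info['count']} password-protected archives from {info['first']}")
```

With the defaults, only `nas01` is reported (six archives in six seconds); `nas02` archives without a password and `nas03` makes two password-protected backups six hours apart, so neither trips the threshold. The window and threshold are the tuning knobs a SOC would adjust to its own backup schedule.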

Correct calculation

The calculation was correct: many victims decided to pay this sum to regain access to their files. The Qlocker operators set up several bitcoin wallets, which Bleeping Computer experts tracked for several days from the start of the campaign on April 19, 2021.

The total income of the attackers was 5.26 bitcoins, or about $258,000.

As a matter of fact, any archiver can be used as an encryptor, but only if the attackers already have access to the target system and sufficient privileges on it. It does not follow that this episode will change much, or that all ransomware groups will switch to generic archiving utilities.

Attempted countermeasures

Jack Cable, a security researcher and Stanford University student, discovered a flaw in the payment verification scheme used by Qlocker. As it turned out, changing a single letter of the transaction ID from lowercase to uppercase made the attackers' system treat the transaction as completed, so a victim could regain access to their files without paying anything.

Cable helped some fifty Qlocker victims unpack their data before the attackers fixed the flaw.
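The article does not describe the internals of the Qlocker payment check, only that re-casing one letter of the transaction ID was enough. The following is an added example (not code from the article, from the researcher, or from Qlocker) of one assumed way such a flaw arises in any identifier check: the "already used" set stores the client's raw string while the ledger lookup is case-insensitive, so the same confirmed transaction can be presented again in a different case. The hardened version validates and canonicalizes the ID once, before both checks. The ledger, price and eight-character IDs are constructed for the example.

```python
"""Added example: a canonicalization mismatch in an identifier check.
The assumed mechanism is a simplification; the ledger and IDs are constructed."""
import re

# Constructed ledger of confirmed payments, keyed by lowercase hex transaction id.
# Real transaction ids are 64 hex characters; 8 are used here for readability.
CONFIRMED = {"9f3a7c1e": 0.01}   # txid -> amount received (BTC)
PRICE_BTC = 0.01                 # amount that must be seen before a key is released


class VulnerableVerifier:
    """Deduplicates on the raw client string but looks the id up case-insensitively.
    The two checks see different forms of the same identifier."""

    def __init__(self):
        self.claimed = set()

    def redeem(self, txid):
        if txid in self.claimed:                 # exact-string comparison
            return False
        amount = CONFIRMED.get(txid.lower())     # case-folded lookup
        if amount is None or amount < PRICE_BTC:
            return False
        self.claimed.add(txid)                   # stores the un-normalized form
        return True


TXID_RE = re.compile(r"[0-9a-f]{8}")             # 64 in a real system


def canonical_txid(txid):
    """Normalize once and reject anything that is not a well-formed hex id."""
    t = txid.strip().lower()
    if not TXID_RE.fullmatch(t):
        raise ValueError("malformed transaction id")
    return t


class HardenedVerifier:
    """Every check, and the record of what was used, operates on the canonical form."""

    def __init__(self):
        self.claimed = set()

    def redeem(self, txid):
        try:
            t = canonical_txid(txid)
        except ValueError:
            return False
        if t in self.claimed:
            return False
        amount = CONFIRMED.get(t)
        if amount is None or amount < PRICE_BTC:
            return False
        self.claimed.add(t)
        return True


def demo():
    """Present the same confirmed transaction twice, the second time re-cased."""
    v, h = VulnerableVerifier(), HardenedVerifier()
    return {
        "vulnerable": (v.redeem("9f3a7c1e"), v.redeem("9F3a7c1e")),
        "hardened": (h.redeem("9f3a7c1e"), h.redeem("9F3a7c1e")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable verifier accepts the re-cased ID a second time; the hardened one accepts the first presentation and refuses the second, and also rejects IDs that are not hex at all. The general rule is the same whether the identifier is a transaction hash, a filename or a username: validate and canonicalize at the boundary, then use only the canonical value for every comparison and every record.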

Be vigilant and careful!

Written by James J. Davis

Software developer with 30 years of experience