National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

AgeLocker Ransomware Targets QNAP NAS Devices and Steals Data

24 September 2020

QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device’s data and, in some cases, steals files from the victim.

AgeLocker is ransomware that utilizes an encryption algorithm called Age (Actually Good Encryption) designed to replace GPG for encrypting files, backups, and streams.

In July 2020, we reported about a new ransomware called AgeLocker that was utilizing this algorithm to encrypt victims’ files.

When encrypting files, it would prepend a text header to the encrypted data that starts with the URL ‘age-encryption.org,’ as shown below.


AGE encrypted file
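The header described above gives a defender a cheap, file-level indicator for triaging a share after an incident: a file encrypted by AgeLocker begins with the text "age-encryption.org". The following script is an added example written for this page; it is not code from the original article, from QNAP or from the ransomware. It walks a directory tree, reads only the first bytes of each file, and reports which files carry the age header and where copies of the HOW_TO_RESTORE_FILES.txt ransom note named in the article sit. The sample share it builds is constructed data; the "/v1" line in the constructed encrypted file follows the public age file format, but the check itself relies only on the "age-encryption.org" prefix the article describes.

```python
import os
import tempfile
from pathlib import Path

# Marker the article describes: AgeLocker prepends a text header that starts
# with the URL "age-encryption.org" to every file it encrypts.
AGE_HEADER_PREFIX = b"age-encryption.org"
# Ransom note file name from the QNAP campaign described in the article.
RANSOM_NOTE_NAME = "HOW_TO_RESTORE_FILES.txt"


def has_age_header(path: Path) -> bool:
    """Return True if the file begins with the age text header."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(AGE_HEADER_PREFIX))
    except OSError:
        return False
    return head == AGE_HEADER_PREFIX


def triage_tree(root) -> dict:
    """Walk a directory tree and collect age-encrypted files and ransom notes.

    Only the first bytes of each file are read, so the scan stays cheap even
    on a large NAS share. Symlinks are skipped so a loop cannot be followed.
    """
    root = Path(root)
    result = {"encrypted": [], "ransom_notes": [], "scanned": 0}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            result["scanned"] += 1
            rel = str(p.relative_to(root))
            if name == RANSOM_NOTE_NAME:
                result["ransom_notes"].append(rel)
            elif has_age_header(p):
                result["encrypted"].append(rel)
    result["encrypted"].sort()
    result["ransom_notes"].sort()
    return result


def build_sample_share() -> str:
    """Create a constructed sample share (not real victim data) for a demo run."""
    root = tempfile.mkdtemp(prefix="qnap-triage-")
    share = Path(root)
    (share / "Photos").mkdir()
    # Constructed: one file carrying the age header, one untouched file,
    # and a ransom note with the opening line quoted in the article.
    (share / "Photos" / "holiday.jpg").write_bytes(
        AGE_HEADER_PREFIX + b"/v1\n-> X25519 <constructed>\n" + b"\x00" * 32)
    (share / "Photos" / "readme.txt").write_bytes(b"plain text, untouched\n")
    (share / RANSOM_NOTE_NAME).write_text(
        "Unfortunately a malware has infected your QNAP ...\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_share())
    print(f"scanned {report['scanned']} files")
    print("age-encrypted:", report["encrypted"])
    print("ransom notes :", report["ransom_notes"])
```

Run it against a mounted share (after taking the device offline and preserving an image for forensics) by passing the mount point to `triage_tree`; the counts and paths give a quick scope of what was encrypted without touching file contents beyond the header.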

AgeLocker now targets QNAP NAS devices

Since the end of August 2020, AgeLocker, or another ransomware utilizing the same encryption, has been targeting publicly exposed QNAP NAS devices and encrypting their files.

After a victim posted in the forums and uploaded an encrypted file to ID Ransomware, Michael Gillespie was able to determine that it was encrypted with the Age encryption.

Gillespie also confirmed that AgeLocker activity had picked up towards the end of August, with the attackers continuing to target QNAP devices worldwide.


ID Ransomware submissions

When the ransomware encrypts files, it will leave behind a ransom note named HOW_TO_RESTORE_FILES.txt that tells the victim that their QNAP device was specifically targeted in the attack.

“Unfortunately a malware has infected your QNAP and a large number of your files has been encrypted using a hybrid encryption scheme.”


AgeLocker-QNAP Ransom Note

In one submission to ID-R, Michael Gillespie reports that the attackers state they first stole unencrypted files that contain “medical data, scans, backups, etc.”

It is unknown how much they are demanding as a ransom or how the attackers are gaining access to the QNAP devices.

Unfortunately, there is no way to recover files encrypted by AgeLocker for free.

How to secure an encrypted QNAP NAS device

QNAP has previously been targeted by the eCh0raix Ransomware, which exploited vulnerabilities in the device to encrypt data.

At the time, QNAP provided the following steps to make sure you are running the latest firmware and vulnerabilities have been patched:

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

QNAP also suggests users update the Photo Station software with the following steps:

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the magnifying glass.
    A search box appears.
  3. Type “Photo Station,” and then press ENTER.
    The Photo Station application appears in the search result list.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.

Finally, all QNAP owners should go through the following checklist to further secure their NAS and check for malware:

• Change all passwords for all accounts on the device
• Remove unknown user accounts from the device
• Make sure the device firmware is up-to-date, and all of the applications are also updated
• Remove unknown or unused applications from the device
• Install QNAP MalwareRemover application via the App Center functionality
• Set an access control list for the device (Control panel -> Security -> Security level)

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
