QNAP NAS vulnerabilities exploited to deploy ransomware
Vulnerabilities in QNAP Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.7z’ extension and require a password to decrypt.
QNAP has released updates to affected software, as well as its malware scanning tool to detect this activity. CERT NZ advises all organisations with QNAP NAS devices to update and run the malware scanner immediately, and then apply all other software updates.
QNAP NAS devices running QTS operating system or add-ons with the following versions.
Hybrid Backup Sync versions before:
- 16.0.0415 for QTS 4.5.x
- 3.0.210412 for QTS 4.3.x
- 16.0.0419 for QuTS hero and QuTScloud
Media Streaming add-on versions before:
Multimedia Console versions before:
QTS versions before:
- 220.127.116.116 Build 20210202
- 18.104.22.1680 Build 20210322
- 4.2.6 Build 20210327
- QuTS hero h22.214.171.1241 build 20201119
What to look for
How to tell if you're at risk
If you have a QNAP NAS devices and have not yet applied the latest updates to:
- HBS 3,
- Multimedia Console,
- Media Streaming add-on, or
- QTS operating system.
How to tell if you're affected
Affected QNAP NAS devices will have files encrypted in a .7z format and a ransom note will be present on your system labelled “!!!READ_ME.txt”
QNAP has published a support article External Link about how to detect and respond to this incident.
What to do
These steps apply for both prevention and mitigation.
Note: Do not restart your QNAP NAS device until step 3, as if there is ransomware running, you may not be able to recover the encryption key and your data.
- Make sure that the device is not exposed to the internet, particularly the web interface or file shares.
- Update and run QNAP Malware Remover. The Malware Remover may be able to recover the password required to recover your encrypted files. If Malware Remover finds the ransomware, it will attempt to recover the password.
- Once the device is clear of ransomware, update the QTS operating system and all installed add-ons. This is when you can restart your device.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on
027 442 2141.