Qlocker is a ransomware strain that targeted QNAP network-attached storage (NAS) devices in a large-scale campaign beginning on 2021-04-19. It primarily affected internet-exposed QNAP systems and abused vulnerabilities in QNAP applications to remotely launch the built-in 7-Zip utility, placing victim files into password-protected .7z archives rather than using a custom encryption routine. Affected users were left with a ransom note named "!!!READ_ME.txt" containing a unique client key and instructions to access a Tor payment site, where operators demanded 0.01 BTC (reported as roughly $550 at the time) in exchange for the per-victim archive password. The password was unique to each victim and could not be reused across devices.
High-confidence reporting in the content states QNAP believed the campaign exploited CVE-2020-36195, an SQL injection vulnerability in Multimedia Console and the Media Streaming Add-on, and also referenced CVE-2021-28799 in HBS 3 Hybrid Backup Sync as potentially involved. QNAP reported fixes for CVE-2020-36195 and CVE-2020-2509 on 2021-04-16, and advised users to update Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync, install and run the latest Malware Remover, and avoid rebooting already-affected devices. During active attacks, numerous "7z" processes could be observed, and QNAP Malware Remover was described as quarantining scripts such as /tmp/qnap/r.py and /tmp/qnap/re.sh. The content also notes a possible recovery avenue on non-rebooted devices by extracting the archive password from /mnt/HDA_ROOT/7z.log, or from /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/7z.log after Malware Remover activity.
The campaign was widely reported as infecting hundreds of QNAP devices per day. Qlocker is consistently associated with QNAP-focused ransomware activity and is mentioned alongside other operations such as DeadBolt, Checkmate, and eCh0raix as part of the broader pattern of ransomware targeting vulnerable QNAP NAS appliances.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
QNAP NASの脆弱性悪用事例として過去の比較対象として言及されたランサムウェア。
Ransomware operation reported targeting QNAP NAS devices.
Ransomware targeting QNAP NAS devices; it places victims’ files into password-protected 7zip archives and demands a ransom payment for recovery.
Ransomware targeting QNAP NAS devices that abuses built-in 7-Zip to place victim files into password-protected .7z archives and drops a !!!READ_ME.txt ransom note directing victims to a Tor payment site to obtain the archive password.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.