[SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
User avatar
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

[SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by Toxic17 »

Here we go again!

https://www.qnap.com/en-us/security-advisory/qsa-21-15

AgeLocker Ransomware
  • Release date: April 29, 2021
  • Security ID: QSA-21-15
  • Severity: High
  • Affected products: QNAP NAS running QTS 4.3.x
  • Status: Investigating
Summary
The QNAP security team has detected ransomware in the wild known as AgeLocker.

Our initial investigation has found that devices infected by the ransomware typically exhibit the following characteristics and symptoms:
  • The affected devices run QTS 4.3.x.
  • The file name of the ransom note is HOW_TO_RESTORE_FILES.txt.
  • Encrypted files are hidden and their file names start with a period (.).
  • The extension of the encrypted files is a random meaningless string (for example, “.udUS”, “WD51”).
  • The ransomware empties system event logs and system connection logs in System Logs.
Recommendation
To secure your device, we strongly recommend regularly updating QTS and all installed applications to their latest versions to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

To further secure your device, do not expose your NAS to the internet. If you must connect your NAS to the internet, we highly recommend using a trusted VPN or a myQNAPcloud link.

Updating QTS
  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating All Installed Applications
  1. Log on to QTS as administrator.
  2. Go to App Center.
  3. Select My Apps.
  4. Beside Install Updates, click All.
    A confirmation message appears.
  5. Click OK.
    QTS updates all your installed applications to their latest versions.
Revision History:
V1.1 (May 11, 2021) - Initial investigation results added
V1.0 (April 29, 2021) - Published

Prior to this, AgeLocker was a known QNAP ransomware from last year: https://www.qnap.com/en-us/security-advisory/qsa-20-06
User avatar
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY ADVISORY] AgeLocker Ransomware

Post by Toxic17 »

looks like QNAP covering all bases - "update everything and hope you dont get infected"

Waiting for what next.....
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
User avatar
Guapo81
Know my way around
Posts: 159
Joined: Tue Jun 21, 2011 4:22 pm
Location: Netherlands

Re: [SECURITY ADVISORY] AgeLocker Ransomware

Post by Guapo81 »

Toxic17 wrote: Thu Apr 29, 2021 9:41 pm looks like QNAP covering all bases - "update everything and hope you dont get infected"

Waiting for what next.....
Big question, is this about the same infection, that was reported last year?;

https://www.bleepingcomputer.com/news/s ... eals-data/

Or is it something new again?

One would expect that people hit by this would already report it, but from the looks of it, not much to find about it so far...
QNAP TS-h886-64G 2x Samsung 970PRO NVMe SSD (RAID1, System), 2x Samsung 860 PRO SSD (RAID1, VM) 4x Seagate EXOS X16 16TB (RAID5, Data) - FW: QuTS-hero
QNAP TVS-682-i3-32G 4x HGST HUH728060ALN600 (RAID5, Backup) - FW: QTS
QNAP TVS-463 4x Seagate ST2000VN000 (RAID5, Surveillance, Backup) - FW: QTS
Former units: TS-469Pro, TS-459ProII, TS-269Pro, Qgenie
elvisimprsntr

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by elvisimprsntr »

To further secure your device, do not expose your NAS to the internet. If you must connect your NAS to the internet, we highly recommend using a trusted VPN or a myQNAPcloud link.
Unless myQNAPcloud is the vulnerability!
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by ColHut »

elvisimprsntr wrote: Thu Apr 29, 2021 9:59 pm
To further secure your device, do not expose your NAS to the internet. If you must connect your NAS to the internet, we highly recommend using a trusted VPN or a myQNAPcloud link.
Unless myQNAPcloud is the vulnerability!
I actually think the above is the most honest advice on security they have given in sometime.

They just need to inject all their glossy product pages with a similar warning.

Regards.
pbrunnen
Starting out
Posts: 21
Joined: Wed Sep 14, 2011 6:40 am

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by pbrunnen »

ColHut wrote: Sat May 01, 2021 12:55 am I actually think the above is the most honest advice on security they have given in sometime.

They just need to inject all their glossy product pages with a similar warning.
Yea, but the fact that QNap is not being transparent about how these infections are happening makes me both uneasy and suspicious.

Like elvisimprsntr said, maybe myQNAPcloud is the culprit in which case having your NAS port forwarded to the Internet is irrelevant to this vector.

I've never had a NAS port-forwarded to the Internet for any reason, but I've just blocked all my QNap boxes for myself and all my customers from *all* outbound Internet activity except udp/ntp. Not that I've ever setup or used myQNAPcloud, but I don't trust QNap at all anymore.
upshifted
New here
Posts: 5
Joined: Wed May 21, 2014 10:44 am

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by upshifted »

It would increase my comfort if for when there is a situation like this where there is no known, confirmed, safe mitigation, that this kind of advisory could be updated every two days to let us know what is going on.
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by ColHut »

FWIW I seem to have ducked the current ransomware, was using myqnapcloud for the nas to nas backups. Now switching to QVPN (router based vpn not an option). There were ports forwarded for what I thought were important things , now turned off.
YMMV.

Regards
User avatar
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY ADVISORY] AgeLocker Ransomware - QSA-21-15 - 29th April 2021

Post by Toxic17 »

Updated initial post with "V1.1 (May 11, 2021) - Initial investigation results added" changes
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
Post Reply

Return to “Users' Corner”