# AgeLocker ransomware targets QNAP NAS devices, steals data

**[bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/](https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), September 23, 2020 03:37 PM

QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device's data and, in some cases, steals files from the victim.

AgeLocker is ransomware that utilizes an encryption algorithm called [Age (Actually Good Encryption)](https://docs.google.com/document/d/11yHom20CrsuX8KQJXBBw04s80Unjv8zCg_A7sPAX_9Y/preview), designed to replace GPG for encrypting files, backups, and streams.

In July 2020, [we reported about a new ransomware called AgeLocker](https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/) that was utilizing this algorithm to encrypt victims' files.

When encrypting files, it would prepend a text header to the encrypted data that starts with the URL 'age-encryption.org,' as shown below.

**AGE encrypted file**

## AgeLocker now targets QNAP NAS devices

Since the end of August 2020, AgeLocker, or another ransomware utilizing the same encryption, has been targeting publicly exposed QNAP NAS devices and encrypting their files.

After a [victim in the BleepingComputer forums](https://www.bleepingcomputer.com/forums/t/732099/qnap-ransomware-unknown-extension-file/) uploaded an encrypted file to ID Ransomware, [Michael Gillespie](https://twitter.com/demonslay335) could determine that it was encrypted with the Age encryption.

Gillespie also confirmed that AgeLocker had picked up in activity towards the end of August as they continued to target QNAP devices worldwide.
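The two file-level indicators this article gives, the 'age-encryption.org' text header and the HOW_TO_RESTORE_FILES.txt ransom note it names further down, are enough to scope the damage on a mounted share. The script below is an added example, not code from the article, QNAP or ID Ransomware; `has_age_header`, `scan_share` and the sample tree are names and data constructed here.

```python
import os
import tempfile

AGE_MAGIC = b"age-encryption.org"         # header prefix described in the article
RANSOM_NOTE = "HOW_TO_RESTORE_FILES.txt"  # ransom note name given in the article


def has_age_header(path):
    """Return True if the file begins with the age text header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(AGE_MAGIC)) == AGE_MAGIC
    except OSError:
        return False  # unreadable file: skip it instead of aborting the sweep


def scan_share(root):
    """Walk root; return ransom note paths and age-headed file counts per directory."""
    notes, per_dir = [], {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        rel = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif os.path.isfile(full) and not os.path.islink(full) and has_age_header(full):
                per_dir[rel] = per_dir.get(rel, 0) + 1
    return {"encrypted": sum(per_dir.values()), "notes": sorted(notes), "per_dir": per_dir}


def build_sample(root):
    """Write a constructed sample tree (no real victim data) for an offline run."""
    samples = {
        "scans/ct_001.dcm": AGE_MAGIC + b"/v1\n(constructed body)\n",
        "scans/ct_002.dcm": AGE_MAGIC + b"/v1\n(constructed body)\n",
        "scans/" + RANSOM_NOTE: b"(constructed placeholder note)\n",
        "docs/readme.txt": b"see age-encryption.org for the format\n",  # URL not at offset 0
        "docs/empty.bin": b"",                                          # shorter than the header
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = scan_share(tmp)
        print(report["encrypted"], "files with age header;", len(report["notes"]), "ransom note(s)")
        for directory, count in sorted(report["per_dir"].items()):
            print(f"  {directory}: {count}")
```

A hit only means the file carries an age header, so backups the owner encrypted with age themselves are counted as well.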
**ID Ransomware submissions**

When the ransomware encrypts files, it will leave behind a ransom note named **HOW_TO_RESTORE_FILES.txt** that tells the victim that their QNAP device was specifically targeted in the attack.

"Unfortunately a malware has infected your QNAP and a large number of your files has been encrypted using a hybrid encryption scheme."

**AgeLocker-QNAP Ransom Note**

In one submission to ID-R, Michael Gillespie reports that the attackers state they first stole unencrypted files that contain "medical data scans backups etc".

It is unknown how much they are demanding as a ransom or how the attackers are gaining access to the QNAP devices.

Unfortunately, there is no way to recover files encrypted by AgeLocker for free.

## How to secure an encrypted QNAP NAS device

QNAP has previously been targeted by the [eCh0raix Ransomware](https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/), which exploited vulnerabilities in the device to encrypt data.

At the time, [QNAP provided the following steps](https://www.qnap.com/en/security-advisory/qsa-20-02) to make sure you are running the latest firmware and vulnerabilities have been patched:

1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update. QTS downloads and installs the latest available update.

**Tip:** You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

QNAP also suggests users update the Photo Station software with the following steps:

1. Log on to QTS as administrator.
2. Open the App Center, and then click . A search box appears.
3. Type "Photo Station," and then press ENTER. The Photo Station application appears in the search result list.
4. Click Update. A confirmation message appears.
   **Note:** The Update button is not available if you are using the latest version.
5. Click OK. The application is updated.

Finally, all QNAP owners should go through the following checklist to further secure their NAS and check for malware:

- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date, and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install QNAP MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level)

### Comments

[Andre_M - 1 year ago](https://www.bleepingcomputer.com/forums/u/1183114/andre-m/)

Did somebody get their data back by paying ransom or somehow else?

[Andre_M - 1 year ago](https://www.bleepingcomputer.com/forums/u/1183114/andre-m/)

Hackers gave me a decryptor after some negotiation. After 48 hours (4TB of DATA) all QNAP Server was decrypted. More details here: https://www.bleepingcomputer.com/forums/t/726030/agelockerransomware-support-topic/?p=5091353