www.belgium.be Logo of the federal government

Ransomware Targeting QNAP NAS devices

Advisory #2020-031
Affected software: 
QTS Photo Station




Ransomware like AgeLocker can leave all your files encrypted and leaked to the ransomware operator. They may ask money to retrieve your files, extort you into exposing your data, or leave your data and device inaccessible.


A recent wave of ransomware has been targeting QNAP. The most recent wave is caused by the AgeLocker ransomware, which steals your data, and then encrypts your device, asking for a ransom. No free decryption tool exists as of yet.
It is currently not known how the attackers break into the devices, but researchers suspect attackers may use similar methods as the recent eCh0raix ransomware, which exploited vulnerabilities in the QTS Photo Station app.

Recommended Actions

* Ensure the systems firmware and all applications running on the device are always at the latest version.
* Ensure none of the passwords are left default or blank. Make sure you have a strong password policy
* Remove unknown and unused user accounts
* Remove unknown and unused applications from the device.
* Install the QNAP MalwareRemover application.
* Change default ports
* Do not make your QNAP device accessible from the internet. In case the device has to be publicly accessible, consider placing it behind a VPN, and using strict access control