After earning $350,000 within a month by exploiting vulnerabilities in QNAP NAS devices the Qlocker ransomware gang has shut down its operation. From 19th April, QNAP and NAS device owners globally suddenly found that their device’s files were directly replaced by password-protected 7-zip archives.

Furthermore to encoded files, QNAP owners found a !!!READ_ME.txt ransom note analyzes that all files were encoded and need to go through the Tor site first to pay a ransom to access the files.

To access the password of the files the Tor site identify the attackers as Qlocker and demanded .01 bitcoins (cryptocurrency), or money of about $550.

Later, it was found that the threat attackers conducted the attacks using recently disclosed QNAP vulnerabilities that permit threat actors to encode the victim’s files using the built-in 7-zip application remotely. Using such a simple approach permits them to encode thousands of devices in a month.

Why Qlocker shut down the operation?

Approaching the possible sign of their shutdown, Qlocker Tor sites start displaying a message which states that “The site will be closed soon.”

Qlocker gang starts a bait-and-switch tactic recently when it came to ransom payments.

Sufferer reported that after paying the demanded ransom of .01 bitcoins and submitting the transaction ID on the Qlocker Tor site, the site would say that they have to pay an additional ransom of about .02 bitcoins to get their files back.

During their bait-and-switch, the Qlocker site would state that “Bitcoin is getting harder to find, time waits for nothing. The new price is 0.03.”

Ultimately the given site shut down, but another Qlocker Tor site arrived a day or so later. According to a survey, the victims said that all the Qlocker Tor sites are unavailable or inaccessible, and victims don’t have another way to pay the demanded money to the Qlocker gang.

Due to the DarkSide ransomware attack on Colonial Pipeline and the successive enhance of pressure by US law administrate, the DarkSide ransomware Shut down, and Revil has going to restrict their targets.

Since then all the other operations of ransomware’ Tor sites have gone offline, along with Ako/Ramzy and Everest. But it’s not clear that the shutdown of the Qlocker sites is related to fear of increased law of administrative activity.

How the Money Followed?

Rather than asking for millions of dollars to recover files, the Qlocker gang priced their ransom demands at only $500, by which many businesses paying the ransom to recover the files.

 The fixed set of Bitcoin addresses were rotated through the victims during the Qlocker ransomware operation, it has been possible to track the number of bitcoins in ransom payments.

From a survey, it concludes that twenty-two Qlocker Bitcoin addresses are found and 8.93258497 bitcoins are paid in ransomware. For today that is worth about $353,708, but before a week Bitcoin crashed and that same count of bitcoins become worth $450,000.

So if we want to find the exact number of victims then it comes out to approximately 893 victims who successfully paid their ransom by just dividing the ransom payment of .01 bitcoins. This amount might be larger if the Qlocker gang used various bitcoin addresses.