Front Page: Traficom
Front Page: Traficom
Menu

Spike in malware observations helped find over 100,000 devices infected by QSnatch across the world

Information security now!

How can individual Autoreporter observations help track globally significant malware? We have previously released information on how QSnatch works and how users can clean infected devices. Now we will tell you how we first detected the malware. QSnatch has attracted attention from Europe to Asia: at least 100,000 QSnatch infections have been detected across the world.

"QSnatch-artikkelin kuvituskuva, jossa haittaohjelmasta varoittava kolmio"

We want to begin by thanking Doina Cosovan, researcher at SecurityScorecard, for making the first QSnatch observation. Without Cosovan’s contribution, the malware could not have been found.

Something rotten in Autoreporter

A single spike of approximately 200 Autoreporter observations caught our attention on 11 October 2019. About a week later, individual incidents turned into a more steady flow of observations.

Our Chief Specialist Ilkka Sovanto began examining the malware in more detail on 22 October and started to locate and analyse the samples. Observations indicated that we were talking about Windows malware. However, they also pointed at QNAP storage devices that do not run on Windows.

At least 100,000 infections

A few hundred QSnatch observations have been reported in Finland. These infections have mainly concerned consumer devices used at home, but also some business devices have been infected. Globally, at least 100,000 QSnatch infections have been detected. For example, the German information security authority CERT-Bund has reported approximately 7,000 infections in Germany.

This means that QSnatch is an important international malware. The high number of infections indicates an automated attack. The attacker’s objective remains unclear, but it is certain that the infected storage devices contain vast amounts of valuable data to which hackers have now had access.

Active Coordination Centre + smooth international cooperation = efficient cleaning operation

The situation is not over yet. Even though the device manufacturer QNAP has released a malware removal tool, QSnatch is difficult to eradicate completely. Therefore, we will continue to analyse the malware with our international cooperation networks.

This case is a great reminder of how important malware observations are in the fight against malware infections and in ensuring the reliable functioning of Finnish information networks. Autoreporter was of great help, too. Our international networks also play a key role for example by helping us quickly communicate information on malware infections. International cooperation enables us to form a more detailed situational picture of any event.

At the beginning of November, QNAP released updated versions of their security advice and the tool Malware Remover. For more information on how QSnatch functions and how you can remove the malware from infected devices, please see our article “QSnatch - Malware designed for QNAP NAS devices”.

The original article was published on 20.07.2019 in Finnish. (External link)

Autoreporter

With the help of the Autoreporter system, we and telecommunications operators join forces in the fight against malware. The service sends automatic reports to network administrators about information security incidents detected in their networks.