QSnatch Malware

A new strain of malware called QSnatch (also known as ‘Derek’) looks for QNAP NAS devices that are potentially vulnerable to QSnatch malware, if not updated with the latest security fixes you could be infected. This was reported from the UK National Cyber Security Centre.


Thousands of devices worldwide with a particularly high number of infections in North America and Europe. Once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

“Hackers have infected thousands of network-attached storage (NAS) devices from Taiwanese vendor QNAP with a new strain of malware named QSnatch.”

The malware’s code revealed the following capabilities:

  • Modify OS timed jobs and scripts (cronjob, init scripts)
  • Prevent future firmware updates by overwriting update-source URLs
  • Prevents the native QNAP MalwareRemover App from running
  • Extracts and steals usernames and passwords for all NAS users

How to protect your QNAP NAS storage device?

  • Make sure you have updated your devices with the latest patches
  • Change your passwords
  • Remove any unwanted/unknown user accounts
  • Install QNAP MalwareRemover application via the App Center functionality

Global distribution of infections

Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 3,900 were in the UK and 7,600 were in the US. Figure 1 below shows the location of these devices in broad geographic terms.