eCh0raix ransomware is back and targets QNAP NAS devices again

June 6, 2020  By Pierluigi Paganini


eCh0raix Ransomware operators are back after months of apparent inactivity, now are targeting QNAP storage devices in a new campaign.

Threat actors behind the eCh0raix Ransomware have launched a new campaign aimed at infecting QNAP storage devices.

The eCh0raix ransomware was appeared in the threat landscape in June 2019 by experts at security firms Intezer and Anomali.

The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems, attackers exploits known vulnerabilities or carry out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

On June 1, BleepingComputers observed a surge in the number of users reporting eCh0raix infections in its forums.

The following graph shows the submissions to the ransomware identification site ID-Ransomware.

Source Bleeping Computer

Hackers are targeting QNAP devices attempting to exploit well-known vulnerabilities or by brute-forcing weak passwords.

QNAP released a security dvisory for the following NAS that could be exploited by attackers to inject malicious code or perform remote code execution. An attacker could trigger these issue to install the ransomware on vulnerable devices.

QNAP already addressed the vulnerabilities issues in the following QTS versions:

  • QTS 4.4.2.1270 build 20200410 and later
  • QTS 4.4.1.1261 build 20200330 and later
  • QTS 4.3.6.1263 build 20200330 and later
  • QTS 4.3.4.1282 build 20200408 and later
  • QTS 4.3.3.1252 build 20200409 and later
  • QTS 4.2.6 build 20200421 and later

Upon accessing QNAP NAS devices, the attackers deploy the ransomware, which start encrypting the files on the device.

Crooks demand $500 worth of bitcoin to decrypt the files, the instructions to pay the ransom are included in the note “README_FOR_DECRYPT.txt” that is dropped on the device.

Experts warn that unlike previous versions of the eCh0raix ransomware, this latest doesn’t allow victims to recover files for free.

Users that have enabled QNAP’s block-based snapshot feature in the past, can recover the files using the snapshots.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – eCh0raix, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Maze Ransomware leaks files of ST Engineering group

 ST Engineering is the last victim of the Maze Ransomware operators that published their data on their leak website. ST...