Threat actors behind the eCh0raix Ransomware have launched a new campaign aimed at infecting QNAP storage devices.
The eCh0raix ransomware appeared in the threat landscape in June 2019, when it was documented by experts at security firms Intezer and Anomali.
The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems; the attackers exploit known vulnerabilities or carry out brute-force attacks.
The ransomware, tracked as “QNAPCrypt” by Intezer and as “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends the .encrypt extension to the filenames of encrypted files.
On June 1, BleepingComputer observed a surge in the number of users reporting eCh0raix infections in its forums.
The following graph shows the submissions to the ransomware identification site ID-Ransomware.
Hackers are targeting QNAP devices by attempting to exploit well-known vulnerabilities or by brute-forcing weak passwords.
QNAP released a security advisory for the following NAS vulnerabilities that could be exploited by attackers to inject malicious code or perform remote code execution. An attacker could trigger these issues to install the ransomware on vulnerable devices.
QNAP already addressed the vulnerabilities in the following QTS versions:
Upon accessing QNAP NAS devices, the attackers deploy the ransomware, which starts encrypting the files on the device.
Crooks demand $500 worth of bitcoin to decrypt the files; the instructions to pay the ransom are included in the note “README_FOR_DECRYPT.txt” that is dropped on the device.
Experts warn that, unlike previous versions of the eCh0raix ransomware, this latest version doesn’t allow victims to recover files for free.
Users who have enabled QNAP’s block-based snapshot feature in the past can recover the files using the snapshots.
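To scope which folders need restoring from a snapshot, the following added example (not code from the original article, QNAP, Intezer or Anomali) walks a mounted share and reports, per directory, the two indicators named above: files ending in .encrypt and the README_FOR_DECRYPT.txt note. It assumes the modification time of each .encrypt file reflects when the ransomware wrote it; the function names `triage` and `encryption_window` are hypothetical.

```python
import os
import sys
from datetime import datetime, timezone

ENCRYPTED_EXT = ".encrypt"              # extension named in the article
RANSOM_NOTE = "README_FOR_DECRYPT.txt"  # ransom note named in the article


def triage(root):
    """Walk root and summarise eCh0raix indicators per affected directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        note = RANSOM_NOTE in files
        if not hits and not note:
            continue  # directory shows neither indicator
        mtimes = []
        for name in hits:
            try:
                mtimes.append(os.stat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                pass  # unreadable or vanished file: still counted, no timestamp
        findings[dirpath] = {
            "encrypted": len(hits),
            "intact": len(files) - len(hits) - int(note),
            "note": note,
            "first": min(mtimes) if mtimes else None,
            "last": max(mtimes) if mtimes else None,
        }
    return findings


def encryption_window(findings):
    """Earliest and latest mtime over all encrypted files (UTC), or None.
    Assumption: mtime of a .encrypt file is when the ransomware wrote it."""
    firsts = [f["first"] for f in findings.values() if f["first"] is not None]
    lasts = [f["last"] for f in findings.values() if f["last"] is not None]
    if not firsts:
        return None
    return (datetime.fromtimestamp(min(firsts), tz=timezone.utc),
            datetime.fromtimestamp(max(lasts), tz=timezone.utc))


if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, f in sorted(report.items()):
        print(f"{path}: {f['encrypted']} encrypted, {f['intact']} intact, note={f['note']}")
    window = encryption_window(report)
    if window:
        print("encryption window (UTC):", window[0].isoformat(), "to", window[1].isoformat())
```

A snapshot taken before the start of the reported window is the candidate for restoring the listed directories.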
(SecurityAffairs – eCh0raix, cybersecurity)