eCh0raix ransomware is back and targets QNAP NAS devices again

Pierluigi Paganini June 06, 2020

eCh0raix Ransomware operators are back after months of apparent inactivity, now are targeting QNAP storage devices in a new campaign.

Threat actors behind the eCh0raix Ransomware have launched a new campaign aimed at infecting QNAP storage devices.

The eCh0raix ransomware was appeared in the threat landscape in June 2019 by experts at security firms Intezer and Anomali.

The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems, attackers exploits known vulnerabilities or carry out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

On June 1, BleepingComputers observed a surge in the number of users reporting eCh0raix infections in its forums.

The following graph shows the submissions to the ransomware identification site ID-Ransomware.

Hackers are targeting QNAP devices attempting to exploit well-known vulnerabilities or by brute-forcing weak passwords.

QNAP released a security dvisory for the following NAS that could be exploited by attackers to inject malicious code or perform remote code execution. An attacker could trigger these issue to install the ransomware on vulnerable devices.

QNAP already addressed the vulnerabilities issues in the following QTS versions:

  • QTS 4.4.2.1270 build 20200410 and later
  • QTS 4.4.1.1261 build 20200330 and later
  • QTS 4.3.6.1263 build 20200330 and later
  • QTS 4.3.4.1282 build 20200408 and later
  • QTS 4.3.3.1252 build 20200409 and later
  • QTS 4.2.6 build 20200421 and later

Upon accessing QNAP NAS devices, the attackers deploy the ransomware, which start encrypting the files on the device.

Crooks demand $500 worth of bitcoin to decrypt the files, the instructions to pay the ransom are included in the note “README_FOR_DECRYPT.txt” that is dropped on the device.

Experts warn that unlike previous versions of the eCh0raix ransomware, this latest doesn’t allow victims to recover files for free.

Users that have enabled QNAP’s block-based snapshot feature in the past, can recover the files using the snapshots.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – eCh0raix, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment