A new variant of the eCh0raix ransomware is able to infect Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.
The eCh0raix ransomware has been active since at least 2019, when experts from security firms Intezer and Anomali separately discovered samples of the ransomware targeting Network Attached Storage (NAS) devices.
NAS servers are a privileged target for hackers because they normally store large amounts of data. The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP; threat actors exploited known vulnerabilities or carried out brute-force attacks.
The ransomware, tracked by Intezer as “QNAPCrypt” and by Anomali as “eCh0raix”, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends the .encrypt extension to the filenames of encrypted files.
QNAP was informed of ongoing eCh0raix ransomware attacks that infected its NAS devices by abusing weak passwords.
Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.
In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.
In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices in which threat actors conducted brute-force attacks against them.
Now researchers from Palo Alto Networks’ Unit 42 have discovered a new variant that, for the first time ever, targets NAS devices from both vendors.
“Unit 42 researchers have discovered a new variant of eCh0raix ransomware targeting Synology network-attached storage (NAS) and Quality Network Appliance Provider (QNAP) NAS devices. To achieve this, attackers are also leveraging CVE-2021-28799 to deliver the new eCh0raix ransomware variant to QNAP devices.” reads the report published by Palo Alto Networks researchers. “While eCh0raix is known ransomware that has historically targeted QNAP and Synology NAS devices in separate campaigns, this new variant is the first time we’ve seen it combining functionality to target both QNAP and Synology NAS devices, demonstrating that some ransomware developers are continuing to invest in optimizing the tools used to target devices common in the small office and home office (SOHO).”
Palo Alto Networks researchers said that some 250,000 QNAP and Synology NAS devices are exposed to the Internet, according to data from the Cortex Xpanse platform.
The ransomware gang behind the attacks exploits the CVE-2021-28799 vulnerability in QNAP NAS devices to access them, while targeting Synology NAS devices with brute-force attacks.
Once a device is compromised, the threat actors employ it in a botnet used in attacks aimed at Linux systems, including Synology NAS devices.
Researchers provided the following recommendations for protecting home offices from ransomware attacks:
(SecurityAffairs – hacking, NAS)