Experts at security firms Intezer and Anomali have separately discovered a new piece of
“We have named the
“The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends
"All your data has been locked
( crypted). How to unclock (decrypt) instruction located inthis TOR website: http ://sg3dwqfpnr4sl5hh .onion/order/[Bitcoin address] Use TOR browser foraccess . onionwebsites. https://duckduckgo.com/html?q=tor+browser+how+to Do NOT remove this file and NOT remove last line in this file!"
[base64 encoded encrypted data]
The good news is that experts discovered a logical weakness in the ransomware code that allowed them to temporarily halt the infections.
When the malware infects a QNAP device, it first connects to its remote command-and-control server (sg3dwqfpnr4sl5hh
The ransomware uses a different Bitcoin wallet per each infected system, the attacker’s C&C server contains a predefined list of already created
The experts noticed that if the server runs out of unique
“Since the authors behind this ransomware were delivering one Bitcoin wallet per victim from a static pool of already generated wallets, we could replicate the infection packets to retrieve all of the wallets until they had no further wallets under their control.” continues Intezer.”Therefore, when a genuine infection would occur, the ransom client would not be able to retrieve configuration artifacts.”
The experts at Intezer exploited the above process to create a script that allowed them to saturate the attacker’s pool of available
The experts were able to collect a total of 1,091 unique wallets ready to be delivered to new victims distributed among 15 different campaigns.
The ransomware before starting the encryption process attempts to kill a specific list of processes, including apache2, httpd, MySQL, mysql, nginx, and PostgreSQL.
Once the ransomware got its unique
Experts at Anomali speculate that researchers could write a
“Malware initializes the math random page with the seed of the current time. Since it is using the math’s package to generate the secret key, it is not cryptographically random, and it is likely possible to write a
“The threat actor targets QNAP NAS devices that are used for file storage and backups. It is not common for these devices to run antivirus products, and currently, the samples are only detected by 2-3 products on VirusTotal, which allows the ransomware to run uninhibited.”
Additional technical details, including Yara rules and IoCs are reported in the analysis published by both security firms.
(SecurityAffairs – NAS ransomware, malware)