New ransomware strain eCh0raix targets QNAP NAS devices

Malware takes advantage of unpatched backup and storage systems

A new ransomware strain is infecting QNAP Network Attached Storage (NAS) devices by brute-forcing weak credentials, researchers have warned.

The attack, dubbed eCh0raix, can infect and decrypt documents on systems, developed by QNAP, that are exposed to the internet.

It exploits known vulnerabilities, the research team from Anomali said, relying on unpatched devices.

The attack brute-forces weak credentials, delivering a malicious payload to encrypt the targeted file extensions on the NAS devices.

After connecting to the C2 server, the ransomware then delivers a ransom note, a public key, and allows the attackers to gain real-time insight on the malware’s activity.

It isn’t clear how many devices have been affected, but both consumer and enterprise models are being targeted, researchers told The Daily Swig.

Interestingly, researchers said that the threat actor appears to be scanning for any devices exposed on the internet – but is disregarding those located in Russia, Ukraine, and Belarus.

A typo in the ransom note – ‘unclock’ – has left researchers to believe that the threat actors behind the campaign may not be native-English speakers.

The team first discovered the ransomware during a data collection exercise.

“The initial triaging suggested it was built for QNAP devices. It was compiled in a folder called ‘qnap_crypt_worker’,” Joakim Kennedy, Anomali threat intelligence manager, told The Daily Swig.

“It’s a combination we usually don’t see, so we decided to look at the sample deeper. Ransomware can cause huge disruptions to enterprises and individuals.

“We wanted to analyze it to hopefully reduce its potential impact on victims. By sharing the research, we also hope to disrupt the adversaries,” Kennedy said.

The attack appears to use a hardcoded public key with a unique key for each target – though this doesn’t mean that any QNAP users can afford to relax, whether they are likely to be targeted or not.

“Any organizations or individuals should be concerned if they have QNAP devices accessible over the internet that are not patched or which have weak credentials,” Kennedy warned.

“If you have a QNAP device, you now know there is an active threat against it. You can take action to mitigate the threat.

“If you are not a QNAP owner, you can still use this intelligence proactively. It is now known that there is a threat targeting NAS devices exposed to the Internet.

“The actor may target different NAS products further down the line. Organizations now have the opportunity to protect their NAS devices by using our suggested mitigations, before they are attacked.”

Taiwanese company QNAP has offered some advice to mitigate against ransomware attacks and recover data in the event of an attack.