A new wave of ech0raix ransomware attacks targets QNAP NAS devices

Pierluigi Paganini December 27, 2021

A new wave of ech0raix ransomware attacks is targeting QNAP network-attached storage (NAS) devices.

The threat actors behind the ech0raix ransomware are targeting NAP network-attached storage (NAS) devices. Users reported numerous compromises of their devices a few days before Christmas.

According to BleepingComputer, forum users reported an intensification of the attacks since December 20, the analysis of submissions to the ID ransomware service for this specific threat started to increase on December 19 and reached a peak on December 20.

At this time, it is not clear how threat actors compromised the QNAP devices, some users claim that attackers exploited a flaw in the Photo Station software to hack them.

The attackers first create a user in the administrator group, then use it to encrypt the content of the NAS.

Experts noticed that the threat actor behind this campaign mistyped the extension for the ransom note using the “.TXTT” extension.

ech0raix ransomware operators demand a ransom raising from .024 ($1,200) up to .06 bitcoins ($3,000).

“It is important to note that there is a free decryptor for files locked with an older version (before July 17th, 2019) of eCh0raix ransomware. However, there is no free solution to decrypt data locked by the latest variants of the malware (versions 1.0.5 and 1.0.6).” reported BleepingComputer.

In August, a new variant of the eCh0raix ransomware started infecting Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.

The eCh0raix ransomware has been active since at least 2019, when eExperts from security firms Intezer and Anomali separately discovered sample of the ransomware targeting Network Attached Storage (NAS) devices.

NAS servers are a privileged target for hackers because they normally store large amounts of data.The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP, threat actors exploited known vulnerabilities or carried out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ech0raix)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment