Cyber Crime

Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS

Experts warn of a new ech0raix ransomware campaign targeting QNAP Network Attached Storage (NAS) devices.

Bleeping Computer and MalwareHunterTeam researchers, citing user reports and sample submissions on the ID Ransomware platform, warn of a new wave of ech0raix ransomware attacks targeting QNAP Network Attached Storage (NAS) devices.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

The ransomware has been active since at least 2019, the last wave of ech0raix attacks was discovered in December 2021, at the time ransomware operators were demanding a ransom raising from .024 ($1,200) up to .06 bitcoins ($3,000).

In August 2021, another variant of the eCh0raix ransomware started infecting Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.

In May 2021, QNAP warned customers of threat actors that are targeting its NAS devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords. Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26, 2021.

Now the experts observed a surge in the number of submissions to the ID Ransomware service and many users reported eCh0raix infections in the BleepingComputer forums.

“Although only a few dozen ech0raix samples have been submitted, the actual number is successful attacks is most likely higher since only some of the victims will use the ID Ransomware service to identify the ransomware that encrypted their devices.” reported BleepingComputer.

Source BleepingComputer

In May, the company issued the alert in response to a new wave of DeadBolt ransomware attacks targeting NAS devices using QTS 4.3.6 and QTS 4.4.1. The Taiwanese vendor asked users to install the latest update on their NAS devices and avoid exposing them on the Internet.

“QNAP® Systems, Inc. recently detected a new attack by the DEADBOLT Ransomware. According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series.” reads the advisory published by the company. “QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.”

Since January, DeadBolt ransomware operators are targeting QNAP NAS devices worldwide, its operators claim the availability of a zero-day exploit that allows them to encrypt the content of the infected systems.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

Java-based malware targets Minecraft users via fake cheat tools, utilizing the Stargazers Ghost Network distribution-as-a-service…

2 hours ago

Healthcare services company Episource data breach impacts 5.4 Million people

Data breach at Healthcare services company Episource exposes personal and health data of over 5.4…

16 hours ago

Watch out, Veeam fixed a new critical bug in Backup & Replication product

Veeam addressed a new critical flaw in Backup & Replication product that could potentially result…

23 hours ago

U.S. CISA adds Linux Kernel flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel vulnerability to its Known Exploited Vulnerabilities…

1 day ago

News Flodrix botnet targets vulnerable Langflow servers

Attackers exploit CVE-2025-3248 in Langflow servers to deliver Flodrix botnet via downloader scripts, Trend Research…

1 day ago

U.S. CISA adds Apple products, and TP-Link routers flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products, and TP-Link routers flaws to…

2 days ago

This website uses cookies.