Pierluigi Paganini July 11, 2019

Malware researchers at two security firms Intezer and Anomali have discovered a new piece of ransomware targeting Network Attached Storage (NAS) devices.

Experts at security firms Intezer and Anomali have separately discovered a new piece of ransomware targeting Network Attached Storage (NAS) devices. NAS servers are a privileged target for hackers because they normally store large amounts of data.

The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems, attackers exploits known vulnerabilities or carry out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

“We have named the ransomware QNAPCrypt, as this is the name the authors have appeared to label the malware. QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom.” reads the analysis published by Intezer. “This malware currently has very low detection rates in all major security solutions. In addition, we can assess with high confidence that this malware was developed by the same authors of Linux.Rex. “

“The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files.” reads the analysis published by Anomali. The ransom note created by the ransomware has the form shown below:”

"All your data has been locked(crypted). ​How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address] Use TOR browser for access .onion websites. https://duckduckgo.com/html?q=tor+browser+how+to Do NOT remove this file and NOT remove last line in this file!" 

[base64 encoded encrypted data]

Like other malware, the malicous code halts the encryptions process if the hacked NAS device is located in Belarus, Ukraine, or Russia.

The good news is that experts discovered a logical weakness in the ransomware code that allowed them to temporarily halt the infections.

When the malware infects a QNAP device, it first connects to its remote command-and-control server (sg3dwqfpnr4sl5hh[.]onion) via a SOCKS5 Tor proxy at 192.99.206[.]61:65000.

The ransomware uses a different Bitcoin wallet per each infected system, the attacker’s C&C server contains a predefined list of already created bitcoin addresses.

The experts noticed that if the server runs out of unique bitcoin addresses, the ransomware halts the encryption process and wait for a new address to be provided by attackers.

“Since the authors behind this ransomware were delivering one Bitcoin wallet per victim from a static pool of already generated wallets, we could replicate the infection packets to retrieve all of the wallets until they had no further wallets under their control.” continues Intezer.”Therefore, when a genuine infection would occur, the ransom client would not be able to retrieve configuration artifacts.”

The experts at Intezer exploited the above process to create a script that allowed them to saturate the attacker’s pool of available bitcoin addresses with hundreds of virtual victims.

The experts were able to collect a total of 1,091 unique wallets ready to be delivered to new victims distributed among 15 different campaigns.

The ransomware before starting the encryption process attempts to kill a specific list of processes, including apache2, httpd, MySQL, mysql, nginx, and PostgreSQL.

Once the ransomware got its unique bitcoin wallet, it will generate a 32-character random string to create an AES-256 secret key that is used to encrypt all the files stored on NAS device. The ransomware uses an AES algorithm in Cipher Feedback Mode (CFB) and removes the original files.

Experts at Anomali speculate that researchers could write a decryptor for the ransomware because the encryption function is not entirely random.

“Malware initializes the math random page with the seed of the current time. Since it is using the math’s package to generate the secret key, it is not cryptographically random, and it is likely possible to write a decryptor,” continues Anomali.
“The threat actor targets QNAP NAS devices that are used for file storage and backups. It is not common for these devices to run antivirus products, and currently, the samples are only detected by 2-3 products on VirusTotal, which allows the ransomware to run uninhibited.”

Additional technical details, including Yara rules and IoCs are reported in the analysis published by both security firms.

Pierluigi Paganini

(SecurityAffairs – NAS ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]