eCh0raix Ransomware Targeting QNAP Devices
The newly discovered ransomware family targets the QNAP network attached storage (NAS) devices. This malicious program, known by security researcher Anomali as eCh0raix (identified by Trend Micro as Ransom.Linux.ECHORAIX.A), was developed for ransomware attacks similar to those of Ryuk or LockerGoga.
A NAS device that is connected to a network acting as file storage and backup system or located in a central location where users can easily access the data. They are a measurable and cost-effective solution for many businesses.
How eCh0raix’s works
eCh0raix is written in Go/Golang, a programming language increasingly used to develop malware. This ransomware- Ch0raix determine the location of the NAS devices by performing language checks and cancels out if it is located in some Commonwealth countries such as Ukraine, Belarus, and Russia. eCh0raix encrypts documents and text files, PDF files, files, and databases as well as multimedia files.
The ransomware demands a ransom of 0.05 – 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted in Tor, in exchange for the necessary decrypt key. Bleeping Computer has reported that the decryptors seem to be available for Windows and macOS. Affected QNAP NAS devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.
Ransomware demands 0.05 to 0.06 bitcoin, which are paid via Tor-hosted Web sites in exchange for the required decryption key. Decrypters for Windows and macOS seem to be available, according to BleepingComputer.
Experts have not been able to know the exact infection vector, but the message on the Bleeping Computer forum reads that infected NAS devices do not have the latest patches, with weak passwords. It is believed that people behind eCh0raix used brute-force to exploit the vulnerabilities of their specific NAS devices. The researchers also discovered that eCh0raix, unlike the normal ransomware is designed for targeted attacks. For example, in the offline version of eCh0raix, a coded encryption key for a particular purpose is embedded and the decryption key is uniquely assigned to each key.
Targeted ransomware attack
eCh0raix is not the first family of ransomware to target NAS devices, but a threat for file encryption designed specifically for this purpose. Although ransomware activities decreased in 2019, they targeted ransomware attacks was very much in the news. For example, with LockerGoga, Norsk Hydro lost about $ 40 million, while Ryuk was used to block the press activity in the United States. Ransomware also suspended some government services in Baltimore following an alleged attack costing them $ 18.2 million.
Many threats use insecure systems. In the case of eCh0raix, these are weak password or vulnerabilities. For example, Anomali researchers discovered that their Internet analytics in the United States had generated more than 19,000 QNAP NAS devices with direct access to the Internet. NAS devices are generally not protected by anti-malware solutions, making them highly vulnerable.
Backup NAS devices
QNAP Systems, the NAS device manufacturer targeted by eCh0raix, has issued recommendations for the prevention of ransomware software, such as, enabling the QNAP snapshot feature that can backup and restore files. To further reduce the number of attacks on NAS devices, users and businesses must apply best practices, including:
- Update the NAS device firmware to fix exploitable vulnerabilities, and change the default credentials or add the authentication and authorization mechanism to access the NAS device.
- Make sure other systems or devices, including routers connected to or integrated with NAS devices, are also updated.
- Minimal Privilege Policy Compliance: Enable features or components only when necessary or use a VPN to access NAS devices over the Internet.
- Enable the built-in security features of NAS devices. For example, protecting access to the QNAP network helps to prevent brute force attacks or similar disruptions.
Julia Sowells946 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.