May 28, 2023

After remaining relatively quiet over the past few months, the threat actors behind the eCh0raix Ransomware have launched a brand new campaign targeting QNAP storage devices.

eCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer.

On June 1st, 2020, there was a sudden surge of eCh0raix victims seeking help in our forums and of submissions to the ransomware identification site ID-Ransomware.

The threat actors are gaining access to QNAP devices through known vulnerabilities or by brute-forcing weak passwords used on the device.

Once the attackers gain access, they install the ransomware, which encrypts the files stored on the device and appends the .encrypt extension to the file name.

When done, the victim is left with a ransom note named README_FOR_DECRYPT.txt that contains a link to a Tor payment site. This site then demands approximately $500 for a decryptor.
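The two artifacts described above (the .encrypt suffix and the README_FOR_DECRYPT.txt note) make a quick triage check easy to script. The following is an added example, not code from this article or from QNAP; it assumes a plain file listing exported from the NAS (for instance `find /share -type f` output) and runs on a constructed sample.

```python
"""Triage helper: spot eCh0raix-style encryption artifacts in a file listing."""
from collections import Counter
from pathlib import PurePosixPath

ENCRYPTED_SUFFIX = ".encrypt"           # extension eCh0raix appends to encrypted files
RANSOM_NOTE = "README_FOR_DECRYPT.txt"  # ransom note dropped on the device


def triage_listing(paths):
    """Summarise a list of file paths (strings) for signs of eCh0raix activity.

    Counts files carrying the .encrypt suffix per directory and records where
    the ransom note was dropped. It is a pure function over an exported listing,
    so it never has to run on the NAS itself.
    """
    encrypted_per_dir = Counter()
    note_dirs = []
    for raw in paths:
        p = PurePosixPath(raw.strip())
        if not p.name:                      # skip blank lines in the listing
            continue
        if p.name == RANSOM_NOTE:
            note_dirs.append(str(p.parent))
        elif p.name.endswith(ENCRYPTED_SUFFIX):
            encrypted_per_dir[str(p.parent)] += 1
    return {
        "encrypted_files": sum(encrypted_per_dir.values()),
        "affected_dirs": dict(encrypted_per_dir),
        "ransom_note_dirs": note_dirs,
        "likely_infected": bool(encrypted_per_dir) or bool(note_dirs),
    }


# Constructed sample listing (not real data) resembling `find` output from a
# share where two folders were hit and one backup folder was left untouched.
SAMPLE_LISTING = [
    "/share/Public/photos/img_001.jpg.encrypt",
    "/share/Public/photos/img_002.jpg.encrypt",
    "/share/Public/README_FOR_DECRYPT.txt",
    "/share/Public/docs/report.docx.encrypt",
    "/share/Backups/2023-05/archive.tar",
    "",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

Feed it the listing line by line (`triage_listing(open("listing.txt"))`) to get per-directory counts before restoring from snapshots.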

One victim reported finding strangely named QNAP apps in their device’s AppCenter after being encrypted.

It is unknown if these are malicious packages installed by the threat actors or custom-loaded packages that were encrypted and are no longer being read correctly.

While a decryptor was released by security expert BloodDolly to decrypt previous versions for free, the ransomware developer has since fixed the weakness in its code.

There is currently no way to recover files for free unless you have enabled QNAP’s Snapshot service.

If you have enabled QNAP’s block-based snapshot feature in the past, you can use the snapshots to recover your data.

What should QNAP NAS owners do to protect themselves?

1. Update QTS to the latest version. Install and update Security Counselor to the latest version.
2. Use a stronger admin password.
3. Enable Network Access Protection to protect accounts from brute force attacks.
4. Disable SSH and Telnet services if you are not using them.
5. Avoid using default port numbers 443 and 8080.
6. Enable QNAP's snapshot service.

To add to QNAP's advisory, do not connect your NAS device to the Internet.

