December 1, 2023

Researchers are warning of a new wave of ech0raix ransomware attacks targeting QNAP Network Attached Storage (NAS) devices, based on sample file submissions to the ID Ransomware platform.

The ransomware, known as QNAPCrypt and eCh0raix, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends the .encrypt extension to the filenames of encrypted files.

The ransomware has been active since 2019. The last wave of ech0raix attacks was discovered in December 2021; at the time, ransomware operators were demanding a ransom ranging from .024 ($1,200) up to .06 bitcoins ($3,000).


In August 2021, another variant of the eCh0raix ransomware started infecting Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.

In May 2021, QNAP warned customers of threat actors that are targeting its NAS devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords. Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26, 2021.

Though a few dozen ech0raix samples have been submitted, the actual number of successful attacks is most likely higher, since only some of the victims will use the ID Ransomware service to identify the ransomware that encrypted their devices.

In May, the company issued the alert in response to a new wave of DeadBolt ransomware attacks targeting NAS devices using QTS 4.3.6 and QTS 4.4.1. The Taiwanese vendor asked users to install the latest update on their NAS devices and avoid exposing them on the Internet.


Since January, DeadBolt ransomware operators have been targeting QNAP NAS devices worldwide. The operators claim to have a zero-day exploit available that allows them to encrypt the content of the infected systems.
