QNAP NAS devices targeted in another wave of ransomware attacks

eCh0raix ransomware gang returns with a new wave of attacks against QNAP NAS devices.
Written by Catalin Cimpanu, Contributor

The operators of the eCh0raix ransomware have launched another wave of attacks against QNAP network-attached storage (NAS) devices.

The eCh0raix gang has been active since June 2019, when it deployed the first version of its ransomware. Even after researchers broke that first version's encryption, the group never went away; it shipped a newer version whose encryption security researchers have not been able to crack.

The group's activity slowed down last summer, mainly because of competition from rival ransomware gangs targeting QNAP NAS devices, such as the Muhstik and QSnatch groups, and also from IoT botnet operators.

However, the group has recently come back to life, and the new surge in activity coincides with the publication of a security report detailing three critical vulnerabilities in QNAP devices.

ZDNet covered the three vulnerabilities as part of our cyber-security coverage. Within days of that article, this reporter began receiving support requests from desperate QNAP NAS owners looking for a way to recover files encrypted by a ransomware they could not identify, which turned out to be eCh0raix.

For more than two weeks, we have been redirecting QNAP owners to the Bleeping Computer forum, a PC tech support site and one of the go-to places for ransomware victims looking for technical help.

Since then, we have been monitoring the forum's eCh0raix topic and seeing a steady stream of new victims reporting eCh0raix infections. This week, however, reports exploded.

As the news arm of Bleeping Computer noted today, the eCh0raix gang has stepped up operations since Monday. Besides a new influx of victims reporting encrypted NAS data on its forum, the site also cited statistics from ID-Ransomware, a service that lets users identify which ransomware encrypted their files. ID-Ransomware recorded a spike matching the one on the Bleeping Computer forums.

Image via Bleeping Computer and ID-Ransomware

What QNAP users need to know

Historically, the eCh0raix gang has used both exploits and brute-force attacks: exploits against known vulnerabilities in old, unpatched QNAP devices, and brute-force attacks to guess weak and common admin passwords.
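The brute-force vector described above leaves a trail in the device's own authentication log: a burst of failed logins against the admin account from one source, sometimes followed by a success. The following Python is an added example, not code from the article, from QNAP or from the researchers who analysed eCh0raix. It uses a hypothetical, generic log line format constructed for the example (QNAP's real log format is not reproduced here) and flags any source address that produces repeated failures inside a short sliding window, noting whether that source later logged in successfully, which is the case that should be treated as a likely compromise rather than a mere attempt.

```python
"""Flag brute-force login attempts against a NAS from authentication log lines.

Added illustration; not code from the article or from QNAP. The log format is a
hypothetical, generic one constructed for this example, one event per line:
    <ISO timestamp> <login_ok|login_fail> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>login_ok|login_fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source hammering the admin account until a guess
# succeeds, and one legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2021-06-14T09:00:00 login_fail user=admin src=203.0.113.7
2021-06-14T09:00:01 login_fail user=admin src=203.0.113.7
2021-06-14T09:00:02 login_fail user=admin src=203.0.113.7
2021-06-14T09:00:03 login_fail user=admin src=203.0.113.7
2021-06-14T09:00:04 login_fail user=admin src=203.0.113.7
2021-06-14T09:00:05 login_ok user=admin src=203.0.113.7
2021-06-14T09:10:00 login_fail user=alice src=192.0.2.10
2021-06-14T09:30:00 login_ok user=alice src=192.0.2.10
"""


def parse(lines):
    """Yield (timestamp, result, user, src) for every line matching the format;
    lines that do not match are ignored rather than aborting the scan."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "user": u, "succeeded_after": bool}} for every
    source that produced at least `threshold` failed logins within `window`.
    `succeeded_after` is True when that source later logged in successfully,
    i.e. a password guess most likely worked."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = {}
    for ts, result, user, src in parse(lines):
        if result == "login_fail":
            q = recent[src]
            q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src, {"failures": 0, "user": user, "succeeded_after": False}
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["user"] = user
        elif result == "login_ok" and src in flagged:
            flagged[src]["succeeded_after"] = True
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "LIKELY COMPROMISED" if info["succeeded_after"] else "attempt only"
        print(f"{src}: {info['failures']} failures against '{info['user']}' -> {verdict}")
```

The threshold and window are deliberately loose defaults; a NAS exposed to the internet will typically see far more than five guesses per window, and the legitimate user in the sample stays below it. The important distinction for response is the `succeeded_after` flag: a flagged source that never succeeded calls for blocking and a stronger password, while one that did succeed means the device should be assumed compromised and the encrypted-data recovery question that the rest of this article deals with is already on the table.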

While currently unconfirmed, it is very possible that the eCh0raix gang has incorporated the recently disclosed QNAP vulnerabilities into its attacks, which would explain the sudden spike in activity. The three QNAP vulnerabilities are easy to exploit and automate, and they provide full control over the attacked device.

QNAP NAS owners are strongly advised to update their device firmware and every QNAP app or add-on running on the device.

Similarly, QNAP device owners are also advised to change their device password to something unique and hard to guess.

Instructions on how to do both, and on other security steps, are provided in these QNAP support pages [1, 2]. Together, the two measures close the intrusion vectors the eCh0raix gang is known to use: patching removes the known vulnerabilities its exploits target, and a unique, hard-to-guess password defeats its brute-force attacks.

Files encrypted by current versions of the eCh0raix ransomware cannot be recovered without paying the ransom. The ransom note, a text file the gang leaves on the hacked NAS, contains a link to a dark web portal where payment is demanded.


Paying the ransom, however, is advised against: it only profits the crooks and motivates the gang to continue its attacks, which is exactly why the eCh0raix gang did not give up after its first version was decrypted. The profits were simply too good.

Currently, around half a million QNAP devices are connected to the internet. QNAP devices, by their nature, are meant to be reachable over the network, so taking them offline defeats the purpose of owning one. Reachable does not have to mean directly exposed to the internet, though: the administrative interface can be kept to the local network or reached through a VPN rather than forwarded to the open internet. Owners should look into securing their devices rather than lose sensitive data to an attack.
