This new ransomware is targeting network attached storage devices

NAS devices are often used to store critical data and back-ups - but many are exposed to the open internet and the cybercriminals behind eCh0raix are taking advantage.
Written by Danny Palmer, Senior Writer on

A newly discovered form of ransomware is targeting network storage devices by brute-forcing weak credentials and exploiting known vulnerabilities in their systems.

Dubbed eCh0raix after a string of code, the new form of file-locking malware emerged in June and has been detailed by cybersecurity researchers at Anomali. The ransomware specifically targets QNAP network attached storage (NAS) devices produced by Taiwanese firm QNAP systems, which has offices in 16 countries and customers around the world.

Several vulnerabilities have been discovered in QNAP NAS devices in recent years, although the company has patched them after they've been discovered and disclosed. However, many organisations struggle to apply patches in a timely manner.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The attacks are opportunistic, with the initial infection coming via unsecured, internet-facing ports and the use of brute-force attacks to bypass weak login credentials. NAS devices make appealing targets for cybercriminals dealing in ransomware, because they're used to store critical data and backups – but despite this, the devices don't tend to be equipped with security software.

"Publicly exposed systems and devices expand overall attack surfaces and increase the potential for vulnerabilities to be exposed and exploited," Joakim Kennedy, threat intelligence manager in the Anomali threat research team, told ZDNet.

"Ransomware attacks are going to continue as a way for threat actors to attempt to monetize their efforts and to disrupt operations for other objectives."

Written in the Go programming language and described as very simple – the source code is fewer than 400 lines - eCh0raix checks to see if the files are already encrypted, before reaching out to a command-and-control server to begin the encryption process and create an AES-256 encryption key to lock the files with a .encrypt extension.

Users are presented with a ransom note informing than that all their data has been locked and directing them to a Tor website to make the ransom payment in bitcoin – users are also warned not to tamper with the encrypted data.

Researchers suggest spelling errors in the ransom note indicate that those behind the ransomware aren't native English speakers.

In order to protect NAS devices against ransomware attacks, it's recommended that users restrict external access to them so that they can't be found from the outside internet. It's also recommended that security patches are applied and strong credentials are employed to protect systems from brute-force attacks.


Editorial standards