Attackers Demand Bitcoin Ransom After Encrypting Data
A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali.
The ransomware is targeting QNAP’s line of enterprise-grade network attached storage devices that are used for file storage and backup because these devices aren’t coupled with anti-virus software, Anomali says in a blog.
The file-locking malware first surfaced in late June, when victims reported ransom demands in a BleepingComputer forum thread. Posters in that thread identified the affected storage devices as the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II and the QNAP TS-253B.
Some of the infected systems were not fully patched, and other victims reported seeing failed login attempts before the infection, according to posts on the BleepingComputer forum as well as the Anomali blog.
QNAP is a Taiwan-based storage company that focuses on network attached storage for file sharing, virtualization and surveillance applications. In the U.S., the company is believed to have 19,000 publicly facing QNAP devices, which could be susceptible to this particular strain of ransomware, the Anomali researchers note.
QNAP could not be immediately reached for comment.
This is the second time this year that malware has been discovered on QNAP’s NAS devices. In February, the company issued a security alert stating that an unknown strain of malware was disabling software updates within its devices, leaving them vulnerable to further attacks.
The new eCh0raix ransomware was written and compiled using the Go programming language, and its source code is composed of a minuscule 400 lines, according to the Anomali research.
The ransomware has been designed to carry out targeted attacks by encrypting files on a network attached storage device using AES encryption and appending the “.encrypt” extension to each encrypted file, Anomali reports.
The eCh0raix ransomware has a low detection rate in anti-virus products, the researchers note.
“It is not common for these devices to run anti-virus products, and currently the samples are only detected by two to three products on VirusTotal, which allows the ransomware to run uninhibited,” the researchers write in their blog.
In addition, the analysis of the hard-coded encryption keys of the malware samples revealed that the same decryptor would not work for all victims, the blog notes.
Those who were attacked were notified that their data was locked and were directed to make a ransom payment in bitcoin and not to meddle or tamper with the code.
Region of Origin?
In addition, the researchers examined the command-and-control server associated with the ransomware and noted that the malware checks the location of the infected NAS devices for IP addresses in Belarus, Ukraine or Russia and will then exit without further incident if a match is found.
“This technique is common amongst threat actors, particularly when they do not wish to infect users in their home country,” according to the Anomali blog.
To protect against these types of attacks, the researchers recommend that organizations restrict external access to QNAP storage devices, ensure the devices are updated with security patches and use strong credentials.
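The failed-login reports from victims and the researchers' advice to restrict external access and use strong credentials both come down to the same control: watching who is authenticating to the NAS and from where. The following is an added example, not code from Anomali or QNAP, that parses constructed auth log lines in a generic syslog-like layout (the format is an assumption; real QNAP logs look different) and raises an alert when one source address accumulates repeated failures inside a short window, and again if that same address later succeeds. The trusted network range 192.168.1.0/24 is also an assumption for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical layout, not real QNAP output).
# 203.0.113.77 hammers the admin account; 192.168.1.20 is an ordinary mistyped password.
SAMPLE_LOG = """\
2019-07-01T02:14:05 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:14:06 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:14:07 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:14:09 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:14:10 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:14:12 nas01 auth: Failed login for user admin from 203.0.113.77
2019-07-01T02:15:00 nas01 auth: Login succeeded for user admin from 203.0.113.77
2019-07-01T08:30:00 nas01 auth: Failed login for user alice from 192.168.1.20
2019-07-01T08:30:30 nas01 auth: Login succeeded for user alice from 192.168.1.20
"""

# Networks from which administrative logins are expected (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>Failed login|Login succeeded) "
    r"for user (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_lines(text):
    """Turn raw log text into a list of auth events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "ok": m["result"] == "Login succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def is_external(ip):
    """True when the source address is outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source IP that reaches `threshold` failures within `window`,
    and again if that IP subsequently logs in successfully (the guess landed)."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({
                    "kind": "brute_force", "ip": ev["ip"], "user": ev["user"],
                    "ts": ev["ts"], "failures": len(q), "external": is_external(ev["ip"]),
                })
        elif ev["ip"] in flagged:
            alerts.append({
                "kind": "success_after_brute_force", "ip": ev["ip"], "user": ev["user"],
                "ts": ev["ts"], "failures": len(q), "external": is_external(ev["ip"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_lines(SAMPLE_LOG)):
        print(alert)
```

The "external" flag on each alert is what ties detection back to the first recommendation: an external address reaching the login threshold is a sign that the NAS is reachable from the internet at all, which is the condition the researchers advise removing. The success-after-failures alert is the one worth paging on, since it is the point at which a weak credential has actually been guessed.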
Ransomware attacks are on the rise, with attackers increasingly targeting government agencies that seem ill-prepared to cope (see: More US Cities Battered by Ransomware).
In several recent cases, including one ransomware attack that hit Lake City, Florida, it appears that these municipal governments did not have adequate backup to help recover once critical files were locked. This resulted in some communities opting to pay a ransom to get the decryption key (see: Second Florida City Pays Up Following Ransomware Attack).