Ransomware has become one of the most lucrative ways to monetize computer attacks. They enter computers, encrypt user files and demand a ransom to unlock it. That’s why devices such as NAS, especially intended for backup or a large number of files that want to be preserved, are a new and attractive goal.
QNAP NAS devices have become the attractive target of a new ransomware called eCh0raix.
Anomali’s computer security researchers have been the discoverers of a new ransomware family, dubbed eCh0raix, which targets QNAP NAS connected to the network. As explained, the infection encrypts the file extensions present in the storage devices using AES encryption, adds the extension .encrypt to the files that are blocked and finally shows a ransom note.
Brute Force and Vulnerabilities
According to the research, eCh0raix emerged last June. Attackers access the NAS of QNAP, a company that has had to face several vulnerabilities in recent years, through unsafe ports and the use of brute force when it comes to circumvent security measures and find out more access credentials weak.
The rogueware is written and compiled in the Go programming language and is very simple: its source code has less than 400 lines. The note that is shown to those affected is the following (originally in English and with misprints, which makes researchers suspect that its creators are not English speakers):
“All your data has been blocked (encrypted)
How to unlock (decrypt) the instruction located on this TOR website:
http://sg3dwqfpnr4sl5hh.onion/order/[bitcoin address]Use the TOR browser to access the sites .onion website
DO NOT delete this file and DO NOT delete the last line of this file! [Base64 encoded encrypted data] “
The main recommendation for the users of the QNAP NAS in particular, and of this type of device in general, is that they keep them isolated by preventing external access to it as much as possible.
Nor should we forget the need to keep them up-to-date with robust log- in credentials in order to make brute-force attacks more complicated. All precautions, we know, are few.