eCh0raix Ransomware Targeting QNAP Devices

How eCh0raix’s works

eCh0raix is written in Go/Golang, a programming language increasingly used to develop malware. This ransomware- Ch0raix determine the location of the NAS devices by performing language checks and cancels out if it is located in some Commonwealth countries such as Ukraine, Belarus, and Russia. eCh0raix encrypts documents and text files, PDF files, files, and databases as well as multimedia files. It is important to know everything about ransomware removal and best ransomware Protection and how to stop ransomware.

The ransomware demands a ransom of 0.05 – 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted in Tor, in exchange for the necessary decrypt key. Bleeping Computer has reported that the decryptors seem to be available for Windows and macOS. Affected QNAP NAS devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.

Ransomware demands 0.05 to 0.06 bitcoin, which are paid via Tor-hosted Web sites in exchange for the required decryption key. Decrypters for Windows and macOS seem to be available, according to BleepingComputer.

Experts have not been able to know the exact infection vector, but the message on the Bleeping Computer forum reads that infected NAS devices do not have the latest patches, with weak passwords. It is believed that people behind eCh0raix used brute-force to exploit the vulnerabilities of their specific NAS devices. The researchers also discovered that eCh0raix, unlike the normal ransomware is designed for targeted attacks. For example, in the offline version of eCh0raix, a coded encryption key for a particular purpose is embedded and the decryption key is uniquely assigned to each key.

Targeted ransomware attack

eCh0raix is not the first family of ransomware to target NAS devices, but a threat for file encryption designed specifically for this purpose. Although ransomware activities decreased in 2019, they targeted ransomware attacks was very much in the news. For example, with LockerGoga, Norsk Hydro lost about $ 40 million, while Ryuk was used to block the press activity in the United States. Ransomware also suspended some government services in Baltimore following an alleged attack costing them $ 18.2 million.

Many threats use insecure systems. In the case of eCh0raix, these are weak password or vulnerabilities. For example, Anomali researchers discovered that their Internet analytics in the United States had generated more than 19,000 QNAP NAS devices with direct access to the Internet. NAS devices are generally not protected by anti-malware solutions, making them highly vulnerable.

Backup NAS devices

QNAP Systems, the NAS device manufacturer targeted by eCh0raix, has issued recommendations for the prevention of ransomware software, such as, enabling the QNAP snapshot feature that can backup and restore files. To further reduce the number of attacks on NAS devices, users and businesses must apply best practices, including:

Update the NAS device firmware to fix exploitable vulnerabilities, and change the default credentials or add the authentication and authorization mechanism to access the NAS device.

Make sure other systems or devices, including routers connected to or integrated with NAS devices, are also updated.

Minimal Privilege Policy Compliance: Enable features or components only when necessary or use a VPN to access NAS devices over the Internet.

Enable the built-in security features of NAS devices. For example, protecting access to the QNAP network helps to prevent brute force attacks or similar disruptions.

Also, Read:

TrickBot’s “TrickBooster” Update Compromised 250M Emails

July 15, 2019
0

eCh0raix Ransomware Targeting QNAP Devices

How eCh0raix’s works

Targeted ransomware attack

Backup NAS devices

Google’s Leaked Recordings Violates Data Security Policies

TrickBot’s “TrickBooster” Update Compromised 250M Emails

Leave a Comment Cancel reply