
Published on July 10th, 2019 📆 | 7304 Views ⚑


New eCh0raix ransomware now hitting QNAP NAS drives



Anomali has identified a new ransomware variant that is
targeting network attached storage (NAS) devices made by QNAP Systems.

The ransomware, dubbed eCh0raix after a line in the code,
was first spotted in June when a discussion regarding it appeared in Bleeping
Computer's forums. At this point it is not widespread and, for unknown
reasons, only targets QNAP Systems NAS devices, the Anomali Threat Research Team
told DigitalMunition. However, why such NAS devices are being targeted is not a
mystery.

“Usually these devices are used to store backups and important files, which makes them a lucrative target for ransomware,” Anomali said.

Anomali stressed that there is nothing wrong with the security on QNAP devices, but those with weaker login credentials are susceptible.

The researchers said the threat actor appears to be scanning
the internet for QNAP devices and then compromising those set up with weak
passwords. The number of potentially vulnerable QNAP NAS drives is not known,
Anomali said, adding that the researchers have found samples compiled for ARM and
Intel x86, which leads them to believe it is present in both enterprise and home
devices.

The malware gains entry by brute forcing the device's login
credentials and then exploiting previously known vulnerabilities, Anomali
researchers wrote. Once inside a device, it kills nine processes, then checks
whether the files have already been encrypted; if not, it changes the file extensions
to .encrypt and uses AES encryption to make the files inaccessible.

At this point the ransom note is posted:

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website:
http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!

[base64 encoded encrypted data]

The ransomware code itself is very simple, containing just
400 lines and written in the Go programming language.

The ransomware reaches out to the URL
http://192.99.206[.]61/d.php?s=started and then tells the command and control
server sg3dwqfpnr4sl5hh[.]onion, via a SOCKS5 Tor proxy at 192.99.206[.]61:65000,
that it is up and running.
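The host-side artifacts described above (the .encrypt extension and the ransom note's first line) and the network indicators in this paragraph (the d.php beacon and the SOCKS5 proxy port on 192.99.206.61) give a defender two simple checks. The following added example, which is not part of the original article or of Anomali's research, runs both: it matches constructed egress log lines in a made-up "ts host src -> dst:port request" format against the C2 indicators, and it scans a constructed share for .encrypt files and ransom notes (the note's filename is an assumption; only its first line is known from the article).

```python
import re
import tempfile
from pathlib import Path

C2_HOST = "192.99.206.61"           # beacon host and Tor proxy address, from the article (defanged there)
BEACON_PATH = "/d.php?s=started"    # startup beacon URL path
TOR_PROXY_PORT = 65000              # SOCKS5 Tor proxy port
ENCRYPTED_EXT = ".encrypt"          # extension the malware gives encrypted files
NOTE_MARKER = "All your data has been locked(crypted)."  # first line of the ransom note
# Constructed egress log in a hypothetical "ts host src -> dst:port request" format.
SAMPLE_LOG = """\
2019-07-01T10:00:01 nas01 10.0.0.5 -> 93.184.216.34:443 GET /index.html
2019-07-01T10:02:11 nas01 10.0.0.5 -> 192.99.206.61:80 GET /d.php?s=started
2019-07-01T10:02:12 nas01 10.0.0.5 -> 192.99.206.61:65000 CONNECT sg3dwqfpnr4sl5hh.onion:80"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+ -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<req>.*)$")

def find_c2_beacons(log_text):
    # Returns (timestamp, host, reason) for every line that matches a C2 indicator.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] != C2_HOST:
            continue
        if BEACON_PATH in m["req"]:
            hits.append((m["ts"], m["host"], "startup beacon to d.php"))
        elif int(m["port"]) == TOR_PROXY_PORT:
            hits.append((m["ts"], m["host"], "connection to SOCKS5 Tor proxy port"))
    return hits

def scan_share(root, max_note_bytes=4096):
    # Counts .encrypt files and finds ransom notes: small files whose first line is NOTE_MARKER.
    encrypted, notes = 0, []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        if p.suffix == ENCRYPTED_EXT:
            encrypted += 1
        elif p.stat().st_size <= max_note_bytes:
            first = p.read_text(errors="replace").partition("\n")[0]
            if first.strip() == NOTE_MARKER:
                notes.append(p.name)
    return {"encrypted_files": encrypted, "ransom_notes": sorted(notes)}

def run_demo():
    # Builds a constructed share in a temp dir (the note's filename is made up) and scans it.
    with tempfile.TemporaryDirectory() as d:
        share = Path(d, "Public")
        share.mkdir()
        (share / "report.docx.encrypt").write_bytes(b"\x00" * 64)
        (share / "photos.zip.encrypt").write_bytes(b"\x00" * 64)
        (share / "README_FOR_DECRYPT.txt").write_text(NOTE_MARKER + "\nUse TOR browser ...\nQUJD\n")
        return scan_share(share), find_c2_beacons(SAMPLE_LOG)
```

Point scan_share at a real share mount to inventory damage after an incident; the beacon check needs the log format adapted to whatever egress logging the NAS or perimeter firewall actually produces.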
