A jump in the number of ransomware eCh0raix attacks on QNAP NAS device systems has been reported by users. The ransomware is also known as QNAPCrypt.
The cybercriminals behind eCh0raix seem to have stepped up their activities a week before Christmas break. They target devices with administrator privileges to take over.
The number of eCh0raix cyber attacks affecting NAS QNAP devices is on the rise
as per BleepingComputer, Began using users of advertising forums that run QNAP and Synology NAS systems Report More eCh0raix attacks around December 20th.
God ID ransom service Also confirms the increased number of cyber attacks between December 19 and December 26.
Some users say they have not kept their devices properly secured, others believe that the vulnerability of QNAP’s Photo Station has allowed attacks on NAS devices to increase. However, at present, the primary infection vector is unclear.
How an eCh0raix Attack Evolves
According to the same publication mentioned above, the threat factors behind eCh0raix ransomware manage to perform file encryption on NAS systems using a user they create in the management group. QNAP users say photos and documents have been encrypted.
Another uniqueness of this malicious campaign lies in the fact that the extension associated with the ransom certificate does not appear to be typed, since the “.TXTT” extension was used. This extension does not affect the display of instructions, however, some users may need to open the ransom note with certain software like Notepad.
BleepingComputer says that in recent cyber attacks, hackers have demanded payments ranging from 024 ($ 1,200) to 0.06 Bitcoin ($ 3,000). Because not every user had a backup solution installed, some had to pay the ransom to get their files back.
Files locked with a version of this ransomware strain before July 17, 2019 have a free decoder available, but for the latest versions of eCh0raix (1.0.5 and 1.0.6), no free decoder has been released at this time.
About eCh0raix ransomware
The ransomware eCh0raix is aimed at NAS devices for a long time and was first spotted in July 2019, operating as a ransomware model as a service.
In May of this year, QNAP released Advice Inform users about the ransomware strain affecting its devices, especially those that have run outdated QTS firmware or have weak passwords.
Then, in August 2021, a new ransom version of eCh0raix was discovered affecting Synology and QNAP devices. This version has exploited vulnerabilities under the so-called CVE CVE-2021-28799, Using a backdoor account to gain access to encrypted credentials using coarse force attacks.
Reduction measures provided by QNAP
QNAP has a Guideline On its website with general measures to improve NAS security. Among these, the company recommends removing unknown or suspicious devices or applications, disabling the automated router, avoiding opening default Internet port numbers and changing passwords for all accounts. Besides, the organization also advises that the installed QTS applications be updated to the latest version. The steps on how to perform these steps to properly maintain QNAP devices are provided in the same post.
If you liked this article, follow us LinkedIn, Twitter, Facebook, YouTube, And Instagram For more news and topics on cyber security.
