New eCh0raix Ransomware Campaign Targets QNAP NAS Devices


This week, QNAP NAS (Network-Attached Storage) device users reported that their systems were targeted by the infamous eCh0raix ransomware, also called QNAPCrypt.

The perpetrators seem to have intensified their activity about a week before Christmas. QNAP and Synology NAS system users reported eCh0raix/QNAPCrypt attacks regularly, but the frequency of the reports spiked around Dec. 20.

Security experts are still unclear on the initial vector of the attack. Some users admit they failed to secure the device properly, while others blame QNAP’s Photo Station vulnerability.

The eCh0raix/QNAPCrypt ransomware reportedly creates a new user in the administrator group, enabling it to encrypt all documents on the NAS device.

According to recent posts in a BleepingComputer forum thread, the threat actor focused on encrypting pictures and documents. Some of the users relied on QNAP NAS devices for business purposes.

Another point that sets this ransomware campaign apart from other eCh0raix attacks is that the perpetrators misspelled the extension of the ransom text document; instead of using the regular TXT extension, the threat actor used TXTT.

The ransom demands ranged from 0.024 BTC to 0.06 BTC (roughly $1,200 – $3,000 at current rates) during recent attacks, including this campaign. Presumably, some QNAP NAS users had to pay the ransom, as they lacked backups and had no other way to recover the encrypted content.

Users with compromised QNAP NAS devices can use a free decryption tool for files locked by older versions of eCh0raix/QNAPCrypt (before July 17, 2019). However, there is currently no free tool to undo the damage done by recent versions of the ransomware (1.0.5 and 1.0.6).

To protect their QNAP NAS device against this ransomware campaign, users are advised to follow QNAP’s recommendations, which include better user management, installing a firewall, and updating apps frequently to their latest version.

Recently, QNAP released a statement warning customers about a NAS bitcoin mining malware that could target their devices. Experts noticed a considerable CPU spike in compromised NAS devices; a process named [oom_reaper] hogged as much as 50% of the total CPU usage.
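As an added example, not code from Bitdefender, QNAP or the ransomware's authors, the POSIX shell script below performs a read-only audit for the three indicators this article mentions: ransom notes dropped with the misspelled .txtt extension, unexpected members of the NAS administrator group, and a process calling itself [oom_reaper] that is either not a genuine kernel thread or is burning CPU. The group name `administrators`, the /etc/group layout, the sample share, group file and process listing are all assumptions constructed inline so that the script runs offline; on a live device you would point the functions at the real share path, group file and the output of `ps -eo pid,ppid,pcpu,args`.

```shell
#!/bin/sh
# Added example (not QNAP's or Bitdefender's code): a read-only audit for the
# indicators described in the article. All sample inputs below are CONSTRUCTED.

# 1. Ransom notes: this campaign dropped its note with a ".txtt" extension
#    instead of ".txt". List every such file under a share, sorted for
#    deterministic output.
find_ransom_notes() {
    find "$1" -type f -name '*.txtt' 2>/dev/null | sort
}

count_ransom_notes() {
    find_ransom_notes "$1" | wc -l | tr -d ' '
}

# 2. Unexpected admin accounts: the ransomware reportedly adds a user to the
#    administrator group. Print members of GROUP in an /etc/group-style file
#    that are not on the comma-separated ALLOWED list.
#    Usage: unexpected_admins GROUP_FILE GROUP ALLOWED
unexpected_admins() {
    awk -F: -v g="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == g {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] != "" && !(members[i] in ok)) print members[i]
        }' "$1"
}

# 3. Miner symptom: a process named "[oom_reaper]" hogging CPU. A real Linux
#    oom_reaper is a kernel thread (child of kthreadd, PID 2) that stays idle,
#    so flag the name only when the parent is not PID 2 or CPU is at/over the
#    threshold. Input: output of "ps -eo pid,ppid,pcpu,args".
#    Usage: hot_oom_reaper PS_FILE CPU_THRESHOLD   -> prints "pid:reason"
hot_oom_reaper() {
    awk -v t="$2" 'NR > 1 && $4 == "[oom_reaper]" {
        reason = ""
        if ($2 != 2) reason = "not a kthreadd child"
        if ($3 + 0 >= t) reason = reason (reason != "" ? "," : "") "cpu>=" t
        if (reason != "") print $1 ":" reason
    }' "$1"
}

# ---- constructed sample data (stands in for a real NAS) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/Photos" "$SAMPLE_DIR/Docs"
printf 'constructed ransom note\n' > "$SAMPLE_DIR/Photos/note.txtt"
printf 'constructed ransom note\n' > "$SAMPLE_DIR/Docs/readme.txtt"
printf 'ordinary file\n'           > "$SAMPLE_DIR/Docs/report.txt"

SAMPLE_GROUP="$SAMPLE_DIR/group"
cat > "$SAMPLE_GROUP" <<'EOF'
administrators:x:0:admin,svc_backup
everyone:x:100:admin,svc_backup,alice
EOF

SAMPLE_PS="$SAMPLE_DIR/ps.txt"
cat > "$SAMPLE_PS" <<'EOF'
  PID  PPID %CPU COMMAND
    2     0  0.0 [kthreadd]
   45     2  0.0 [oom_reaper]
 2231     1 49.8 [oom_reaper]
 2240  2231  0.3 /bin/sh
EOF

# ---- stand-alone run: print the findings ----
echo "ransom notes (.txtt):";                    find_ransom_notes "$SAMPLE_DIR"
echo "unexpected members of administrators:";    unexpected_admins "$SAMPLE_GROUP" administrators admin
echo "suspicious [oom_reaper] processes:";       hot_oom_reaper "$SAMPLE_PS" 20
```

On the constructed data the script lists the two .txtt files, flags `svc_backup` as an administrator not on the allow-list, and reports PID 2231 because its parent is not kthreadd and it is using nearly half the CPU, while the genuine idle kernel thread (PID 45) is left alone. The parent-PID check is what separates a masquerading user process from the real kernel thread; the CPU threshold alone would miss a miner that throttles itself.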