New ransomware strain dubbed ‘eCh0raix’ targets QNAP NAS devices

• The QNAP NAP devices are compromised by brute-forcing weak credentials and exploiting known vulnerabilities.
• The impacted devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.

Researchers from Anomali uncovered a new ransomware strain dubbed ‘eCh0raix’ that targets QNAP Network Attached Storage (NAS) devices used for backups and file storage.

What is eCh0raix?

• This ransomware is written in Go language and is used to infect and encrypt documents on QNAP NAS devices.
• The QNAP NAP devices are compromised by brute-forcing weak credentials and exploiting known vulnerabilities.
• The impacted devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.

Researchers analyzed the eCh0raix samples and noted that it uses the hardcoded public key, with a unique key for each target. The ransomware’s C&C server is located on Tor, however, it does not contain any Tor client to connect to it. Instead, the ransomware uses a SOCKS5 proxy that connects in order to communicate with the C&C server. The ransomware operators also created an API that can be used to query for various information.

How does the ransomware work?

• Once the QNAP NAS device is compromised and eCh0raix is executed, the ransomware will perform language checks to ensure that the device is from certain CIS countries.
• If the device is from Belarus, Ukraine, or Russia, it will not encrypt any files.
• The ransomware will then search for and kill the process such as apache2, httpd, nginx, mysqld, mysqd, and php-fpm, using service stop %s or systemctl stop %s commands.
• eCh0raix is known to encrypt Microsoft Office and OpenOffice documents, PDFs, text files, archives, databases, photos, music, video, and image files using an AES in Cipher Feedback Mode (CFB) secret key created from an AES-256 key generated locally.
• This AES key is then encrypted with the downloaded or embedded public RSA key and stored in base64 format in the ransom note.
• Upon encryption, the ransomware will append the .encrypt extension to the encrypted file's name.

Worth noting

When selecting files to encrypt, the ransomware skips any files where the absolute path for the file contain any of the following strings: '/proc', '/boot/', '/sys/', '/run/', '/dev/', '/etc/', '/home/httpd', '/mnt/ext/opt', '.system/thumbnail', '.system/opt', '.config', and '.qpkg'.

Therefore, it essentially skips all the system files and focuses on the user's files.

What does the ransom note say?

The ransomware creates a ransom note named ‘README_FOR_DECRYPT.txt’. The ransom note includes a link to a Tor site, an associated bitcoin address, and the users encrypted private encryption key. Once the users go to the Tor payment site, they will be shown a bitcoin address and the ransom amount to be paid. The Tor site will notify users once it receives the payment, after which users can download the decryptor.

“All your data has been locked(crypted).

How to unclock(decrypt) instruction located in this TOR website: http[:]//sg3dwqfpnr4sl5hh[.]onion/order/[Bitcoin address]

Use TOR browser for access .onion websites.
https[:]//duckduckgo[.]com/html?q=tor+browser+how+to

Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data],” the ransom note read, Anomali researchers reported.