eCh0raix Ransomware Found Targeting QNAP Network-Attached Storage Devices

A newly uncovered ransomware family was found targeting QNAP network-attached storage (NAS) devices. Named eCh0raix (detected by Trend Micro as Ransom.Linux.ECHORAIX.A) by security researchers at Anomali, the malware was reportedly designed for targeted ransomware attacks similar to how Ryuk or LockerGoga were used. 

NAS devices are network-connected computer appliances serving as file storage and backup systems, or central locations from which users can readily access data. They are a low-cost and scalable solution for many organizations, over 80% of which are estimated to use them. 

[READ: Narrowed Sights, Bigger Payoffs: Ransomware in 2019]

eCh0raix’s Routines

eCh0raix is written in Go/Golang, a programming language increasingly abused to develop malware. eCh0raix performs language checks to determine an affected NAS device’s location, and terminates itself if it is in certain countries in the Commonwealth of Independent States (CIS) like Belarus, Ukraine, and Russia. eCh0raix encrypts documents and text files, PDFs, archives and databases, and multimedia files among others. 

The ransomware demands a ransom of 0.05 – 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted in Tor, in exchange for the necessary decrypt key. BleepingComputer has reported that the decryptors seem to be available for Windows and macOS. Affected QNAP NAS devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B. 

While the exact infection vector is still unclear as of this writing, forum posts in BleepingComputer noted that the infected NAS devices do not have the latest patches and protected by weak passwords. This indicates that eCh0raix’s operators could be brute-forcing or exploiting vulnerabilities in their targeted NAS devices. The researchers also noted that eCh0raix, unlike typical ransomware families, appears to be designed for targeted attacks. For instance, eCh0raix’s offline version is embedded with hardcoded encryption keys compiled for specific targets, and unique decryption keys are associated with each. 

[RELATED NEWS: MegaCortex ransomware spotted attacking enterprise networks] 

Targeted Ransomware Attacks

eCh0raix is not the first ransomware family to target NAS devices, but is among the few, purpose-built, file-encrypting threats that have emerged this year. While 2019 has seen a decline in ransomware-related activities, they were overshadowed by incidents of targeted ransomware attacks. LockerGoga, for instance, cost Norsk Hydro an estimated US$40 million in financial losses, while Ryuk was used to hamper the operations of newspapers in the U.S. Ransomware also suspended several government services in Baltimore in an attack that reportedly cost the city $18.2 million.

Many threats take advantage of poorly secured systems. In eCh0raix’s case, they were weak credentials or vulnerabilities. Researchers at Anomali, for instance, noted that their internet scan resulted in more than 19,000 web-facing and publicly accessible QNAP NAS devices in the U.S. NAS devices aren’t usually safeguarded with anti-malware solutions, which makes them especially susceptible — and an easy target for cybercriminals. 

[Best Practices: Defending Against Ransomware]

Securing NAS Devices

QNAP Systems, the manufacturer of the NAS devices targeted by eCh0raix, has published recommendations on ransomware mitigation, such as enabling QNAP’s snapshot feature, which can help in backing up and restoring files. To further reduce the NAS device’s attack surface, users and businesses are recommended to adopt best practices including:

  • Changing default credentials or considering adding authentication and authorization mechanisms used to access NAS devices
  • Updating the NAS device's firmware to patch exploitable vulnerabilities
  • Ensuring that other systems or devices — particularly routers, which are connected to or built into NAS devices — are also updated
  • Enforcing the principle of least privilege: enable features or components only when necessary (e.g., opening a port on the router) or use a VPN when accessing NAS devices over the internet
  • Enabling the NAS device’s built-in security features; QNAP’s network access protection, for instance, helps thwart brute-force attacks or similar intrusions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.