New Ransomware named eCh0raix Targets QNAP NAS Devices


Security researchers have discovered a new ransomware named eCh0raix targeting QNAP NAS (Network Attached Storage) devices.

The new ransomware was discovered by security researchers at Anomali targeting poorly protected or insecure QNAP NAS devices.

The ransomware is written in the Go programming language and contains fewer than 400 lines of source code.

The ransomware compromises the devices either by brute-forcing weak credentials or exploiting known vulnerabilities.

Once a device is infected, the ransomware connects to a command and control server hosted on Tor through a SOCKS5 Tor proxy.
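A SOCKS5 hop to a Tor-hosted server is a useful network indicator, because a NAS has no business proxying to a .onion name. The following added example (not code from the article, from Anomali, or from the malware) parses the client side of captured SOCKS5 flows according to RFC 1928 and reports CONNECT requests whose destination is a .onion name. The source addresses and the .onion name are constructed placeholders.

```python
"""Spot SOCKS5 CONNECT requests to .onion services in captured client traffic.

Added example for this article, not code from the malware or from Anomali.
It implements the greeting and request layout of RFC 1928 and runs on the
constructed sample flows below; addresses and the .onion name are placeholders.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class SocksRequest:
    command: str
    host: str
    port: int

    @property
    def is_onion(self) -> bool:
        return self.host.lower().endswith(".onion")


def split_client_stream(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Split client-to-proxy bytes into (greeting, remainder); None if malformed.
    Greeting layout (RFC 1928 section 3): VER | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        return None
    return data[:2 + nmethods], data[2 + nmethods:]


def parse_socks5_request(data: bytes) -> Optional[SocksRequest]:
    """Parse one SOCKS5 request; None on anything malformed.
    Request layout (RFC 1928 section 4): VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    command = CMD_NAMES.get(data[1])
    if command is None:
        return None
    atyp, pos = data[3], 4
    if atyp == 0x01:                      # IPv4: 4 octets
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == 0x03:                    # domain name: 1-byte length prefix
        if len(data) < pos + 1:
            return None
        length = data[pos]
        pos += 1
        if len(data) < pos + length:
            return None
        try:
            host = data[pos:pos + length].decode("ascii")
        except UnicodeDecodeError:
            return None
        pos += length
    elif atyp == 0x04:                    # IPv6: 16 octets
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])   # port is big-endian
    return SocksRequest(command, host, port)


def onion_connects(flows: List[Tuple[str, bytes]]) -> List[Tuple[str, str, int]]:
    """Return (source, host, port) for each flow whose SOCKS5 CONNECT targets .onion."""
    hits = []
    for source, payload in flows:
        parts = split_client_stream(payload)
        if parts is None:
            continue
        request = parse_socks5_request(parts[1])
        if request and request.command == "CONNECT" and request.is_onion:
            hits.append((source, request.host, request.port))
    return hits


# Constructed sample flows: (source address, client-to-proxy bytes).
ONION_PLACEHOLDER = b"exampleonionaddr.onion"        # placeholder, not a real service
SAMPLE_FLOWS = [
    ("192.168.1.20",                                  # placeholder NAS address
     b"\x05\x01\x00"                                  # greeting: one method, no auth
     + b"\x05\x01\x00\x03" + bytes([len(ONION_PLACEHOLDER)]) + ONION_PLACEHOLDER
     + b"\x00\x50"),                                  # CONNECT <name>:80
    ("192.168.1.31",
     b"\x05\x02\x00\x02"                              # greeting: two methods offered
     + b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbb"),  # CONNECT 10.0.0.5:443
    ("192.168.1.42", b"GET / HTTP/1.1\r\n"),          # not SOCKS at all, ignored
]

if __name__ == "__main__":
    for source, host, port in onion_connects(SAMPLE_FLOWS):
        print(f"{source} -> {host}:{port} via SOCKS5")
```

In practice the flow payloads would come from a capture tool or an IDS stream reassembly; the parser refuses truncated or non-SOCKS data rather than guessing, so a noisy capture only produces fewer hits, never false ones.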

In the next step, the ransomware encrypts files with AES-256 in Cipher Feedback (CFB) mode using a generated secret key, and appends a .encrypted extension to every encrypted file.

While encrypting, it skips any file whose path contains one of the following strings:

  • /proc
  • /boot/
  • /sys/
  • /run/
  • /dev/
  • /etc/
  • /home/httpd
  • /mnt/ext/opt
  • .system/thumbnail
  • .system/opt
  • .config
  • .qpkg
[Figure: File types encrypted by eCh0raix]

The ransomware also creates a ransom note named README_FOR_DECRYPT.txt, which contains a link to a Tor site, a bitcoin address, and the user's encrypted private key.
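The skip list above and the two file-level artefacts just described (the .encrypted suffix and the README_FOR_DECRYPT.txt note) are enough to triage a share. The following added example (not code from the article, from Anomali, or from the malware) walks a NAS tree, or an offline copy of one, and sorts every file into encrypted, ransom note, left alone because it sits in a skipped location, or untouched. The sample tree it builds is constructed for illustration; the skip strings, suffix and note name are exactly those the article reports.

```python
"""Triage a NAS tree (or an offline copy of one) for eCh0raix-style artefacts.

Added example for this article, not code from the malware or from Anomali.
It uses only the indicators the article reports: the path strings the
ransomware skips, the .encrypted suffix and the README_FOR_DECRYPT.txt note.
The tree written by build_sample_tree() is constructed for illustration.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Path substrings the article says the ransomware leaves alone.
SKIP_STRINGS = [
    "/proc", "/boot/", "/sys/", "/run/", "/dev/", "/etc/",
    "/home/httpd", "/mnt/ext/opt", ".system/thumbnail", ".system/opt",
    ".config", ".qpkg",
]
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"


def in_skipped_location(device_path: str) -> bool:
    """True if the path, as seen on the device, contains any skip string."""
    return any(s in device_path for s in SKIP_STRINGS)


def triage(root: str) -> Dict[str, List[str]]:
    """Classify every file under root.

    root may be the live device root or the mount point of an image; each
    path is rewritten to start at '/' so the skip strings match the way they
    would on the device itself.
    """
    found: Dict[str, List[str]] = {"encrypted": [], "notes": [], "skipped": [], "untouched": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            device_path = "/" + Path(full).relative_to(root).as_posix()
            if in_skipped_location(device_path):
                found["skipped"].append(device_path)      # out of scope by design
            elif name == RANSOM_NOTE:
                found["notes"].append(device_path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                found["encrypted"].append(device_path)
            else:
                found["untouched"].append(device_path)
    return found


def build_sample_tree(base: str) -> None:
    """Write a constructed, partially 'encrypted' share layout under base."""
    files = {
        "share/photos/holiday.jpg.encrypted": b"\x00" * 16,   # stand-in ciphertext
        "share/photos/README_FOR_DECRYPT.txt": b"constructed ransom note text",
        "share/docs/notes.txt": b"plain text, not yet touched",
        "etc/config/settings.conf": b"in a skipped location: /etc/",
        "mnt/ext/opt/tool.bin": b"in a skipped location: /mnt/ext/opt",
    }
    for rel, content in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> Dict[str, int]:
    """Build the sample tree in a temp dir, triage it and return per-category counts."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        found = triage(base)
    return {category: len(paths) for category, paths in found.items()}


if __name__ == "__main__":
    print(run_demo())
```

Pointing triage() at a read-only mount of the affected volume gives a responder the blast radius (how many files carry the suffix, where the notes landed) without touching the evidence; the "skipped" bucket is worth reviewing separately, since the system directories the ransomware avoids are exactly where a persistence mechanism would not show up as an .encrypted file.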

Following the Tor site link leads to a page showing a bitcoin address and the ransom amount to be paid to decrypt the files.

According to the researchers, the attackers demand a ransom of around 0.05-0.06 BTC to decrypt the files.

The researchers also noted that, before encrypting, the ransomware looks for a specific list of processes, including apache2, httpd, nginx, mysqld, mysqd and php-fpm, and attempts to kill them.

During execution, the ransomware also performs a language check: if the infected device is situated in a country such as Belarus, Ukraine, or Russia, it terminates the process and exits without encrypting any files.

For more details, see the full analysis published by the Anomali researchers.
