Anomali has unveiled a new ransomware variant that is targeting network attached storage (NAS) devices made by QNAP Systems.
The ransomware, dubbed eCh0raix after a line in the code, was first spotted in June when a discussion regarding it appeared in Bleeping Computer’s forums. At this point it is not widespread and for reasons and for unknown reasons only targets QNAP Systems NAS devices, the Anomali Threat Research Team told SC Media. However, why such NAS devices are being targeted is not a mystery.
“Usually these devices are used to store backups and important files, which makes them a lucrative target for ransomware,” Anomali said.
Anomali stressed that there is nothing wrong with the security on QNAP devices, but those with weaker login credentials are susceptible.
The researchers said the threat actor appears to be scanning the internet for QNAP devices and then compromises those set up with weak passwords. The number of potentially vulnerable QNAP NAS drives is not known, Anomali said, adding the researchers have found samples compiled for ARM and Intel x86, leading us to believe it is present in both enterprise and home devices.
The malware gains entry by brute forcing the devices login credentials and then exploiting previously known vulnerabilities, Anomali researchers wrote. Once inside a device it kills nine processes then checks to see if the files have already been encrypted, and if not it changes the file extensions to .encrypt and then uses AES encryption to make the file inaccessible.
At this point the ransom note is posted:
All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: https://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data]
The ransomware code itself is very simple, containing just 400 lines and written in the Go programming language.
The ransomware reaches out to the URL https://192.99.206[.]61/d.php?s=started and then tells command and control server sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000 it is up and running.