The security firm Intezer reported that it had shut down 15 active ransomware campaigns using the eCh0raix, or QNAPCrypt, ransomware variant by means of a denial-of-service attack.
Intezer's DoS operation (the company identifies the malware as QNAPCrypt, while Anomali dubbed it eCh0raix) was a bit different from a normal DoS attack. Instead of bombarding the malicious actors' infrastructure with traffic, the company essentially used up all the pre-made bitcoin wallets created for the campaigns, so the attackers could no longer use them to accept ransom payments from victims.
Intezer was able to smoke out the repository of bitcoin wallets by writing a script that simulated QNAPCrypt ransomware victims, fooling the attackers into believing they had a treasure trove of potential ransom payers. This allowed the company to see how the bad guys went about creating the bitcoin wallets that would receive the ransoms.
This enabled the company to find two basic flaws. First, the bitcoin wallets used by the attackers came from a pre-made static list: only a set number of wallets was available, and one wallet was handed out each time a computer was infected. This meant that once the pre-made wallets were fully distributed, the attack could no longer proceed.
“After simulating the infection of more than 1,091 victims from 15 different campaigns, we encountered that the attackers ran out of unique Bitcoin wallets to supply to their victims. As a result, any future infection will be unsuccessful and the authors behind this malware were forced to update their implants in order to circumvent this design flaw in their infrastructure to continue with their malicious operations,” Intezer said.
However, the success of the DoS campaign resulted in the cybercriminals revamping their malware to harden it against future intervention by an outside party.
The Intezer and Check Point reports on this ransomware reached similar findings: it attacks only QNAP-made network-attached storage devices, and those in quite small numbers, with builds targeting both ARM and x86 processor variants.