According to user feedback and sample uploads on the ID Ransomware platform, ech0raix ransomware has recently resumed targeting vulnerable QNAP Network Attached Storage (NAS) systems. In the summer of 2019, ech0raix (aka QNAPCrypt) attacked QNAP customers in many large-scale waves, brute-forcing their way into Internet-exposed NAS devices.
Since then, people affected by this ransomware strain have detected and reported many other campaigns, including one in June 2020, another in May 2020, and a huge increase of attacks targeting devices with weak passwords that began in mid-December 2021 (right before Christmas) and gradually faded into early February 2022.
A fresh round of ech0raix attacks has been validated by a rapidly growing number of ID Ransomware entries and individuals claiming to have been harmed in a few forums, with the first attack occurring on June 8. Even though just a few dozen ech0raix samples have been submitted, the real number of successful assaults is likely to be larger because only part of the victims will use the ID Ransomware service to detect the ransomware that locked their devices.
Since August 2021, this ransomware has also been used to encrypt Synology NAS systems. However, victims have only verified attacks on QNAP NAS systems this time. The attack vector employed in this recent ech0raix campaign is unknown until QNAP releases additional information on the attacks.
While QNAP has yet to provide a warning to consumers about these attacks, the business has previously advised users to safeguard their data from eCh0raix attacks by doing the following:
- using stronger passwords for administrator accounts
- enabling IP Access Protection for protecting accounts from brute force attacks
- and preventing the use of default port numbers 443 and 8080
QNAP gives extensive step-by-step instructions for resetting the NAS password, enabling IP Access Protection, and altering the system port number in this security advisory. According to the Taiwanese hardware company, customers should stop Universal Plug and Play (UPnP) port forwarding on their routers to avoid exposing their NAS devices to Internet threats.
You may also stop SSH and Telnet connections and enable IP and account access prevention by following these step-by-step instructions. QNAP also issued a security alert to clients on Thursday, advising them to protect their devices from continuous ransomware attacks using the DeadBolt payload.
“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” said the NAS maker. “QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.”
