QNAP NAS (Network-Attached Storage) device users are reporting that their systems are being attacked via eCh0raix ransomware, aka QNAPCrypt. Around a week before Christmas, threat actors behind this malware ramped up their activities, gaining control of systems with administrator privileges.
Many users of QNAP and Synology NAS systems have been experiencing eCh0raix ransomware attacks regularly, but more of them began reporting incidents around December 20. The ID Ransomware service, which started receiving entries on December 19 and peaked on December 26, confirms a rise in cyberattacks.
At this time, the initial infection vector is unknown. Some users admit to being careless and not properly securing the device (for example, exposing it to the internet over an unsecured connection); others allege that the attackers used a flaw in QNAP’s Photo Station to cause mayhem.
Regardless of the attack path, the eCh0raix ransomware attacker appears to create a user in the administrator group, which enables them to encrypt all files on the NAS system. The malware encrypted photographs and documents, according to QNAP customers, some of whom were using the NAS system for business purposes.
Apart from the increase in the number of attacks, this campaign is notable for the actor’s mistyping of the ransom note’s extension, which was changed to “.TXTT”. While this does not prevent victims from seeing the instructions, it does mean that they will have to tell their operating system to open the file with certain software (e.g., Notepad) or load it into that program.
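The two indicators described above (an unexpected account in the administrator group and ransom notes with the “.TXTT” extension) can be checked for with a short script. This is an added example, not code from QNAP or from the original article; the group name `administrators`, the `/etc/group`-style input, the allowlist and all sample data are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the admin group is named "administrators" and group data uses
# the /etc/group layout (name:password:gid:member1,member2).
ADMIN_GROUP = "administrators"

# Constructed sample data, not taken from a real device.
SAMPLE_GROUP = (
    "administrators:x:0:admin,alice,svc_tmp01\n"
    "everyone:x:100:admin,alice,bob\n"
)


def unexpected_admins(group_text, allowlist, group=ADMIN_GROUP):
    """Return admin-group members that are not on the approved allowlist."""
    extra = set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0] != group:
            continue
        members = {m.strip() for m in fields[3].split(",") if m.strip()}
        extra |= members - set(allowlist)
    return sorted(extra)


def find_txtt_notes(root):
    """Return paths under root whose extension is the mistyped .TXTT."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() == ".txtt":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Run both checks against constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "photos"))
        for rel in ("photos/a.jpg", "photos/NOTE.TXTT", "notes.txt", "x.txtt"):
            open(os.path.join(share, rel), "w").close()
        notes = [os.path.relpath(p, share) for p in find_txtt_notes(share)]
    return unexpected_admins(SAMPLE_GROUP, {"admin", "alice"}), notes


if __name__ == "__main__":
    print(demo())
```

On a real system, pass the contents of the device's group file and the path of a shared folder instead of the constructed inputs, and keep the allowlist under change control so a new administrator account stands out.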
eCh0raix ransomware demanded between 0.024 ($1,200) and 0.06 bitcoins ($3,000) in recent attacks. Some users had no backup options and were forced to pay the threat actor to recover their files.
It’s worth noting that files encrypted with a previous version of the eCh0raix ransomware (before July 17th, 2019) can be decrypted for free. However, there is no free way to decrypt data encrypted by the current malware variants (versions 1.0.5 and 1.0.6).
eCh0raix/QNAPCrypt attacks began in June 2019 and have remained a continual threat ever since. QNAP warned its users earlier this year about a new wave of eCh0raix attacks that targeted devices with weak passwords. To ensure the proper safety of their NAS equipment and the data they hold, users must follow QNAP’s recommendations.