Ch0raix Ransomware Can Now Encrypt Both QNAP and Synology NAS Devices

Ch0raix Ransomware Can Now Encrypt Both QNAP and Synology NAS Devices

A new variant of the e0Chraix ransomware is used by attackers to encrypt QNAP and Synology NAS devices.

e0Chraix (aka QNAPCrypt) is a ransomware strain that first surfaced in June 2016. The ransomware attack on QNAP NAS devices was reported in multiple waves, the two biggest occurred in June 2019 and in June 2020.

eCh0raix also encrypted Synology devices in 2019. At the time, the company did not name the ransomware operation behind the attacks, but only warned its customers about a massive ransomware campaign.

While e0Chraix has targeted QNAP and Synology in the past separately, Palo Alto Networks’Unit42 reported today eCh0raix now has the functionality to encrypt both QNAP and Synology and has been doing so since September 2020.

“Before then, the attackers likely had separate codebases for campaigns targeting devices from each of the vendors,” Unit 42 said.

They also revealed that the operators of the ransomware campaign exploited CVE-2021-28799 vulnerability, the same flaw that was exploited in April in a Qlocker campaign.

Last week, Synology warned about the StealthWorker botnet that was targeting their data in ongoing brute-force attacks that could lead to ransomware infections. Even though it didn’t directly link it to eCh0raix ransomware, these devices are in high risk, as Unit 42’s report suggests.

There are at least 250,000 NAS and QNAP devices that are exposed to the Internet, according to Palo Alto Networks’ Cortex Xpanse platform.

Unit 42 researchers have released a list of best practices to be used to prevent ransomware attacks targeting QNAP and Synology NAS devices. They recommend updating device firmware, using complex login passwords to make brute-forcing more difficult, and using a hard-coded list of IP addresses to prevent unauthorized connections.

“We’re releasing our findings about this new variant of eCh0raix to raise awareness of the ongoing threats to the SOHO and small business sectors,” Unit 42 added.

“SOHO users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use SOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms.”

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.