Security researchers have identified a new ransomware, eCh0raix, that targets QNAP Network Attached Storage (NAS) devices running Linux. The ransomware is designed to infect the device and encrypt the victim's files with AES.
QNAP is a Taiwanese company known for its NAS servers, which are mainly used for multimedia storage and playback. More generally, NAS servers are used to store large volumes of data and files.
The ransomware, named "QNAPCrypt" by Intezer and "eCh0raix" by Anomali, has basic ransomware functionality but differs from typical ransomware families in several respects.
Once the malware is running, it contacts its command and control (C2) server before beginning the encryption process. Prior to encryption, it requests specific information from the C2 server, such as the address of the wallet into which victims are to pay the ransom and an RSA public key.
Communication with the C2 server goes over the Tor network via a SOCKS5 proxy. The data returned by the server is JSON-encoded. The ransomware encrypts each file with an AES-256 key and appends the .encrypt extension to the encrypted files.
Before the encryption process starts, the following services are terminated on infected NAS servers:
eCh0raix encrypts files with the following extensions:
.dat, .db0, .dba, .dbf, .dbm, .dbx, .dcr, .der, .dll, .dml, .dmp, .dng, .doc, .dot, .dwg, .dwk, .dwt, .dxf, .dxg, .ece, .eml, .epk, .eps, .erf, .esm, .ewp, .far, .fdb, .fit, .flv, .fmp, .fos, .fpk, .fsh, .fwp, .gdb, .gho, .gif, .gne, .gpg, .gsp, .gxk, .hdm, .hkx, .htc, .htm, .htx, .hxs, .idc, .idx, .ifx, .iqy, .iso, .itl, .itm, .iwd, .iwi, .jcz, .jpe, .jpg, .jsp, .jss, .jst, .jvs, .jws, .kdb, .kdc, .key, .kit, .ksd, .lbc, .lbf, .lrf, .ltx, .lvl, .fr, .nsf, .ntl, .nv3, .nxg, .nzb, .oam, .odb, .odc, .odm, .odp, .ods, .odt, .ofx, .olp, .orf, .oth, .p4, .p3b, .p2c, .pac, .pak, .pdb, .pdd, .pdf, .pef, .qfx
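As an added illustration (not code from the article or from either research team), the following Python scanner uses two details given above, the .encrypt suffix and the targeted extension list, to size the damage on a share and spot an interrupted run; the sample share it builds is constructed data.

```python
"""Hunt for eCh0raix-style encryption artifacts on a mounted NAS share.

The article states that eCh0raix appends ".encrypt" to every file it encrypts
and targets a long list of extensions (.doc, .pdf, .jpg, ...).  This scanner
walks a directory, flags every "<name>.<ext>.encrypt" file and reports which
original extensions were hit, so an admin can size the damage before a
restore.  The sample share below is constructed data; the scan runs on any path.
"""
import os
import tempfile
from collections import Counter

# Excerpt of the extension list quoted in the article (not exhaustive).
TARGETED_EXTENSIONS = {
    ".dat", ".dbf", ".dll", ".doc", ".dwg", ".eml", ".gif", ".gpg", ".htm",
    ".iso", ".jpg", ".key", ".odp", ".ods", ".odt", ".pdf", ".pef", ".qfx",
}
ENCRYPTED_SUFFIX = ".encrypt"  # appended by the ransomware after encryption


def scan_for_ech0raix(root):
    """Return (encrypted_count, Counter of original extensions, untouched).

    untouched counts files with a targeted extension that were NOT renamed;
    a non-zero value next to encrypted files suggests the run was interrupted
    or is still in progress, so the share should be isolated first.
    """
    encrypted, untouched = 0, 0
    hit_exts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                encrypted += 1
                original = lower[: -len(ENCRYPTED_SUFFIX)]
                hit_exts[os.path.splitext(original)[1]] += 1
            elif os.path.splitext(lower)[1] in TARGETED_EXTENSIONS:
                untouched += 1
    return encrypted, hit_exts, untouched


def build_sample_share():
    """Constructed sample share: two encrypted documents, one untouched .odt."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.doc.encrypt", "docs/scan.pdf.encrypt",
                "docs/notes.odt", "README.txt"):
        open(os.path.join(root, rel), "wb").close()
    return root
```

Run `scan_for_ech0raix("/share")` against a read-only mount of the affected volume; the returned Counter tells you which data classes were hit and the untouched count whether encryption was still running when the device was isolated.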
Ways to protect against eCh0raix ransomware
What should administrators of NAS devices do to protect their systems effectively? Security researchers recommend that admins restrict external access to QNAP NAS devices, use strong passwords, and keep the devices up to date so that they always have the latest security updates.