eCh0raix ransomware gang returns with new campaign targeting QNAP NAS devices

 


Malicious actors behind the eCh0raix ransomware have launched a new campaign aimed at infecting QNAP storage devices. The ransomware targets vulnerable NAS servers manufactured by Taiwan-based QNAP Systems, either by exploiting known vulnerabilities or by using brute-force attacks.

The eCh0raix group first appeared on the threat landscape in June last year, when it launched attacks against QNAP NAS devices using the first version of its malware. Since last summer the group has not been very active, but at the beginning of June Bleeping Computer observed a surge in the number of victims reporting eCh0raix infections in its forums.

Recently, QNAP issued an advisory describing three vulnerabilities (CVE-2018-19943, CVE-2018-19949, and CVE-2018-19953) that could be exploited by attackers to remotely inject malicious code or run arbitrary commands. The flaws are fixed in the following QTS operating system versions:

  • QTS 4.4.2.1270 build 20200410 and later

  • QTS 4.4.1.1261 build 20200330 and later

  • QTS 4.3.6.1263 build 20200330 and later

  • QTS 4.3.4.1282 build 20200408 and later

  • QTS 4.3.3.1252 build 20200409 and later

  • QTS 4.2.6 build 20200421 and later
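For anyone auditing several devices against the list above, the following is an added example (not from QNAP or the original article) that classifies a QTS version string by branch and build date. It assumes build dates increase monotonically within a branch; the inventory lines and host names are constructed, and branches the list does not mention are reported as "unknown" rather than guessed.

```python
import re

# Minimum fixed build date (YYYYMMDD) per QTS branch, copied from the list above.
FIXED_BUILDS = {
    (4, 4, 2): 20200410,
    (4, 4, 1): 20200330,
    (4, 3, 6): 20200330,
    (4, 3, 4): 20200408,
    (4, 3, 3): 20200409,
    (4, 2, 6): 20200421,
}

# Matches "4.4.2.1270 build 20200410" and "4.2.6 build 20200421" alike;
# the fourth version component is optional because 4.2.6 is listed without one.
VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+build\s+(\d{8})\b", re.IGNORECASE
)

def qts_status(version_string):
    """Return 'patched', 'vulnerable', 'unknown' (branch not listed) or 'unparsed'."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unparsed"
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    build_date = int(m.group(4))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # assumption: do not infer status for unlisted branches
    return "patched" if build_date >= fixed else "vulnerable"

# Constructed inventory: "<host> <version string as shown in the QTS UI>".
INVENTORY = """\
nas-backup   QTS 4.4.2.1270 build 20200410
nas-media    QTS 4.4.1.1216 build 20200214
nas-archive  QTS 4.2.6 build 20200421
nas-lab      QTS 4.3.5.0760 build 20181114
nas-old      firmware string missing
"""

def audit(inventory):
    """Map each host in the inventory text to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _, version = line.partition(" ")
            results[host] = qts_status(version)
    return results

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```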

Once a device is compromised, the attackers deploy ransomware, which encrypts the files stored on the device and displays a ransom note that demands approximately $500 in bitcoin for a decryptor.

Currently, there is no way to recover files for free. However, users who have enabled QNAP's block-based snapshot feature in the past can recover their files using snapshots.
