28 December 2021

QNAP NAS devices hit with a new wave of eCh0raix ransomware attacks



Malicious actors behind the eCh0raix ransomware are targeting QNAP network-attached storage (NAS), with attacks intensifying just days before the Christmas holidays.

According to BleepingComputer, multiple users managing QNAP and Synology NAS systems have been reporting compromises of their devices since December 20. The surge in attacks has been confirmed by the ID Ransomware service, where submissions started to increase on December 19 and subsided towards December 26.

At present, it’s unclear how threat actors compromised devices. Some users admit that they did not secure their devices properly, while others blame a vulnerability in QNAP’s Photo Station, which allowed attackers to hack into devices.

After compromising a device, the threat actors behind eCh0raix create a user in the administrator group, which enables them to encrypt all files on the NAS system, including pictures and documents.

One notable aspect of this campaign is that the attackers mistyped the extension for the ransom note and used the “.TXTT” extension, which might be an issue for some users, who will have to open the file with a specific program (e.g. Notepad) or load it in that program.

In these recent attacks, the eCh0raix ransomware operators have been observed demanding ransoms ranging from .024 bitcoins ($1,200) up to .06 bitcoins ($3,000).

While there is a free decryptor for files locked with an older version (released before July 17th, 2019) of eCh0raix ransomware, currently there is no free tool to decrypt data locked by the latest variants of the ransomware (versions 1.0.5 and 1.0.6), BleepingComputer notes.
