Malicious actors behind the eCh0raix ransomware are targeting QNAP network-attached storage (NAS) devices, with attacks intensifying just days before the Christmas holidays.
According to BleepingComputer, multiple users managing QNAP and Synology NAS systems have been reporting compromises of their devices since December 20. The surge of attacks has been confirmed by the ID Ransomware service, where submissions started to increase on December 19 and subsided towards December 26.
At present, it’s unclear how the threat actors compromised the devices. Some users admit that they did not secure their devices properly, while others blame a vulnerability in QNAP’s Photo Station, which allowed attackers to hack into devices.
After compromising a device, the threat actors behind eCh0raix create a user in the administrator group, which enables them to encrypt all files on the NAS system, including pictures and documents.
One notable aspect of this campaign is that the attackers mistyped the extension for the ransom note and used the “.TXTT” extension, which might be an issue for some users, who will have to open the file with a specific program (e.g. Notepad) or load it in said program.
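A defender's check for the two traces described above, as an added example that is not from the article or from QNAP: it lists files with the .TXTT extension under a share and reports administrator-group members missing from a known-good baseline. The group name `administrators`, the group(5) file layout, and every account and file name below are assumptions or constructed sample data.

```python
import os
import tempfile

NOTE_SUFFIX = ".txtt"  # mistyped ransom-note extension reported for this campaign


def find_ransom_notes(root):
    """Return sorted paths under root whose extension is .TXTT (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() == NOTE_SUFFIX:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def unexpected_admins(group_text, group_name, baseline):
    """Return members of group_name (name:passwd:gid:members) not in baseline."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group_name:
            members = [m for m in fields[3].split(",") if m]
            return sorted(set(members) - set(baseline))
    return []


# Constructed sample data: the group name and all account names are made up.
SAMPLE_GROUP = "administrators:x:0:admin,backupsvc,a9f3kq\neveryone:x:100:admin,alice\n"
SAMPLE_BASELINE = {"admin", "backupsvc"}


def demo():
    """Build a throwaway share, then run both checks on the constructed data."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "Photos"))
        for rel in ("Photos/sample_note.TXTT", "Photos/notes.txt", "todo.txtt"):
            with open(os.path.join(share, rel), "w") as fh:
                fh.write("constructed sample\n")
        notes = [os.path.relpath(p, share) for p in find_ransom_notes(share)]
    return notes, unexpected_admins(SAMPLE_GROUP, "administrators", SAMPLE_BASELINE)


if __name__ == "__main__":
    print(demo())
```
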
In these recent attacks, the eCh0raix ransomware operators have been observed demanding a ransom ranging from 0.024 bitcoins ($1,200) up to 0.06 bitcoins ($3,000).
While there is a free decryptor for files locked with an older version (released before July 17th, 2019) of eCh0raix ransomware, currently there is no free tool to decrypt data locked by the latest variants of the ransomware (versions 1.0.5 and 1.0.6), BleepingComputer notes.