NASty: QNAP Warns Users About 'eCh0raix' Ransomware

QNAP, a Taiwan-based network-attached storage (NAS) vendor, warned its NAS customers to make sure they're using strong passwords, have the latest version of its QTS firmware installed and are staying vigilant about their device's security in response to Anomali's disclosure of the eCh0raix Ransomware earlier this month.

IT security firm Anomali revealed eCh0raix on July 10. The ransomware appears to be fairly standard: it compromises QNAP devices "by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks," before a "malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files." That's where the ransom comes in.

The ransom note instructs victims to visit a website using the Tor browser for more information about retrieving their files. Most security companies advise ransomware victims not to pay the ransom; the attackers have little motivation to hold up their end of the bargain. 

According to Anomali, eCh0raix specifically targeted publicly accessible QNAP NAS devices that weren't located in Belarus, Ukraine, or Russia, potentially because the attackers operate in one of those countries. The best mitigation against this attack, the company said, would be to restrict external access to the device while also following QNAP's advice regarding strong credentials and firmware updates.

QNAP released a security advisory related to eCh0raix on July 11. Here are the company's recommendations:

  1. Update QTS to the latest version.
  2. Install and update Malware Remover to the latest version.
  3. Use a stronger admin password.
  4. Enable Network Access Protection to protect accounts from brute force attacks.
  5. Disable SSH and Telnet services if you are not using them.
  6. Avoid using default port numbers 443 and 8080.

QNAP also said that it's "urgently working on a solution to remove malware from infected devices and will release it at the soonest possible time." Anyone who owns a QNAP product can reach out to the company via the QNAP Helpdesk for additional information about eCh0raix, protecting their devices, etc. In the meantime, this is simply another reminder to be diligent about strong passwords and firmware updates.

  • digitalgriffin
    Lesson: Sensitive data should never be exposed on an outside network unless it is through a secure tunnel or really good security standards.
  • shroomzofdoom
    Thankfully, I noticed a brute force attempt on port 8080 started a few weeks ago. The attacker was using a different IP address to get around the QNAP IP block list and trying, on average, several times per minute. Changing the default port for this service seems to have helped; the block list was of no use.
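The comment above describes why a per-IP block list fails against a brute force that rotates source addresses: no single IP ever crosses the block threshold. The following added example (not code from the article, QNAP, or the commenter) shows the difference between keying on source IP and keying on the targeted account over a sliding time window; the log format and sample lines are constructed for illustration.

```python
# Added example (not from the article or QNAP): a per-IP block list misses a
# brute force that rotates source addresses, so count failures per account.
# Log format and sample lines are constructed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (OK|FAIL)$")  # ts ip port user result

# Constructed: 4 IPs, 2 failures each against 'admin' on 8080 within one minute.
SAMPLE_LOG = """\
2019-07-01T10:00:01 203.0.113.10 8080 admin FAIL
2019-07-01T10:00:08 203.0.113.10 8080 admin FAIL
2019-07-01T10:00:15 203.0.113.11 8080 admin FAIL
2019-07-01T10:00:22 203.0.113.11 8080 admin FAIL
2019-07-01T10:00:29 203.0.113.12 8080 admin FAIL
2019-07-01T10:00:36 203.0.113.12 8080 admin FAIL
2019-07-01T10:00:43 203.0.113.13 8080 admin FAIL
2019-07-01T10:00:50 203.0.113.13 8080 admin FAIL
2019-07-01T10:01:30 192.0.2.7 8080 backup OK
""".splitlines()

def parse(lines):
    """Yield (timestamp, ip, port, user, result) for well-formed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, port, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, int(port), user, result

def ips_to_block(lines, per_ip_threshold=5):
    """Classic IP block list: addresses with at least per_ip_threshold failures."""
    fails = Counter(ip for _, ip, _, _, r in parse(lines) if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= per_ip_threshold)

def accounts_under_attack(lines, window=timedelta(seconds=60), threshold=5):
    """Accounts whose failures from *any* IP reach threshold inside a sliding
    window. Returns {user: (peak failures in window, distinct source IPs)}."""
    times, sources = defaultdict(list), defaultdict(set)
    for ts, ip, _, user, r in parse(lines):
        if r == "FAIL":
            times[user].append(ts)
            sources[user].add(ip)
    flagged = {}
    for user, ts_list in times.items():
        ts_list.sort()
        start = peak = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = (peak, len(sources[user]))
    return flagged
```

On the sample, `ips_to_block` returns nothing because every address stays at two failures, while `accounts_under_attack` flags `admin` with eight failures from four addresses inside one minute.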