New eCh0raix Ransomware Targets Backup Devices

eCh0raix, also dubbed QNAPCrypt by Intezer researchers, is a new ransomware variant that has been observed targeting backup systems. The current campaign targets Linux-based network attached storage (NAS) devices made by QNAP (Quality Network Appliance Provider) as well as Iomega NAS devices. In some cases, files have been deleted rather than encrypted. Anti-virus software is typically not run on NAS systems, allowing eCh0raix to spread without detection.

Victims have reported that their NAS devices were not receiving updates or running current patches, indicating that the threat actors could be exploiting a vulnerability in the NAS devices. Some victims also reported a significant number of failed login attempts prior to infection, suggesting a brute-force attack may have been the point of entry. Anomali researchers analyzed malware samples and found that the hard-coded encryption keys are unique, so the same decryptor key would not work for all victims. Researchers also observed the use of botnet addresses to obfuscate the attackers' genuine source IPs. At the time of this writing, approximately 19,000 QNAP NAS devices in the US alone are public facing and could potentially be vulnerable to exploitation.

The NJCCIC recommends that NAS users and administrators ensure login credentials are strong and unique to each platform, enable MFA, and keep NAS devices updated. We also suggest limiting public exposure of NAS devices and protecting them behind a firewall. Synology, Lenovo, and QNAP have issued advisories containing mitigation techniques. The Anomali blog post contains further analysis and indicators of compromise (IOCs).
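The failed-login bursts that victims reported before infection are something administrators can look for in their own NAS logs. The following is an added example written for this alert, not code from the NJCCIC, Anomali or any NAS vendor: it scans constructed, OpenSSH-style authentication lines (an assumed format, not actual QNAP or Iomega log output) for a source address that fails repeatedly inside a short window and then logs in successfully, which is the pattern a credential-guessing attack leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth-log style; an assumption for illustration,
# not real QNAP or Iomega logs. The addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2019-06-10T08:15:01Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2019-06-10T08:15:02Z sshd[1202]: Failed password for admin from 203.0.113.5 port 51235 ssh2
2019-06-10T08:15:03Z sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
2019-06-10T08:15:04Z sshd[1204]: Failed password for admin from 203.0.113.5 port 51237 ssh2
2019-06-10T08:15:09Z sshd[1205]: Accepted password for admin from 203.0.113.5 port 51240 ssh2
2019-06-10T09:00:00Z sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2019-06-10T09:30:00Z sshd[1301]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line):
    # Returns (timestamp, result, user, ip), or None for lines that do not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    # Flags any source IP with >= threshold failures inside a sliding window, and
    # records whether that source later logged in successfully (guessing likely worked).
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, _user, ip = ev
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                findings.setdefault(ip, {"success_after_burst": False})["failures"] = len(q)
        elif result == "Accepted" and ip in findings:
            findings[ip]["success_after_burst"] = True
    return findings
```

A single slow failure followed by a success (the `bob` lines) is not flagged, so ordinary typos do not generate noise; only the burst-then-success source is reported.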
