eCh0raix, also dubbed QNAPCrypt by Intezer researchers, is a new ransomware variant that has been observed targeting Linux-based Quality Network Appliance Provider (QNAP) Network Attached Storage (NAS) devices used for file storage and backups. These devices typically do not run anti-virus software, which allows eCh0raix to proliferate through them without detection. Victims have reported that their NAS devices were not receiving updates or running current patches, suggesting the threat actors could be exploiting a vulnerability within QNAP NAS devices. Some victims also reported a significant number of failed login attempts prior to infection, suggesting a brute-force attack. Anomali researchers analyzed malware samples and discovered that the hard-coded encryption keys are unique, noting that the same decryptor key would not work for all victims. Researchers also recognized the use of botnet addresses to obfuscate the genuine source IPs. At the time of this writing, approximately 19,000 QNAP NAS devices in the US alone are public-facing and could potentially be vulnerable to exploitation.

Technical Details and Reporting

  • Anomali provides technical details and IOCs here.

  • Dark Reading provides further reporting here.

  • ZDNet also provides further reporting here.