QNAP’s network-attached storage devices are constantly being targeted by attackers, one way or another. We recently shared the news of the [oom_reaper] malware that uses half of the NAS devices to mine cryptocurrency. Now, a new malware has emerged with a much bigger impact: it encrypts the storage.
Might be just users’ fault
Users of some QNAP and Synology NAS devices are reporting eCh0raix ransomware attacks in the forums. While some users admit it was their own fault for not securely connecting the device to the internet, others claim it is the manufacturer’s fault. The door the attackers are using to inject the ransomware is currently unknown. Some users think there is a vulnerability in the QNAP Photo Station app.
After the attackers breach the NAS systems, they create a new administrator-level user. With that administrator account, they can encrypt the storage drives using the device’s internal tools. The attackers leave a note whose file extension contains a typo: .txtt.
The note informs users that they are being hacked and directs them to the “eCh0raix order page” for payment. The ransom demands vary between 0.024 and 0.06 bitcoins, which translates to between 1,200 and 3,000 US dollars at the current exchange rate.
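A triage check for the two indicators described above (an unexpected administrator-level account and note files ending in .txtt), as an added example that is not from this article or from QNAP. The share path, the group-file path, the group name `administrators` and the allowlist of known admins are assumptions to adjust per device; the sample data is constructed.

```shell
#!/bin/sh
# Added example: look for the two indicators the article describes.
# All paths, the group name and the allowlist are assumptions passed as arguments.

# List files ending in the ransom-note extension ".txtt" under a directory.
find_txtt_notes() {
    find "$1" -type f -name '*.txtt' 2>/dev/null | sort
}

# Print members of an admin group that are not in a comma-separated allowlist.
# Expects group(5) format: name:password:gid:user1,user2
unexpected_admins() {
    group_file=$1; admin_group=$2; allowlist=$3
    awk -F: -v g="$admin_group" -v allow="$allowlist" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == g {
            m = split($4, u, ",")
            for (i = 1; i <= m; i++)
                if (u[i] != "" && !(u[i] in ok)) print u[i]
        }' "$group_file" | sort
}

# Report findings; return 0 when clean, 1 when either indicator is present.
triage() {
    notes=$(find_txtt_notes "$1")
    admins=$(unexpected_admins "$2" "$3" "$4")
    [ -z "$notes" ]  || printf '%s\n' "$notes"  | sed 's/^/NOTE  /'
    [ -z "$admins" ] || printf '%s\n' "$admins" | sed 's/^/ADMIN /'
    [ -z "$notes" ] && [ -z "$admins" ]
}

# Demo on constructed sample data (not taken from a real device).
demo=$(mktemp -d)
mkdir -p "$demo/share/Photos"
: > "$demo/share/Photos/note.txtt"
printf 'administrators:x:0:admin,svc_unknown\neveryone:x:100:admin\n' > "$demo/group"
triage "$demo/share" "$demo/group" administrators admin || echo "indicators found"
rm -rf "$demo"
```

Run it against a copy of the group file and a mounted share; an account reported as `ADMIN` is only unexpected relative to the allowlist you supply.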