eCh0raix ransomware is back and targets QNAP NAS devices again


eCh0raix ransomware operators are back after months of apparent inactivity and are now targeting QNAP storage devices in a new campaign.

Threat actors behind the eCh0raix Ransomware have launched a new campaign aimed at infecting QNAP storage devices.

The eCh0raix ransomware appeared in the threat landscape in June 2019, when it was documented by experts at security firms Intezer and Anomali.

The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems; attackers exploit known vulnerabilities or carry out brute-force attacks.

The ransomware, tracked as “QNAPCrypt” by Intezer and as “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends the .encrypt extension to the filenames of encrypted files.

On June 1, BleepingComputer observed a surge in the number of users reporting eCh0raix infections in its forums.

The following graph shows the submissions to the ransomware identification site ID-Ransomware.

Hackers are targeting QNAP devices by attempting to exploit well-known vulnerabilities or by brute-forcing weak passwords.

QNAP released a security advisory for NAS vulnerabilities that could be exploited by attackers to inject malicious code or perform remote code execution. An attacker could trigger these issues to install the ransomware on vulnerable devices.

QNAP already addressed the vulnerabilities in the following QTS versions:

  • QTS 4.4.2.1270 build 20200410 and later
  • QTS 4.4.1.1261 build 20200330 and later
  • QTS 4.3.6.1263 build 20200330 and later
  • QTS 4.3.4.1282 build 20200408 and later
  • QTS 4.3.3.1252 build 20200409 and later
  • QTS 4.2.6 build 20200421 and later
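The fixed-build list above can be turned into a fleet check. The following Python sketch is an added example, not code from QNAP or from the original article: it classifies firmware strings as patched, vulnerable or unknown. It assumes the firmware string has the same "version build YYYYMMDD" shape as the list entries and that the build date alone is enough to order builds within a branch; branches not named in the list are reported as unknown rather than guessed. The host names and inventory values are constructed.

```python
import re

# Fixed builds per QTS branch, copied from the list above: branch -> build date.
FIXED_BUILDS = {
    (4, 4, 2): 20200410,
    (4, 4, 1): 20200330,
    (4, 3, 6): 20200330,
    (4, 3, 4): 20200408,
    (4, 3, 3): 20200409,
    (4, 2, 6): 20200421,
}

# Matches "4.4.1.1261 build 20200330" and "QTS 4.2.6 build 20200421".
# The fourth (build number) component is optional, as in the 4.2.6 entry.
_QTS_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+build\s+(\d{8})\b", re.IGNORECASE
)

def parse_qts(text):
    """Return ((major, minor, patch), build_date) or raise ValueError."""
    m = _QTS_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised QTS version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def patch_status(text):
    """Classify one firmware string as 'patched', 'vulnerable' or 'unknown'."""
    try:
        branch, build = parse_qts(text)
    except ValueError:
        return "unknown"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by the list; needs manual review
    # Assumption: within a branch, a later build date means a later build.
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory):
    """Group {host: firmware string} into {status: [hosts sorted by name]}."""
    groups = {"patched": [], "vulnerable": [], "unknown": []}
    for host, firmware in sorted(inventory.items()):
        groups[patch_status(firmware)].append(host)
    return groups

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"nas-01": "4.4.1.1261 build 20200330", "nas-02": "4.2.6 build 20191107"}
    print(triage(sample))
```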

Upon accessing QNAP NAS devices, the attackers deploy the ransomware, which starts encrypting the files on the device.

Crooks demand $500 worth of bitcoin to decrypt the files; the instructions to pay the ransom are included in the note “README_FOR_DECRYPT.txt” that is dropped on the device.

Experts warn that, unlike previous versions of the eCh0raix ransomware, this latest version doesn’t allow victims to recover files for free.

Users who have enabled QNAP’s block-based snapshot feature in the past can recover the files using the snapshots.


Pierluigi Paganini

(SecurityAffairs – eCh0raix, cybersecurity)
