Tuesday, February 11, 2025
HomeLinuxNew eCh0raix Ransomware Attacking Linux File Storage Servers

New eCh0raix Ransomware Attacking Linux File Storage Servers

Published on

SIEM as a Service

Follow Us on Google News

A new ransomware strain dubbed eCh0raix targeting Linux based QNAP Network Attached Storage (NAS) devices. The ransomware intended to infect and encrypt the files using AES encryption.

The malware written and compiled in Go programming language and has only 400 lines of code. It has a very low detection rate and it targets only Linux-based QNAP NAS servers.

QNAP is a Taiwanese company well-known for selling NAS servers for storage and media player functionality. Generally, the NAS servers are used to store a large amount of data and files.

The ransomware dubbed as “QNAPCrypt” by Intezer and “eCh0raix” by Anomali, it includes functions similar to the ransomware but contains several differences.

Once the malware executed it reaches out to the command and control server to notify the encryption process is to begin. Before encryption, it requests for wallet address and a public RSA from C&C server.

QNAP

It communicates to the C2 server via a SOCKS5 Tor proxy and the data written from the C2 server is JSON-encoded. The ransomware encrypts the file using an AES-256 key and appends .encrypt extension to the encrypted files.

Before starting the encryption process it kills the following services in the infected NAS servers.

  • apache2
  • httpd
  • nginx
  • mysqld
  • MySQL
  • PHP-fpm
  • php5-fpm
  • PostgreSQL

It encrypts following extensions

.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm.ewp.far.fdb.fit.flv.fmp.fos.fpk.fsh.fwp.gdb.gho.gif.gne.gpg.gsp.gxk.hdm.hkx.htc.htm.htx.hxs.idc.idx.ifx.iqy.iso.itl.itm.iwd.iwi.jcz.jpe.jpg.jsp.jss.jst.jvs.jws.kdb.kdc.key.kit.ksd.lbc.lbf.lrf.ltx.lvl.lzh.m3u.m4a.map.max.mdb.mdf.mef.mht.mjs.mlx.mov.moz.mp3.mpd.mpp.mvc.mvr.myo.nba.nbf.ncf.ngc.nod.nrw.nsf.ntl.nv2.nxg.nzb.oam.odb.odc.odm.odp.ods.odt.ofx.olp.orf.oth.p12.p7b.p7c.pac.pak.pdb.pdd.pdf.pef.pem.pfx.pgp.php.png.pot.ppj.pps.ppt.prf.pro.psd.psk.psp.pst.psw.ptw.ptx.pub.qba.qbb.qbo.qbw.qbx.qdf.qfx

It also checks for the geolocation of the infected server, if the NAS severs is in Belarus, Ukraine, or Russia it exits the process with encrypting. Once it locked down the system it shows the following message.

The payment handled through Onion domain along with the unique RSA public key to be sent to the ransomware operator.

QNAP

“We were able to collect a total of 1,091 unique wallets meant to be delivered to new victims distributed among 15 different campaigns.”

Administrators are recommended to restrict the external access to QNAP NAS device, use a strong password and ensure the device is up to date with security patches.

IoC

Bitcoin addresses
18C28bVEctVtVbwNytt4Uy6k7wxpysdDLH
1Fx7jev3dvHobdK8m3Jk6cA8SrfzjjLqvM

Samples
154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357 (DE)
3d7ebe73319a3435293838296fbb86c2e920fd0ccc9169285cc2c4d7fa3f120d (TW)
95d8d99c935895b665d7da2f3409b88f ( linux_cryptor)

URLs
http://sg3dwqfpnr4sl5hh[.]onion/api/GetAvailKeysByCampId/13
http://sg3dwqfpnr4sl5hh[.]onion/order/1LWqmP4oTjWS3ShfHWm1UjnvaLxfMr2kjm
http://sg3dwqfpnr4sl5hh[.]onion/static/

IP
192.99.206.61:65000

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Hackers Use Linux Malware HiddenWasp to Attack Linux Systems for Gaining Remote Access

StealthWorker Brute-force Malware Attack on Windows & Linux Platform Via Hacked E-commerce Websites

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Akira Ransomware Dominates January 2025 as the Most Active Ransomware Threat

January 2025 marked a pivotal month in the ransomware landscape, with Akira emerging as...

SolarWinds Improves Web Help Desk in Latest 12.8.5 Update

SolarWinds announced the release of Web Help Desk (WHD) version 12.8.5, unveiling a host...

FinStealer Malware Targets Leading Indian Bank’s Mobile Users, Stealing Login Credentials

A new cybersecurity threat has emerged, targeting customers of a prominent Indian bank through...

Evil Crow RF Tool Transforms Smartphones into Powerful RF Hacking Devices

Innovative tools are continually appearing to enhance the capabilities of professionals and enthusiasts alike.One...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Akira Ransomware Dominates January 2025 as the Most Active Ransomware Threat

January 2025 marked a pivotal month in the ransomware landscape, with Akira emerging as...

Authorities Seize 8Base Ransomware Dark Web Site, Arrest Four Key Operators

Thai authorities arrested four European hackers in Phuket on February 10, 2025, for their...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...