A new ransomware strain dubbed eCh0raix targeting Linux based QNAP Network Attached Storage (NAS) devices. The ransomware intended to infect and encrypt the files using AES encryption.
The malware written and compiled in Go programming language and has only 400 lines of code. It has a very low detection rate and it targets only Linux-based QNAP NAS servers.
QNAP is a Taiwanese company well-known for selling NAS servers for storage and media player functionality. Generally, the NAS servers are used to store a large amount of data and files.
Once the malware executed it reaches out to the command and control server to notify the encryption process is to begin. Before encryption, it requests for wallet address and a public RSA from C&C server.
It communicates to the C2 server via a SOCKS5 Tor proxy and the data written from the C2 server is JSON-encoded. The ransomware encrypts the file using an AES-256 key and appends .encrypt extension to the encrypted files.
Before starting the encryption process it kills the following services in the infected NAS servers.
It encrypts following extensions
It also checks for the geolocation of the infected server, if the NAS severs is in Belarus, Ukraine, or Russia it exits the process with encrypting. Once it locked down the system it shows the following message.
The payment handled through Onion domain along with the unique RSA public key to be sent to the ransomware operator.
“We were able to collect a total of 1,091 unique wallets meant to be delivered to new victims distributed among 15 different campaigns.”
Administrators are recommended to restrict the external access to QNAP NAS device, use a strong password and ensure the device is up to date with security patches.
95d8d99c935895b665d7da2f3409b88f ( linux_cryptor)
Researchers uncovered a new covert channel to steal sensitive information from Air-gapped systems over the…
Researchers from the Google Threat Analysis group uncovered an incident associated with the north Korean…
According to a joint Cybersecurity Advisory (CSA) from the FBI, CISA, and MS-ISAC published in…
Security information and event management, or SIEM, was introduced some 17 years ago. It makes…
CryWiper, a previously unknown data wiper that masquerades as ransomware, has been recently discovered and…