eCh0raix Ransomware Strain Targeting QNAP NAS Devices
A new ransomware strain, dubbed ‘eCh0raix’, which targets QNAP Network Attached Storage (NAS) devices used for backups and file storage, was recently discovered by security researchers.
Written in Go, eCh0raix is reported to have encrypted documents on QNAP NAS devices; each device is compromised first and the ransomware is then executed on it. The QNAP NAS devices are compromised by brute-forcing weak credentials and exploiting known vulnerabilities.
The impacted devices include the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS-253B.
Researchers who analyzed the eCh0raix samples noted that it uses a hardcoded public key, with a unique key for each target. The ransomware’s C&C server is hosted on Tor, but the ransomware does not bundle a Tor client; instead it connects through a SOCKS5 proxy in order to reach the C&C server. The ransomware operators also created an API that can be used to query for various information.
The ransomware then searches for and kills processes such as apache2, httpd, nginx, mysqld, mysqd, and php-fpm, using service stop %s or systemctl stop %s commands.
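The service-stop behaviour above is a useful detection hook on a NAS, because stopping the web and database services is unusual for an interactive administrator and very unusual as a burst. The script below is an added example, not code from the report or from QNAP: it parses constructed audit-style command lines (the "timestamp uid=N cmd=..." layout is an assumption, not a real QNAP log format), extracts every stop of one of the services named in the report, and flags a burst when several distinct watched services are stopped within one short window.

```python
import re
from datetime import datetime, timedelta

# Services the report says eCh0raix stops before encrypting.
WATCHED_SERVICES = {"apache2", "httpd", "nginx", "mysqld", "mysqd", "php-fpm"}

# Matches "service <name> stop" and "systemctl stop <name>" (optional .service suffix).
STOP_RE = re.compile(
    r"\b(?:service\s+(?P<svc1>[\w.-]+)\s+stop|systemctl\s+stop\s+(?P<svc2>[\w.-]+))\b"
)

# Assumed line layout: "<ISO timestamp> uid=<n> cmd=<command line>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample log: four watched services stopped within two seconds,
# one unrelated stop by a normal user, and a restart that must not match.
SAMPLE_LOG = """\
2019-07-01T02:14:03 uid=0 cmd=service apache2 stop
2019-07-01T02:14:03 uid=0 cmd=systemctl stop nginx
2019-07-01T02:14:04 uid=0 cmd=service mysqld stop
2019-07-01T02:14:04 uid=0 cmd=systemctl stop php-fpm.service
2019-07-01T09:30:00 uid=1000 cmd=systemctl stop cups
2019-07-01T11:00:00 uid=0 cmd=service nginx restart
"""


def parse_stops(log_text):
    """Return (timestamp, uid, service) for every stop of a watched service."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a command record; ignore
        s = STOP_RE.search(m.group("cmd"))
        if not s:
            continue  # not a stop command
        svc = s.group("svc1") or s.group("svc2")
        if svc.endswith(".service"):
            svc = svc[: -len(".service")]
        if svc in WATCHED_SERVICES:
            hits.append((datetime.fromisoformat(m.group("ts")), int(m.group("uid")), svc))
    return hits


def detect_burst(hits, window=timedelta(seconds=60), threshold=3):
    """Return the sorted set of watched services stopped inside one window when it
    reaches `threshold` distinct services, otherwise None."""
    hits = sorted(hits)
    for i, (t0, _, _) in enumerate(hits):
        services = {svc for t, _, svc in hits[i:] if t - t0 <= window}
        if len(services) >= threshold:
            return sorted(services)
    return None


if __name__ == "__main__":
    found = parse_stops(SAMPLE_LOG)
    for ts, uid, svc in found:
        print(f"{ts.isoformat()} uid={uid} stopped {svc}")
    burst = detect_burst(found)
    print("burst of service stops:", burst)
```

A single `systemctl stop nginx` by an administrator will not trip the burst rule; the combination of several web and database services stopped within seconds, typically as root, is the signal worth alerting on, and the per-hit list still gives the analyst the individual events for triage.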
eCh0raix is known to encrypt Microsoft Office and OpenOffice documents, PDFs, text files, archives, databases, photos, music, video, and image files using AES in Cipher Feedback Mode (CFB) with a 256-bit secret key generated locally.
This AES key is then encrypted with the downloaded or embedded public RSA key and stored in base64 format in the ransom note. Upon encryption, the ransomware appends the .encrypt extension to the encrypted file's name. Worth noting
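For incident responders, the two artifacts this scheme leaves behind are the .encrypt extension on every encrypted file and the base64-encoded, RSA-wrapped AES key inside the ransom note; the wrapped key is the blob a decryptor would need the operators' private RSA key for, so it should be preserved with the evidence. The script below is an added triage example, not code from the report: it walks a share, counts .encrypt files, locates ransom notes and recovers the wrapped-key blob, rejecting base64 runs that do not decode to a plausible RSA ciphertext length. The note filename (NOTE_NAME) is a placeholder, since the report does not give it, and the sample tree is constructed with random bytes standing in for the real key and file contents.

```python
import base64
import binascii
import os
import re
import tempfile

ENCRYPTED_EXT = ".encrypt"            # extension the report says eCh0raix appends
NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"  # placeholder: the report gives no note filename
B64_RE = re.compile(r"[A-Za-z0-9+/]{88,}={0,2}")  # base64 run of at least 64 bytes


def extract_wrapped_key(note_text):
    """Return the decoded RSA-wrapped AES key found in a ransom note, or None.

    An RSA ciphertext is exactly as long as the modulus, so only blobs of a
    common modulus size (RSA-1024/2048/3072/4096) are accepted."""
    for m in B64_RE.finditer(note_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        if len(blob) in (128, 256, 384, 512):
            return blob
    return None


def triage(root):
    """Walk `root`; collect .encrypt files, ransom notes and the wrapped keys they carry."""
    report = {"encrypted_files": [], "notes": [], "wrapped_keys": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted_files"].append(path)
            elif name == NOTE_NAME:
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    key = extract_wrapped_key(fh.read())
                if key is not None:
                    report["wrapped_keys"][path] = key
    return report


def build_sample_tree():
    """Constructed victim share: three 'encrypted' files, one untouched file and one note.
    The 256-byte blob is random data standing in for an RSA-2048-wrapped key."""
    root = tempfile.mkdtemp(prefix="ech0raix_demo_")
    docs = os.path.join(root, "share", "docs")
    os.makedirs(docs)
    for i in range(3):
        with open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "wb") as fh:
            fh.write(os.urandom(64))
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("plain text, not encrypted\n")
    fake_wrapped = base64.b64encode(os.urandom(256)).decode()
    with open(os.path.join(root, "share", NOTE_NAME), "w") as fh:
        fh.write("Your files have been encrypted.\nKEY:" + fake_wrapped + "\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted_files'])} files with {ENCRYPTED_EXT}")
    for note, key in result["wrapped_keys"].items():
        print(f"{note}: wrapped key of {len(key)} bytes (likely RSA-{len(key) * 8})")
```

The length check is what keeps the parser from treating a long base64-looking string in unrelated text as the key; a blob whose decoded length is not a modulus size is reported as absent rather than guessed at. Run the triage against a copy of the share, not the live volume, so that file timestamps and the note are preserved for the forensic record.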