Newly Discovered Ransomware Targets QNAP NAS Systems
A new ransomware strain has been discovered that mainly targets QNAP NAS systems. It uses brute-force attacks to crack weak passwords on the network drives.
The ransomware is named eCh0raix and was first discovered by security researchers from the Anomali Threat Research Team. QNAP says it is working on a way to remove the malware from infected devices.
The ransomware encrypts files with AES-256 and appends an .encrypt extension to them. Almost all file types on the disk are affected. The malware uses language checks to determine whether the NAS is located in Russia, Belarus or Ukraine, and does not infect systems in those countries. The bitcoin addresses used show that no payments have yet been made, but it is not certain whether these are the only addresses used by the perpetrators.
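For triage of a share that may have been hit, the .encrypt extension described above is a marker that can be searched for. The following Python script is an added example, not code from QNAP or Anomali; the function names are hypothetical, and reading the earliest modification time of a .encrypt file as the approximate start of encryption (useful when choosing a backup to restore from) is an assumption.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".encrypt"  # extension the article says eCh0raix appends

def triage(root):
    """Walk a mounted share and summarise files carrying the .encrypt suffix.

    Counts are grouped by top-level folder so heavily hit shares stand out.
    """
    per_dir = defaultdict(lambda: {"encrypted": 0, "intact": 0})
    first = last = None
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                per_dir[top]["intact"] += 1
                continue
            per_dir[top]["encrypted"] += 1
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable file: still counted, just not timed
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {"per_dir": dict(per_dir), "first_encrypted": first, "last_encrypted": last}

def report(summary):
    """Render the triage summary as text lines (timestamps in UTC)."""
    lines = []
    for top, c in sorted(summary["per_dir"].items()):
        total = c["encrypted"] + c["intact"]
        lines.append(f"{top}: {c['encrypted']}/{total} files end in {ENCRYPTED_SUFFIX}")
    for label in ("first_encrypted", "last_encrypted"):
        ts = summary[label]
        if ts is not None:
            stamp = datetime.fromtimestamp(ts, timezone.utc).isoformat()
            lines.append(f"{label}: {stamp}")
    return lines

if __name__ == "__main__":
    import sys
    print("\n".join(report(triage(sys.argv[1] if len(sys.argv) > 1 else "."))))
```

Run it against a read-only mount of the share, passing the mount point as the first argument.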
BleepingComputer forums show that at least the QNAP TS-251, TS-253B, TS-451, and TS-459 PRO II could be affected, but more models may be involved. QNAP recommends that users use a virus scanner to stop the ransomware.
The company also provides tips that reduce users’ risk of falling victim to the ransomware. In addition to updating the QTS software to version 4.4 and setting a stronger password, the company recommends disabling SSH and Telnet and, if possible, not using the default ports 8080 and 443. It also advises enabling Network Access Protection to protect systems against brute-force attacks.