eCh0raix ransomware targets QNAP NAS devices in its latest attacks

The notorious eCh0raix ransomware has attacked susceptible QNAP Network Attached Storage (NAS) devices this week, according to reports and sample submissions on ID Ransomware, a site used to identify which ransomware encrypted the data on a compromised device.

eCh0raix, also known as QNAPCrypt, began attacking QNAP NAS devices in a large-scale wave in 2019. According to reports, in July 2019 the ransomware targeted the following QNAP NAS devices: QNAP TS-231, QNAP TS-251, QNAP TS 253A, QNAP TS 253B, QNAP TS-451, and QNAP TS-459 Pro II.

According to reports by Anomali researchers, these NAS devices were attacked through weak credentials. QNAP's NAS devices are systems consisting of one or more hard drives that are constantly connected to the internet. A QNAP NAS acts as a backup or storage unit that holds your data and important files.

The researchers observed that eCh0raix is able to create a SOCKS5 proxy to connect to and communicate with its C2. Command and control (C2) systems are used to remotely manage sessions on compromised hosts. The threat actor can use the C2 interface to directly access programs on the compromised devices from a remote location.

With the help of the ransomware, the threat actor can connect to the C2 server and encrypt the compromised files with an RSA public key; RSA is an algorithm used to encrypt and decrypt messages. eCh0raix can also perform a language check to determine whether the device is in one of the Commonwealth of Independent States (CIS) countries. Depending on the country, the ransomware will not encrypt any files.

According to the researchers, “The sample found on C2, checks the locale of the infected NAS for Belarus, Ukraine, or Russia and exits without doing anything if a match is found. The technique is common amongst threat actors, particularly when they do not wish to infect users in their home country.”

Several attacks by this ransomware strain were detected in May 2020 and June 2020, and a massive surge of attacks started in mid-December 2021 and continued slowly into February 2022.

A new surge of ransomware attacks has reportedly been confirmed by ID Ransomware submissions and several other publications.

QNAP issued a warning alerting its customers to the latest attacks so that they can protect their data. The NAS maker said, “According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53. QNAP urges all NAS users to check and update QTS to the latest versions as soon as possible and avoid exposing their NAS to the Internet.”