A newly discovered form of ransomware targets network storage devices, brute-forcing weak credentials and exploiting known vulnerabilities in the devices.
The new file-locking malware, dubbed eCh0raix after a string found in its code, was first observed in June and has been described by cybersecurity researchers at Anomali. The ransomware targets network-attached storage (NAS) devices manufactured by the Taiwanese company QNAP, which has offices in 16 countries and customers worldwide.
In recent years a number of vulnerabilities have been discovered in QNAP NAS devices and patched after they were disclosed. Many organizations, however, struggle to apply patches promptly.
The attacks are opportunistic: initial access comes through unsecured, internet-facing ports, with brute-force attacks used to defeat weak login credentials. Because NAS devices store critical data and backups, they are attractive targets for ransomware operators, yet they are often poorly secured.
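The brute-force stage described above leaves a recognisable trace in a NAS's login log: a burst of failures from one source address, sometimes followed by a success from the same address. The following Go program is an added example, not code from the article or from Anomali, that detects both patterns over constructed sample log lines. The syslog-like line layout, the thresholds and the addresses are assumptions made for the example; QNAP's real log format differs.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed sample data in a generic syslog-like layout. The
// layout is an assumption for this example, not QNAP's actual log format.
const sampleLog = `2019-06-10T02:14:01Z nas login failed user=admin src=203.0.113.7
2019-06-10T02:14:09Z nas login failed user=admin src=203.0.113.7
2019-06-10T02:14:17Z nas login failed user=admin src=203.0.113.7
2019-06-10T02:14:26Z nas login failed user=admin src=203.0.113.7
2019-06-10T02:14:35Z nas login failed user=admin src=203.0.113.7
2019-06-10T02:15:40Z nas login ok user=admin src=203.0.113.7
2019-06-10T02:20:00Z nas login failed user=backup src=198.51.100.9
2019-06-10T03:40:00Z nas login failed user=backup src=198.51.100.9
2019-06-10T04:00:00Z nas login ok user=alice src=192.0.2.5
this line is malformed and is skipped`

type loginEvent struct {
	ts   time.Time
	user string
	src  string
	ok   bool
}

var lineRe = regexp.MustCompile(`^(\S+) nas login (failed|ok) user=(\S+) src=(\S+)$`)

// parseLog turns raw log text into events sorted by time, skipping lines that
// do not match the expected layout.
func parseLog(raw string) []loginEvent {
	var events []loginEvent
	for _, line := range strings.Split(raw, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		events = append(events, loginEvent{ts: ts, user: m[3], src: m[4], ok: m[2] == "ok"})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].ts.Before(events[j].ts) })
	return events
}

// bruteForceSources returns the source addresses that produced at least
// threshold failed logins inside any window of the given length, using a
// sliding window over each source's failure timestamps.
func bruteForceSources(events []loginEvent, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, e := range events {
		if !e.ok {
			failures[e.src] = append(failures[e.src], e.ts)
		}
	}
	var hits []string
	for src, ts := range failures {
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// likelyCompromised returns "src user" pairs where a successful login followed
// at least threshold failures from the same source within the window: the
// pattern that precedes the ransomware being dropped onto the NAS.
func likelyCompromised(events []loginEvent, threshold int, window time.Duration) []string {
	var out []string
	for i, e := range events {
		if !e.ok {
			continue
		}
		fails := 0
		for j := i - 1; j >= 0 && e.ts.Sub(events[j].ts) <= window; j-- {
			if !events[j].ok && events[j].src == e.src {
				fails++
			}
		}
		if fails >= threshold {
			out = append(out, e.src+" "+e.user)
		}
	}
	return out
}

func main() {
	events := parseLog(sampleLog)
	fmt.Println("brute-force sources:", bruteForceSources(events, 5, 2*time.Minute))
	fmt.Println("likely compromised:", likelyCompromised(events, 5, 2*time.Minute))
}
```

On the constructed data, 203.0.113.7 is flagged as a brute-force source and "203.0.113.7 admin" as a likely compromise, while the two widely spaced failures from 198.51.100.9 fall below the threshold. The second check is the one worth alerting on: a success after a burst of failures means the credential has been guessed, not merely attacked.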
“Publicly exposed devices and systems expand overall attack surfaces and potentially expose and exploit vulnerabilities,” says Joakim Kennedy, Threat Intelligence Manager at Anomali.
“Ransomware attacks will continue as a way for threat actors to monetize their efforts and interrupt operations for other aims.”
The source code runs to fewer than 400 lines of Go. eCh0raix first checks whether files have already been encrypted, then contacts a command-and-control server to signal the start of encryption, generates an AES-256 key, and encrypts files, appending a .encrypt extension to each.
Victims are left a ransom note telling them their files have been locked and directing them to a Tor website to pay the ransom in bitcoin.
Researchers suggest that spelling errors in the ransom note indicate the people behind the ransomware are not native English speakers.
To protect against such attacks, users are advised to restrict access to NAS devices from the internet, to apply security patches promptly so that known vulnerabilities cannot be exploited, and to use strong credentials that resist brute-force attacks.
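For a responder, the two artifacts described above, files carrying the .encrypt extension and a ransom note, are what a first triage pass looks for. The Go program below is an added example, not code from the article or from Anomali, that walks a directory tree, classifies files and uses a byte-entropy check to tell genuinely encrypted files from ones that merely carry the extension (for instance renamed or truncated files). The .encrypt extension comes from the article; the ransom note file name, the entropy threshold and the sample tree it builds in a temporary directory are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

// encryptedExt is the extension the article reports eCh0raix appends.
const encryptedExt = ".encrypt"

// ransomNoteName is an assumption for this example; the article only says a
// ransom note is left, not what the file is called.
const ransomNoteName = "README_FOR_DECRYPT.txt"

// shannonEntropy returns the byte entropy in bits per byte (0 to 8).
// AES output is indistinguishable from random and scores close to 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Report groups every regular file under the scanned root.
type Report struct {
	Encrypted   []string // .encrypt files whose content is high-entropy
	Suspicious  []string // .encrypt files with low entropy: renamed, truncated, or a different tool
	Untouched   []string // ordinary files still in place
	RansomNotes []string
}

// scanTree walks root and classifies each file; paths are relative to root.
func scanTree(root string, minEntropy float64) (Report, error) {
	var r Report
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, _ := filepath.Rel(root, path)
		switch {
		case d.Name() == ransomNoteName:
			r.RansomNotes = append(r.RansomNotes, rel)
		case strings.HasSuffix(path, encryptedExt):
			data, err := os.ReadFile(path)
			if err != nil {
				return err
			}
			if shannonEntropy(data) >= minEntropy {
				r.Encrypted = append(r.Encrypted, rel)
			} else {
				r.Suspicious = append(r.Suspicious, rel)
			}
		default:
			r.Untouched = append(r.Untouched, rel)
		}
		return nil
	})
	return r, err
}

// buildSampleTree creates a constructed NAS share in a temp directory: one
// properly encrypted file (random bytes stand in for ciphertext), one file
// that only had the extension appended, one untouched document and a note.
func buildSampleTree() (string, error) {
	dir, err := os.MkdirTemp("", "nas-triage")
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Join(dir, "photos"), 0o755); err != nil {
		return "", err
	}
	cipherLike := make([]byte, 8192)
	if _, err := rand.Read(cipherLike); err != nil {
		return "", err
	}
	files := map[string][]byte{
		filepath.Join("photos", "vacation.jpg"+encryptedExt): cipherLike,
		"budget.xlsx" + encryptedExt:                          bytes.Repeat([]byte("A"), 8192),
		"notes.txt":                                           []byte("quarterly backup notes\n"),
		ransomNoteName:                                        []byte("All your data has been locked\n"),
	}
	for name, content := range files {
		if err := os.WriteFile(filepath.Join(dir, name), content, 0o644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := buildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	report, err := scanTree(dir, 7.5)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", report)
}
```

The entropy check matters because the extension alone is not proof of encryption: a low-entropy .encrypt file is a lead that the tool was interrupted or that something other than the reported AES-256 routine touched it, and such files are worth preserving separately before any recovery attempt.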