eCh0raix Ransomware Targets QNAP’s NAS Devices
The Company Warns Customers that Its Network Attached Storage (NAS) Devices Are Targeted with eCh0raix Ransomware Attacks and Roon Server Zero-Day Attacks.
QNAP, the leading computing, networking, and storage solution innovator, recently warned its users about an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices.
The company urges its users to immediately strengthen their devices’ security to avoid infection by using stronger passwords for their administrative accounts, enabling IP Access Protection to protect accounts from brute-force attacks, and avoiding the default port numbers 443 and 8080.
While earlier attacks exploited software vulnerabilities on unpatched devices, the current campaign exploits human behavior. The Taiwan-based vendor claimed that it has received reports of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices that use weak passwords.
The eCh0raix ransomware has been reported to affect QNAP NAS devices. Devices using weak passwords may be susceptible to attack.
We strongly recommend users act immediately to protect their data.
After guessing the right credentials, hackers get full access to the targeted device, allowing them to exfiltrate sensitive documents or deploy malware.
The eCh0raix ransomware, also known as QNAPCrypt, is a ransomware family that targets and spreads across physical network appliances such as Synology or QNAP NAS devices that are meant to ensure high-quality Internet connections. The devices were compromised by exploiting known vulnerabilities in an attempt to encrypt the files found on the system.
First identified in July 2019, the eCh0raix ransomware has since been traced to a Russian cybercriminal group called FullOfDeep. eCh0raix uses the ransomware-as-a-service (RaaS) model. This means that affiliates can launch ransomware attacks themselves and pay a portion of each victim’s payment back to the tool’s creators and operators, who promote their tools in underground forums.
QNAP also provided users with the steps to disable Roon Server on their NAS:
- Log on to QTS as administrator.
- Open the App Center and then click.
- Type “Roon Server” in the search box and press ENTER. Roon Server appears in the search results.
- Click the arrow below the Roon Server icon.
- Select Stop. The application is disabled.
Unfortunately, this is not the first time that QNAP has been on cybercriminals’ target list. Back in March, 360 Netlab researchers discovered that unpatched QNAP NAS devices were targeted by UnityMiner in a massive cryptocurrency mining campaign.
A month later, a Qlocker ransomware campaign targeted QNAP devices around the world, storing users’ files in password-protected 7zip archives. The threat actors behind the attacks made $260,000 in just five days by remotely encrypting data using the 7zip archive program.
NAS devices have actually been targeted since August 2019, with warnings of infections regarding QSnatch malware, Muhstik Ransomware infections, the eCh0raix Ransomware campaign, and AgeLocker Ransomware attacks.