

Researchers have discovered a new version of the eCh0raix ransomware. This malware is well known for targeting QNAP (Quality Network Appliance Provider) and Synology NAS (network-attached storage) devices, but in the past it did so separately, in different campaigns. The new version targets both at once, in the same malicious campaign.

Characteristics of the New eCh0raix Ransomware Version

According to the report written by Palo Alto Networks’ Unit 42 researchers, the new eCh0raix ransomware version behaves as follows:

  • It abuses a vulnerability tracked as CVE-2021-28799.
  • Through this vulnerability, threat actors gain access to hard-coded credentials, effectively using a backdoor account.
  • The goal is to encrypt the QNAP appliances.
  • Against Synology NAS devices, the attackers use brute-force techniques: they try to guess the most popular admin credentials in order to attack these devices and distribute ransomware payloads.

Mitigation Measures Proposed by the Specialists

The same report lists some mitigation measures against this new version of eCh0raix ransomware. Owners of these kinds of devices are advised to follow the measures below:

  • The firmware should be updated. To do so, check the instructions on the QNAP website, which presents security measures against CVE-2021-28799.
  • Use a unique, complex, and strong password, which makes credential guessing harder for attackers.
  • Connections to SOHO devices should be allowed only from a set of recognized IP addresses.
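
The brute-force and recognized-IP points above can be checked against a device's login history. The following is an added example (not from the Unit 42 report or either vendor) that flags source IPs with repeated failed admin logins and successful logins from outside a recognized-IP list; the log format, IP ranges, account names and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Recognized management networks (constructed values; replace with your own).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]
# Account names treated as admin accounts (assumed list).
ADMIN_NAMES = {"admin", "administrator", "root"}
FAILED_THRESHOLD = 5  # failed admin logins per source IP before it is reported

# Constructed log format: "<ISO time> login <ok|failed> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) src=(\S+)$")

# Constructed sample: six failures and one success from an outside address,
# plus one mistyped password from a recognized LAN host.
SAMPLE_LOG = "\n".join(
    [f"2021-08-10T02:14:0{i}Z login failed user=admin src=198.51.100.7" for i in range(6)]
    + ["2021-08-10T02:14:09Z login ok user=admin src=198.51.100.7",
       "2021-08-10T08:00:00Z login failed user=admin src=192.168.1.20",
       "2021-08-10T08:00:05Z login ok user=admin src=192.168.1.20"]
)

def is_recognized(ip):
    """True if the address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def review_logins(log_text):
    """Return (brute_force_sources, unrecognized_successes)."""
    failures = defaultdict(int)
    unrecognized_ok = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event
        _, result, user, src = m.groups()
        try:
            recognized = is_recognized(src)
        except ValueError:
            continue  # malformed source address
        if result == "failed" and user.lower() in ADMIN_NAMES:
            failures[src] += 1
        elif result == "ok" and not recognized:
            unrecognized_ok.append((user, src))
    brute = sorted(ip for ip, n in failures.items() if n >= FAILED_THRESHOLD)
    return brute, unrecognized_ok

if __name__ == "__main__":
    print(review_logins(SAMPLE_LOG))
```

A successful login from an address that also appears in the brute-force list is the case to investigate first, since it suggests the guessing worked.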

We’re releasing our findings about this new variant of eCh0raix to raise awareness of the ongoing threats to the SOHO and small business sectors. (…) SOHO users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use SOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms. Additionally, SOHO users typically do not employ dedicated IT or security professionals, which makes them less prepared to block ransomware attacks than larger organizations.


A Little Bit of Background

According to BleepingComputer, the threat of eCh0raix ransomware is not actually new.

The malware first appeared in 2016, and victims knew it as QNAPCrypt. QNAP NAS devices continued to be targets of these ransomware attacks, with two major hits one year apart, in June 2019 and June 2020. In 2019, Synology devices were also impacted and encrypted by the malware; experts from Anomali said that the attackers brute-forced credentials using default credentials or dictionary attacks.

QNAP also warned customers in May about eCh0raix ransomware attacks, which we wrote about at the time, in which threat actors used guessed credentials to perform data theft.

Interestingly, Synology published a security advisory last week about a new threat called the StealthWorker botnet. Its attack methods were also based on brute-forcing tactics and ransomware infections, though it was not linked to eCh0raix ransomware.

A malicious campaign in the middle of April, known as the Qlocker ransomware campaign, managed to gather $350,000 from QNAP NAS device users following massive data encryption that made use of a password-protected 7zip archive.

The activity of eCh0raix with the new version began in September 2020, when it started to encrypt both QNAP and Synology NAS devices by combining functions.

Before then, the attackers likely had separate codebases for campaigns targeting devices from each of the vendors.


Researchers mentioned in their report that 250 000 NAS devices were affected.

If you want to find out more about brute-force attacks targeting Synology devices and the best mitigation measures against these threats, please take a look at our CEO’s word on the matter, where he illustrates a personal example of this kind of cyberattack.

Author Profile

Andra Andrioaie

Security Enthusiast


Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
