According to BleepingComputer, forum users have noticed an uptick in attacks since December 20, with submissions to the ID ransomware service for this specific threat increasing on December 19 and peaking on December 20.
At this moment, it is unclear how threat actors gained access to QNAP devices; nevertheless, some users say that attackers hacked them using a weakness in the Photo Station software.
The attackers first create a user in the administrator group, which they then use to encrypt the NAS’s data. The threat actor behind this campaign mistyped the extension for the ransom note, using the “.TXTT” extension. The ransom demanded by the eCh0raix ransomware ranges from .024 bitcoins ($1,200) to .06 bitcoins ($3,000).
BleepingComputer researchers reported that, “It’s worth noting that there’s a free decryptor for files encrypted by an older version of the eCh0raix ransomware (before July 17th, 2019). However, there is no free way to decrypt data that has been encrypted by the malware’s most recent variations (versions 1.0.5 and 1.0.6).”
The ransomware, dubbed “QNAPCrypt” by Intezer and “eCh0raix” by Anomali, is written in the Go programming language and encrypts files with AES encryption. The malware appends the .encrypt extension to encrypted files’ filenames.
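A defender triaging an affected share can look for the two file indicators mentioned above: the .encrypt extension on encrypted files and the mistyped .TXTT ransom note. The Python sketch below is an added example, not code from the article or from the researchers it cites; the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_EXT = ".encrypt"  # appended to encrypted files, per the article
NOTE_EXT = ".txtt"          # mistyped ransom-note extension, per the article


def triage(root):
    """Summarise both file indicators per directory under root."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": []})
    earliest = None  # oldest mtime among .encrypt files (rough start time,
                     # assuming timestamps were not altered afterwards)
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()  # match .TXTT / .txtt alike
            if lower.endswith(NOTE_EXT):
                per_dir[dirpath]["notes"].append(name)
            elif lower.endswith(ENCRYPTED_EXT):
                per_dir[dirpath]["encrypted"] += 1
                try:
                    mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # unreadable entry: counted, but no timestamp
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "directories": dict(per_dir),
        "encrypted_total": sum(d["encrypted"] for d in per_dir.values()),
        "note_total": sum(len(d["notes"]) for d in per_dir.values()),
        "earliest_encrypted_utc": None if earliest is None else
            datetime.fromtimestamp(earliest, timezone.utc).isoformat(),
    }


def build_sample_share(root):
    """Create a constructed sample tree (file names are made up)."""
    layout = {
        "photos": ["a.jpg.encrypt", "b.png.encrypt", "SAMPLE_NOTE.TXTT"],
        "docs": ["report.pdf", "notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        print(triage(share))
```

Run it against a read-only mount or a snapshot of the share so the scan itself does not change file timestamps.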
In August, a new form of the eCh0raix ransomware began infecting QNAP and Synology Network-Attached Storage (NAS) devices from Taiwan.
According to the Taiwanese firm, ongoing eCh0raix ransomware attacks affected QNAP NAS machines using weak passwords.
The eCh0raix malware has been active since at least 2019, when experts from security firms Intezer and Anomali detected a sample of the ransomware targeting Network Attached Storage (NAS) devices.
Finally, Anomali researchers concluded that “a wave of eCh0raix attacks targeting Synology NAS equipment, in which threat actors used brute-force attacks. The company also issued a warning to its customers about the ongoing AgeLocker ransomware epidemic.”