Several security reports indicate that a new dangerous virus called the eCh0raix ransomware is being used against QNAP Nas device owners. It appears that it is being sent in a worldwide campaigns using preset hacking configuration options and automated toolkits.
eCh0raix Ransomware Aimed Against QNAP NAS Devices Worldwide
An ongoing attack campaign is set onto QNAP NAS devices owned by both end users and enterprise users. The malware which is currently used against them is the Linux-based eCh0raix ransomware. At the moment there is no information regarding the criminal group behind the campaign. However during the code analysis it appears that there is an blacklist which will stop the infection if the victim’s device is located in these countries: Belarus, Ukraine or Russia. This means that it is very likely that the campaign is targeted and that the hackers may originate from one of these countries or another Russian-speaking one.
The current version of the eCh0raix Ransomware is written in the Go Language and infects the devices via existing vulnerabilities. This allows the hackers to automate the infections using penetration testing toolkits and frameworks. As soon as the infection is made the virus will establish a secure and persistent connection to a hacker-controlled server. One of the distinct characteristics of the threat is that it will relay the connection through the Tor Network. However the active infections have disabled this functionality at the moment choosing to directly communicate with the hackers. The virus engine has been programmed to retrieve a configuration file which will direct it further.
What will follow is file encryption based on a built-in list of target file type extensions. This is done in a way which is very similar to the desktop ransomware variants — a list of target data is used to direct a strong cipher. The result will be inaccessible sensitive data, a ransomware message will be shown to the victims which will extort them for a payment to the hackers. In the case of the analyzed infections this message is created in a file called README_FOR_DECRYPT.txt. Before the file encryption is started it will disable any running web servers so that the process can complete without problems.
The built-in list found within the captured samples includes the following file type extensions:
.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm.ewp.far.fdb.fit.flv.fmp.fos.fpk.fsh.fwp.gdb.gho.gif.gne.gpg.gsp.gxk.hdm.hkx.htc.htm.htx.hxs.idc.idx.ifx.iqy.iso.itl.itm.iwd.iwi.jcz.jpe.jpg.jsp.jss.jst.jvs.jws.kdb.kdc.key.kit.ksd.lbc.lbf.lrf.ltx.lvl.lzh.m3u.m4a.map.max.mdb.mdf.mef.mht.mjs.mlx.mov.moz.mp3.mpd.mpp.mvc.mvr.myo.nba.nbf.ncf.ngc.nod.nrw.nsf.ntl.nv2.nxg.nzb.oam.odb.odc.odm.odp.ods.odt.ofx.olp.orf.oth.p12.p7b.p7c.pac.pak.pdb.pdd.pdf.pef.pem.pfx.pgp.php.png.pot.ppj.pps.ppt.prf.pro.psd.psk.psp.pst.psw.ptw.ptx.pub.qba.qbb.qbo.qbw.qbx.qdf.qfx
As soon as the file processing module has completed the users will be left with encrypted files.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: