eCh0raix ransomware Infetta QNAP NAS in attacchi in corso
CYBER NEWS

eCh0raix ransomware Infetta QNAP NAS in attacchi in corso

1 Star2 Stars3 Stars4 Stars5 Stars (Ancora nessuna valutazione)
Loading ...


Diversi rapporti di sicurezza indicano che un nuovo virus pericoloso chiamato ransomware eCh0raix viene utilizzato contro i proprietari di dispositivi NAS QNAP. It appears that it is being sent in a worldwide campaigns using preset hacking configuration options and automated toolkits.




eCh0raix Ransomware Aimed Against QNAP NAS Devices Worldwide

An ongoing attack campaign is set onto QNAP NAS devices owned by both end users and enterprise users. The malware which is currently used against them is the Linux-based eCh0raix ransomware. At the moment there is no information regarding the criminal group behind the campaign. However during the code analysis it appears that there is an lista nera which will stop the infection if the victim’s device is located in these countries: Bielorussia, Ukraine or Russia. This means that it is very likely that the campaign is targeted and that the hackers may originate from one of these countries or another Russian-speaking one.

Correlata: CVE-2019-7406 in TP-LINK Wi-Fi Extender può essere sfruttata senza autenticazione

The current version of the eCh0raix Ransomware is written in the Go Language e infects the devices via existing vulnerabilities. This allows the hackers to automate the infections using penetration testing toolkits and frameworks. As soon as the infection is made the virus will establish a secure and persistent connection to a hacker-controlled server. One of the distinct characteristics of the threat is that it will relay the connection through the Tor Network. However the active infections have disabled this functionality at the moment choosing to directly communicate with the hackers. The virus engine has been programmed to retrieve a configuration file which will direct it further.

What will follow is crittografia dei file based on a built-in list of target file type extensions. This is done in a way which is very similar to the desktop ransomware variants — a list of target data is used to direct a strong cipher. The result will be inaccessible sensitive data, a ransomware message will be shown to the victims which will extort them for a payment to the hackers. In the case of the analyzed infections this message is created in a file called README_FOR_DECRYPT.txt. Before the file encryption is started it will disable any running web servers so that the process can complete without problems.

The built-in list found within the captured samples includes the following file type extensions:

.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm.ewp.far.fdb.fit.flv.fmp.fos.fpk.fsh.fwp.gdb.gho.gif.gne.gpg.gsp.gxk.hdm.hkx.htc.htm.htx.hxs.idc.idx.ifx.iqy.iso.itl.itm.iwd.iwi.jcz.jpe.jpg.jsp.jss.jst.jvs.jws.kdb.kdc.key.kit.ksd.lbc.lbf.lrf.ltx.lvl.lzh.m3u.m4a.map.max.mdb.mdf.mef.mht.mjs.mlx.mov.moz.mp3.mpd.mpp.mvc.mvr.myo.nba.nbf.ncf.ngc.nod.nrw.nsf.ntl.nv2.nxg.nzb.oam.odb.odc.odm.odp.ods.odt.ofx.olp.orf.oth.p12.p7b.p7c.pac.pak.pdb.pdd.pdf.pef.pem.pfx.pgp.php.png.pot.ppj.pps.ppt.prf.pro.psd.psk.psp.pst.psw.ptw.ptx.pub.qba.qbb.qbo.qbw.qbx.qdf.qfx

As soon as the file processing module has completed the users will be left with encrypted files.

Avatar

Martin Beltov

Martin si è laureato con una laurea in Pubblicazione da Università di Sofia. Come un appassionato di sicurezza informatica si diletta a scrivere sulle ultime minacce e meccanismi di intrusione.

Altri messaggi - Sito web

Seguimi:
CinguettioGoogle Plus

Lascio un commento

Il tuo indirizzo email non verrà pubblicato. I campi obbligatori sono contrassegnati *

Termine è esaurito. Ricarica CAPTCHA.

Condividi su Facebook Quota
Loading ...
Condividi su Twitter Tweet
Loading ...
Condividi su Google Plus Quota
Loading ...
Condividi su Linkedin Quota
Loading ...
Condividi su Digg Quota
Condividi su Reddit Quota
Loading ...
Condividi su Stumbleupon Quota
Loading ...