Users of QNAP network-attached storage (NAS) devices have reported attacks on their systems at an increasing rate since about a week before Christmas. These attacks culminated in the NAS devices being encrypted by the ransomware eCh0raix, also known as QNAPCrypt.
There has been a significant increase in disclosed incidents involving eCh0raix-infected QNAP devices on the BleepingComputer forum, where NAS-related infections are commonly discussed. Likewise, the ID Ransomware service has noticed an uptick in eCh0raix-related submissions, specifically between December 19th and December 26th.
The current infection vector from this increased activity is unclear; some users have admitted that they did not secure the device properly and had it directly exposed to the Internet, allowing easy access for threat actors. However, other users claim that a vulnerability in QNAP’s Photo Station allowed the threat actors to compromise the NAS devices. Regardless of the infection vector, once the threat actors obtain an initial foothold, they create a user in the administrator group on the device, allowing them to encrypt all the files on the system.
Ransom demands from this campaign have been seen between 0.024 and 0.06 bitcoin, which is approximately $1,200 to $3,000 at the time of this writing.
As with all ransomware attacks, it is highly recommended to maintain a consistent, off-network backup of important devices so that you can recover from an attack without paying the ransom. Likewise, properly securing any QNAP or other NAS device is essential to prevent threat actors from gaining access to it. One of these security measures is making sure the device is not directly connected to the Internet; this step alone will tremendously decrease the attack surface of the NAS device. If it needs to be accessible from outside the local network, it is recommended to enable VPN services on the network's edge device (such as a router) and use that to connect into the local network and then into the NAS. It is also important to make sure the device stays up to date on patching, in order to prevent known vulnerabilities from being exploited.

Finally, if your device has been infected, it is important to fully clean the infection before reusing the system; in this case, an administrative user is created on the device which can be used to re-encrypt it if not deleted. Based on prior infections, it appears the administrative user created is named "wasthere", so it is important to fully remove this account if it exists on the system.
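The clean-up check described above can be scripted. The following POSIX shell audit is an added example, not code from the article or from QNAP: it parses passwd- and group-style data, flags the "wasthere" account the article names, and reports any member of the administrators group that is not on an expected list. It assumes QTS keeps the standard /etc/passwd and /etc/group layouts and that the admin group is named `administrators` (adjust `admin_members` if your firmware uses a different name); the sample file contents below are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original article): audit passwd/group data for the
# known eCh0raix account "wasthere" and for unexpected administrators-group members.
# Assumption: the QNAP admin group is called "administrators" in /etc/group.

# Constructed sample /etc/passwd and /etc/group contents (not from a real device).
SAMPLE_PASSWD='admin:x:0:0:administrator:/share/homes/admin:/bin/sh
httpdusr:x:99:0:Apache httpd user:/tmp:/bin/sh
wasthere:x:500:100:Linux User,,,:/share/homes/wasthere:/bin/sh
backup:x:501:100:Linux User,,,:/share/homes/backup:/bin/sh'

SAMPLE_GROUP='administrators:x:0:admin,wasthere
everyone:x:100:admin,wasthere,backup'

# find_account PASSWD_TEXT NAME: print the passwd line for NAME; exit 1 if absent.
find_account() {
    printf '%s\n' "$1" | awk -F: -v name="$2" \
        '$1 == name { print; found = 1 } END { exit found ? 0 : 1 }'
}

# admin_members GROUP_TEXT: print one administrators-group member per line.
admin_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "administrators" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# unexpected_admins GROUP_TEXT EXPECTED: print admin members not in the
# comma-separated EXPECTED list.
unexpected_admins() {
    admin_members "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        !($1 in ok) { print }'
}

# audit PASSWD_TEXT GROUP_TEXT EXPECTED: return 0 if clean, 1 if anything suspicious.
audit() {
    rc=0
    if line=$(find_account "$1" wasthere); then
        echo "ALERT: known eCh0raix account present: $line"
        rc=1
    fi
    extra=$(unexpected_admins "$2" "$3")
    if [ -n "$extra" ]; then
        echo "ALERT: unexpected administrators-group members: $(printf '%s' "$extra" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Run against the constructed sample. On a real device, replace the sample data with:
#   audit "$(cat /etc/passwd)" "$(cat /etc/group)" admin
if audit "$SAMPLE_PASSWD" "$SAMPLE_GROUP" admin; then
    echo "No suspicious accounts found."
else
    echo "Device needs clean-up before it is returned to service."
fi
```

A non-zero exit from `audit` is the signal to remove the flagged accounts through the QTS user management interface and to confirm the administrators group contains only the accounts you created.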