Users of QNAP network-attached storage (NAS) devices have reported attacks on their systems at an increasing rate since about a week before Christmas. These attacks culminated in the NAS devices being encrypted by the ransomware eCh0raix, also known as QNAPCrypt.
There has been a significant increase in disclosed incidents involving eCh0raix-infected QNAP devices on the BleepingComputer forum, where NAS-related infections are commonly discussed. Likewise, the ID Ransomware service has noticed an uptick in eCh0raix-related submissions, specifically between December 19th and December 26th.
The infection vector behind this increased activity is unclear. Some users have admitted that they did not secure their devices properly and left them directly exposed to the Internet, giving threat actors easy access. Other users, however, claim that a vulnerability in QNAP’s Photo Station allowed the threat actors to compromise their NAS devices. Regardless of the infection vector, once the threat actors obtain an initial foothold, they create a user in the administrator group on the device, which allows them to encrypt all the files on the system.
Ransom demands in this campaign have ranged between 0.024 and 0.06 bitcoin, which is approximately $1,200 to $3,000 at the time of this writing.