This dangerous ransomware attacks QNAP NAS servers again

Cybercriminals are again attacking NAS servers from the manufacturer QNAP with the popular eCh0raix ransomware, also known as QNAPCrypt. Users are reporting attacks on their devices. The objective of this malware is to take control of the NAS server with administrator privileges and encrypt all the data it contains, so that we have to pay a ransom to make the files and folders on our server accessible again. Do you want to know everything about this ransomware that is affecting QNAP again?

What is this QNAPCrypt doing on my NAS?

Users in different forums have been reporting serious security incidents on their NAS servers for about a week; some users were attacked on December 20 and others yesterday. The objective of this ransomware is to take full control of the NAS server and encrypt all the files and folders it contains. It also deletes the snapshots that would otherwise protect us against this type of attack. Because the malware takes control as an administrator, it bypasses all the anti-ransomware protections we can enable on the NAS server, so we must make sure not to be infected by it in the first place.

The initial infection vector is not known at the moment: it is not known which vulnerability the attackers are exploiting to enter the server and encrypt all the data. Some users have indicated that they had not taken all the usual recommended security measures, such as not exposing the QNAP admin panel to the Internet. Others claim that the security flaw is in the QNAP Photo Station application, which allowed the attackers to escalate privileges.

This eCh0raix ransomware creates a user in the administrators group and then begins to encrypt all the data contained on the NAS, including images and documents, so if the ransom is not paid we could lose everything unless we have a backup. Another very important detail of this ransomware is that the plain text note it leaves on the NAS server has the wrong extension: instead of TXT it is TXTT.
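
The two indicators described above (a note file with the TXTT extension and an unfamiliar account in the administrators group) can be checked with a short script. This is an added example, not code from QNAP or from the original article; it assumes group membership is stored in an `/etc/group`-format file with a group named `administrators`, and the sample file names and the `svc9` account are constructed.

```shell
#!/bin/sh
# Added example. Assumptions (not from the article): group membership is
# stored in an /etc/group-format file, the admin group is "administrators".

# List files under DIR whose extension is .txtt, in any letter case.
find_txtt_notes() {
    find "$1" -type f -iname '*.txtt' 2>/dev/null | sort
}

# Print members of the administrators group in GROUP_FILE that are not
# in the space-separated allowlist passed as the second argument.
unexpected_admins() {
    allow=" $2 "
    members=$(awk -F: '$1 == "administrators" { print $4 }' "$1" | tr ',' ' ')
    for m in $members; do
        case "$allow" in
            *" $m "*) ;;                 # account the owner recognises
            *) printf '%s\n' "$m" ;;     # account nobody vouched for
        esac
    done
}

# Report both indicators; return 1 if either is present, 0 otherwise.
triage() {
    rc=0
    notes=$(find_txtt_notes "$1")
    admins=$(unexpected_admins "$2" "$3")
    if [ -n "$notes" ]; then
        printf '%s\n' "$notes" | sed 's/^/note candidate: /'; rc=1
    fi
    if [ -n "$admins" ]; then
        printf '%s\n' "$admins" | sed 's/^/unexpected admin: /'; rc=1
    fi
    return "$rc"
}

# Constructed sample data: one note-like file and one unknown admin ("svc9").
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/share/Photos" "$d/empty"
    : > "$d/share/Photos/holiday note.TXTT"
    : > "$d/share/Photos/list.txt"
    printf 'administrators:x:0:admin,svc9\neveryone:x:100:admin\n' > "$d/group"
    printf '%s\n' "$d"
}

# With arguments: triage DIR GROUP_FILE "ALLOWED ADMINS". Without: run the sample.
if [ "$#" -ge 3 ]; then
    triage "$1" "$2" "$3"
else
    s=$(make_sample); triage "$s/share" "$s/group" "admin" || true; rm -rf "$s"
fi
```

A clean result only means these two indicators are absent; it says nothing about how the attackers got in, which the article notes is still unknown.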

This ransomware demands payment in bitcoin in exchange for the decryption password. Depending on the infected NAS, we will have to pay between 0.024 bitcoins (1,200 dollars) and 0.06 bitcoins (about 3,000 dollars), so recovering our data will be really expensive. We must remember that the previous ransomware that affected QNAP demanded about 300-400 euros to recover the data; now this figure has tripled.

Can the files be decrypted?

Currently the files cannot be decrypted. Files encrypted by the previous version of the eCh0raix ransomware, which affected QNAP in the summer of 2019, could be decrypted. The latest variants are versions 1.0.5 and 1.0.6, and there is currently no solution for them. This malware has been a threat on and off since summer 2019, so we must properly protect our QNAP NAS servers against this very dangerous ransomware.

The manufacturer QNAP continuously monitors all threats and sometimes provides solutions to its users, such as tools to decrypt NAS files. However, these types of solutions usually take a long time to develop, on the order of several weeks, so if we get infected we will be without our files for at least that long.

At RedesZone we have published a complete tutorial on how to protect a QNAP NAS properly in order to mitigate any possible ransomware attack.
