A newly discovered eCh0raix ransomware variant has added support for encrypting both QNAP and Synology Network-Attached Storage (NAS) devices.

This ransomware strain (also known as QNAPCrypt) first surfaced in June 2016, after victims began reporting attacks in a BleepingComputer forum topic.

The ransomware hit QNAP NAS devices in multiple waves, with two large-scale ones were reported in June 2019 and in June 2020. 

eCh0raix also encrypted devices made by Synology in 2019, with Anomali researchers finding that the attackers brute-forced administrator credentials using default credentials or dictionary attacks.

At the time, the NAS maker warned its customers to secure their data from an ongoing and large-scale ransomware campaign. However, it did not name the ransomware operation responsible for the attacks.

Targets set on both Synology and QNAP customers

While it has targeted both QNAP and Synology devices in the past in separate campaigns, Palo Alto Networks’ Unit 42 security researchers said in a report published today that eCh0raix began bundling functionality to encrypt both NAS families starting with September 2020.

“Before then, the attackers likely had separate codebases for campaigns targeting devices from each of the vendors,” Unit 42 said.

As they further revealed, the ransomware operators exploit CVE-2021-28799 (a vulnerability providing attackers with access to hard-coded credentials, aka a backdoor account) to encrypt QNAP devices — the same flaw was abused in a large-scale Qlocker campaign in April.

The attackers brute-force their way in to deliver the ransomware payloads on Synology NAS devices by attempting to guess commonly used administrative credentials (the same tactic used in the 2019 Synology campaign mentioned above).

Even though it did not directly connect it to eCh0raix ransomware, Synology issued a security advisory last week warning customers that the StealthWorker botnet is actively targeting their data in ongoing brute-force attacks that could lead to ransomware infections.

QNAP has also notified customers of eCh0raix ransomware attacks in May, only two weeks after warning them of an ongoing AgeLocker ransomware outbreak.

QNAP devices were also hit by a massive Qlocker ransomware campaign starting mid-April, with the threat actors making $260,000 in just five days by locking the victims’ data using the 7zip open-source file archiver.

At least 250,000 NAS devices exposed to attacks

According to data collected through Palo Alto Networks’ Cortex Xpanse platform, there are at least 250,000 Internet-exposed QNAP and Synology NAS devices.

Unit 42 researchers are advising Synology and QNAP NAS owners to follow this shortlist of best practices to block ransomware attacks targeting their data:

• Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website.
• Create complex login passwords to make brute-forcing more difficult for attackers.
• Limit connections to SOHO-connected devices from only a hard-coded list of recognized IPs to prevent network attacks used to deliver ransomware to devices.

“We’re releasing our findings about this new variant of eCh0raix to raise awareness of the ongoing threats to the SOHO and small business sectors,” Unit 42 added.

“SOHO users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use SOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms.”