Customers of QNAP network-attached storage (NAS) devices are reporting that their systems are being targeted with the eCh0raix ransomware, often known as QNAPCrypt.
The attackers behind this explicit malware ramped up their exercise a few weeks earlier than Christmas, gaining control of the units with administrator privileges.
The surge in attacks
According to BleepingComputer, many users of QNAP and Synology NAS systems have been regularly reporting eCh0raix ransomware assaults but more of them started to reveal incidents around December 20. The surge in the number of attacks is confirmed by the ID ransomware service, where submissions started to increase on December 19 and reached a peak on December 26.
At this time, it remains unclear how hackers exploited the QNAP devices, some users claim that attackers abused a vulnerability in the Photo Station software to hack them and others admit they were reckless and did not secure the device properly.
Regardless of the attacking methodology, it seems that attackers first create a user in the administrator group, then use it to encrypt the content of the NAS system. The malware encrypted pictures and documents, according to QNAP users, some of whom were using the NAS system for business purposes.
Another thing that stands out in this malicious campaign is the fact that the extension related to the ransom note appears to be mistyped, as the “.TXTT” extension was used. This extension does not impact the display of the instructions; however, some users might have to open the file with certain programs like Notepad.
Threat actors demand ransom ranging from .024 ($1,200) to .06 bitcoins ($3,000) during these recent attacks. Some users had no backup options and had to pay the attackers to recover their files.
“It is important to note that there is a free decryptor for files locked with an older version (before July 17th, 2019) of eCh0raix ransomware. However, there is no free solution to decrypt data locked by the latest variants of the malware (versions 1.0.5 and 1.0.6),” reported BleepingComputer.
eCh0raix/QNAPCrypt assaults started in June 2019 and have remained a continual threat ever since. QNAP warned its users earlier this year regarding a new wave of eCh0raix attacks that targeted devices with weak passwords.