eCh0raix Ransomware Attacks Linux-Based NAS Devices

Delaware, USA ā€“ July 12, 2019 ā€“ Adversaries compromise QNAP Systems devices by exploiting vulnerabilities or brute-forcing them to install eCh0raix ransomware. Network Attached Storage devices often store sensitive data and important backups in corporate networks and can be accessed over the Internet. The value of the encrypted data and the relatively low cost of its recovery (0.05ā€“0.06 bitcoins) pushes victims to pay the ransom. Anomali researchers analyzed malware written in Go language and discovered that C&C server of eCh0raix hides on the Tor network, but ransomware does not connect to it directly. For this, the attackers created a SOCKS5 proxy and use it as an intermediate link for communications. After infection, the malware stops a number of services on the device, and then encrypts the files and creates ransom notes. Despite the fact that the malware does not sophisticated, at the beginning of the campaign only a few antiviruses could detect it. What is even worse is that on most NAS devices the antivirus is not installed at all.

There is some good news. The US Conference of Mayors adopted a resolution to no longer pay attackers for decrypting files in case of a successful attack on the cityā€™s infrastructure. We hope this decision will lead to security improvements and the implementation of the proper backup process. Also, such a solution should reduce the attractiveness of attacks on urban systems. Since the beginning of the year, 22 cities became victims of ransomware attacks (1, 2, 3, 4), two of which in total paid over a million dollars to restore files. Despite the fact that the sum is significantly less than the cost of restoration, such decisions only provoke a surge of attacks (the City of Atlanta spent about 17 million to restore files and rebuild its network, Baltimore spent one million more). For the timely detection of such attacks on the infrastructure of organizations, it is recommended to use the Ransomware Hunter SIEM rule pack available in Threat Detection Marketplace: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight