Linux-based network storage devices infected by ransomware.

Researchers at cybersecurity company Anomali have identified a new variant of ransomware, eCh0raix, that has infected several QNAP network storage devices. QNAP Systems, Inc. is a Taiwan-based company that specializes in network attached storage (NAS) and video surveillance solutions. 

So what is a NAS device, and what does it do?

Let’s say you're running a small business and you have many devices in your network. Ideally, there should be a single location where you can store and access all the critical files on these devices. While an external hard drive may seem like a natural choice, it comes with shortcomings: you'll need to plug it into each of your devices separately to use them and, if there is serious physical damage to the device, there may be a loss of all your data. 

Enter NAS: a NAS device is a cloud-based external hard drive, meaning it can be connected to the network, and multiple devices can be connected to it via Ethernet or Wi-Fi; NAS devices also automatically back up all file changes made to items stored on them.

Currently, a new type of ransomware is infecting Linux-based NAS devices using a brute force attack and exploiting vulnerabilities in the targeted networks. The code is written using the Go programming language. The source code identifies the unencrypted files in targeted devices before connecting to a C2 server to initiate file encryption.

The ransom note left by the attackers reads:

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data]

Based on the structure of the note, Anomali researchers believe that attackers are not native English speakers. Additionally, they observed that the code checks the locale of the infected NAS for Belarus, Ukraine, or Russia, and ignores those devices if there's a match. The victims are given a Tor website link to pay ransom in Bitcoin in exchange for decryption keys.

General recommendations provided by Anomali for those who fell victim to eCh0raix:

• Avoid using weak passwords.
• Update all your devices with security patches.
• Restrict NAS devices from connecting to an external network.

Best practices to prevent ransomware

Here are some additional proactive ways to help ensure that your organization does not fall victim to ransomware: 

• Don't keep all your eggs in one basket. Store three separate versions of data on two different storage types with at least one being offsite.
• Remove vulnerabilities in your operating systems, browsers, and applications by regularly updating them.

See more best practices you can adopt to prevent ransomware.

How do I know if I'm a victim of ransomware?

The main indicator of a potential ransomware attack is an unusual amount of changes to files and folders. File modifications such as renaming, deletion, or permission changes over a short period of time is a clear indicator that an attack is underway. 

To safeguard your network, you need a data security tool that issues real-time alerts and offers an automated response system that quarantines infected devices to prevent ransomware from spreading. ManageEngine DataSecurity Plus is a must-have tool for your IT arsenal. Start your free, 30-day trial of DataSecurity Plus to see the tool in action for yourself.