The eCh0raix Ransomware


Introduction


Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices, made by the Taiwanese company QNAP Systems, Inc., provide network storage and media player functionality, among other features. The devices appear to be compromised by brute-forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts files with the targeted extensions on the NAS using AES encryption and appends the .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below.



All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data]

Note that there is a typo in the ransom note which may indicate that the actors behind this campaign are not native-English speakers.


QNAP Technical Breakdown


The malware is written and compiled in the Go programming language. The ransomware is very simple, with source code of fewer than 400 lines. A reconstruction of the source tree is shown below. The functionality is standard for ransomware: check whether the device has already been encrypted, walk the file system for files to encrypt, encrypt the files, and write the ransom note.



Package main: /home/user/go/src/qnap_crypt_worker
File: main.go
  getInfo            Lines: 61 to 123 (62)
  checkReadmeExists  Lines: 123 to 132 (9)
  (init)0            Lines: 132 to 161 (29)
  main               Lines: 161 to 213 (52)
  (main)func1        Lines: 185 to 191 (6)
  randSeq            Lines: 213 to 222 (9)
  in                 Lines: 222 to 231 (9)
  writemessage       Lines: 231 to 238 (7)
  chDir              Lines: 238 to 269 (31)
  encrypt            Lines: 269 to 349 (80)
  makesecret         Lines: 349 to 358 (9)
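
The two artefacts the write-up gives a defender to look for are the .encrypt suffix on touched files and the layout of the ransom note (marker line, .onion order URL, base64 trailer on the last line). The Go program below is an added example, not code from the write-up or from the malware: it walks a share, lists files carrying the .encrypt suffix without opening them, and parses any small text file that matches the note layout, extracting the .onion URL as an indicator and checking that the trailer decodes. The note filename (README_FOR_DECRYPT.txt), the Bitcoin address placeholder and the base64 trailer in the sample are constructed; the .onion address is the one printed in the note above.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Indicators taken from the ransom note reproduced in the write-up.
const (
	encryptedExt = ".encrypt"
	noteMarker   = "All your data has been locked(crypted)."
)

// onionRe matches the 16-character .onion "order" URL shape shown in the note.
var onionRe = regexp.MustCompile(`https?://[a-z2-7]{16}\.onion/order/[A-Za-z0-9]+`)

// NoteInfo is what a responder wants out of a recovered ransom note.
type NoteInfo struct {
	OnionURL     string // instruction URL, for blocklists and IOC sharing
	PayloadBytes int    // decoded size of the base64 trailer the note says not to remove
}

// ParseRansomNote returns (info, true) when text has the eCh0raix note layout:
// the marker line, a .onion order URL and a base64 trailer on the last line.
func ParseRansomNote(text string) (NoteInfo, bool) {
	if !strings.Contains(text, noteMarker) {
		return NoteInfo{}, false
	}
	info := NoteInfo{OnionURL: onionRe.FindString(text)}
	if info.OnionURL == "" {
		return NoteInfo{}, false
	}
	lines := strings.Split(strings.TrimRight(text, "\r\n"), "\n")
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[len(lines)-1]))
	if err != nil || len(raw) == 0 {
		return NoteInfo{}, false
	}
	info.PayloadBytes = len(raw)
	return info, true
}

// Report summarises a scan of a share for eCh0raix artefacts.
type Report struct {
	EncryptedFiles []string
	Notes          map[string]NoteInfo // path -> parsed note
}

// ScanDir walks root, collecting .encrypt files (never opened) and any small
// text file that parses as a ransom note. Unreadable entries are skipped so
// one bad permission does not abort the whole scan.
func ScanDir(root string) (Report, error) {
	rep := Report{Notes: map[string]NoteInfo{}}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		if strings.HasSuffix(d.Name(), encryptedExt) {
			rep.EncryptedFiles = append(rep.EncryptedFiles, path)
			return nil
		}
		if fi, e := d.Info(); e != nil || fi.Size() > 64*1024 { // notes are small
			return nil
		}
		if data, e := os.ReadFile(path); e == nil {
			if info, ok := ParseRansomNote(string(data)); ok {
				rep.Notes[path] = info
			}
		}
		return nil
	})
	return rep, err
}

// sampleNote is a constructed note in the layout shown above; the address and
// the trailer are placeholders, not values from a real infection.
func sampleNote() string {
	trailer := base64.StdEncoding.EncodeToString([]byte("constructed-sample-trailer"))
	return "All your data has been locked(crypted).\n" +
		"How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/EXAMPLEBTCADDRESS\n" +
		"Use TOR browser for access .onion websites.\n" +
		"https://duckduckgo.com/html?q=tor+browser+how+to\n" +
		"Do NOT remove this file and NOT remove last line in this file!\n" +
		trailer + "\n"
}

// DemoScan builds a throwaway share from constructed files, scans it and
// returns the report, so the detection can be exercised without a NAS.
func DemoScan() (Report, error) {
	dir, err := os.MkdirTemp("", "ech0raix-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(dir)
	files := map[string]string{
		"photos/holiday.jpg.encrypt": "\x00\x01not-real-ciphertext",
		"docs/report.docx.encrypt":   "\x00\x02not-real-ciphertext",
		"docs/notes.txt":             "plain text, untouched",
		"README_FOR_DECRYPT.txt":     sampleNote(), // assumed note filename
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return Report{}, err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return Report{}, err
		}
	}
	return ScanDir(dir)
}

func main() {
	rep, err := DemoScan()
	if err != nil {
		fmt.Println("scan failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%d encrypted files, %d ransom notes\n", len(rep.EncryptedFiles), len(rep.Notes))
	for p, n := range rep.Notes {
		fmt.Printf("note %s -> %s (%d-byte trailer)\n", filepath.Base(p), n.OnionURL, n.PayloadBytes)
	}
}
```

Pointing ScanDir at a real share gives an inventory of what was touched and a copy of the indicator URL without reading encrypted content; the decoded trailer is kept, not discarded, because the note itself says the last line is needed for recovery.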

Upon ex ..
