This week, the ech0raix ransomware has again started targeting vulnerable QNAP Network Attached Storage (NAS) devices, according to user reports and sample submissions on the ID Ransomware platform.
ech0raix (aka QNAPCrypt) has hit QNAP customers in multiple large-scale waves starting in the summer of 2019, when the attackers brute-forced their way into internet-exposed NAS devices.
Since then, several other campaigns have been detected and reported by victims of this ransomware strain: in June 2020, in May 2020, and in a huge wave of attacks targeting devices with weak passwords that started in mid-December 2021 (just before Christmas) and slowly subsided toward early February 2022.
Another wave of ech0raix attacks has now been confirmed by a rapidly increasing number of ID Ransomware submissions and users reporting being hit on the BleepingComputer forums [1, 2], with the earliest hit on June 8.
While only a few dozen ech0raix samples have been submitted, the actual number of successful attacks is likely to be higher as only a few of the victims will use the ID Ransomware service to identify the ransomware that has encrypted their devices.
Although this ransomware has also been used to encrypt Synology NAS systems since August 2021, victims have only confirmed attacks on QNAP NAS devices this time.
Until QNAP provides more details about these attacks, the attack vector used in this new ech0raix campaign will remain unknown.
How to protect your NAS from attacks
While QNAP has not yet issued a warning to customers about these attacks, the company has previously urged them to protect their data from potential eCh0raix attacks by:
- using stronger passwords for their administrator accounts
- enabling IP access protection to protect accounts from brute-force attacks
- avoiding the default port numbers 443 and 8080
QNAP provides detailed step-by-step instructions on how to change the NAS password, enable IP access protection, and change the system port number in this security advisory.
The Taiwanese hardware supplier has also urged customers to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent their NAS devices from being exposed to attacks from the Internet.
You can also follow these step-by-step instructions to disable SSH and Telnet connections and enable IP and account access protection.
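The following sketch shows how an IP access protection rule of the kind recommended above blunts password guessing. It is an example added here, not QNAP's code: the thresholds, event format and function name are assumptions, and the login events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (hypothetical values, not QNAP defaults):
# 5 failed logins from one IP within 1 minute blocks that IP for 30 minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=1)
BLOCK_FOR = timedelta(minutes=30)

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

# Constructed sample events: (timestamp, source IP, account, password_correct)
SAMPLE_EVENTS = [
    (_t("10:00:00"), "203.0.113.7", "admin", False),
    (_t("10:00:05"), "203.0.113.7", "admin", False),
    (_t("10:00:10"), "203.0.113.7", "admin", False),
    (_t("10:00:15"), "203.0.113.7", "admin", False),
    (_t("10:00:20"), "203.0.113.7", "admin", False),   # 5th failure in 20 s
    (_t("10:00:25"), "203.0.113.7", "admin", True),    # correct guess, IP already blocked
    (_t("10:02:00"), "198.51.100.4", "alice", False),  # owner mistypes once
    (_t("10:02:30"), "198.51.100.4", "alice", True),
    (_t("10:31:00"), "203.0.113.7", "admin", False),   # block has expired by now
]

def apply_ip_access_protection(events):
    """Replay login events and return (outcomes, blocked_until per IP)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    blocked_until = {}              # ip -> time at which the block expires
    outcomes = []
    for ts, ip, _account, ok in sorted(events, key=lambda e: e[0]):
        if blocked_until.get(ip, datetime.min) > ts:
            outcomes.append("rejected-blocked")   # refused before the password is checked
            continue
        if ok:
            outcomes.append("allowed")
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:            # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            recent.clear()
            outcomes.append("failed-now-blocked")
        else:
            outcomes.append("failed")
    return outcomes, blocked_until
```

The sixth event is the important one: the guess is correct, but the source IP was blocked five seconds earlier, so the login is refused, while the owner's single typo from another address never comes near the threshold.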
QNAP also warned customers on Thursday to protect their devices from ongoing attacks deploying DeadBolt ransomware payloads.
“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series,” the NAS maker said.
“QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.”