StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

StorageCrypt is a new family of ransomware that targets network-attached storage (NAS) devices using SambaCry.

SambaCry allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable network share, and then causing the server to load that library.

StorageCrypt uses SambaCry in the same ways as ShellBind. Both download a file called sambacry to the /tmp folder as apaceha, and then run it.

It encrypts and renames the files and appends the .locked extension to them before dropping a ransom note containing the ransom amount, the attackers’ Bitcoin address and email address.

The contact email address is given as :-

[email protected]

Network communication is via :-

hxxp://45.76.102.45/sambacry

Affected Platforms

Network-Attached Storage (NAS) devices that use Samba from version 3.5.0 to versions 4.4.14, 4.5.10 and 4.6.4

Resolution

Administrators are encouraged to upgrade to a version of Samba that is not affected by the vulnerability.

As with all forms of zero-day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned based on least privilege.




Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: