eCh0raix Ransomware Targeting Synology NAS Drives

Updated 23-08-2019

Anomali reported on their observation of the eCh0raix ransomware targeting Synology NAS (Network Attached Storage) devices.

Once the hacker has gained access to the NAS device, either through brute-force, default credentials, or dictionary attacks, the data on the device’s drives can be encrypted.

After encryption, a “.encrypt” extension was added to the file’s name. An Onion URL and Bitcoin wallet were provided for payment and instructions on how to obtain the decryptor. There is also a “live chat” functionality in case the victim has issues and needs help.

When examining the malware it was found that this is the same malware that was targeting QNAP devices the month before.


Restrict external access to the NAS devices or the access should be limited only via VPN. Ensure all NAS devices are up-to-date with security patches and that strong credentials are employed.

Full report can be found here

Indicators of Compromise

Domain / IP

  • qkqkro6buaqoocv4.onion
  • 192.99.206[.]61:65000


  • http://qkqkro6buaqoocv4.onion/order/16sYqXAncDDiijcuruZecCkdBDwDf4vSEC

Bitcoin Wallets

  • 16sYqXAncDDiijcuruZecCkdBDwDf4vSEC
  • 1LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
  • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

One thought on “eCh0raix Ransomware Targeting Synology NAS Drives

  • August 8, 2019 at 8:56 am

    Your NAS Appliance is Not secure until unless it has security features which works as a pro active approach and successfully stop ransomware attempts to your storage.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: