eCh0raix Ransomware Targeting Synology NAS Drives
Updated 23-08-2019
Anomali has reported observing the eCh0raix ransomware targeting Synology NAS (Network Attached Storage) devices.
Once the attacker has gained access to the NAS device, whether by brute-forcing or dictionary-attacking the login or by using default credentials, the data on the device’s drives is encrypted.
After encryption, a “.encrypt” extension is appended to each file name. The ransom note provides an Onion URL and a Bitcoin wallet for payment, along with instructions on how to obtain the decryptor. A “live chat” function is also offered in case the victim has problems and needs help.
Analysis of the malware showed it to be the same family that was targeting QNAP devices the month before.
Recommendations
Restrict external access to NAS devices, or allow access only over a VPN. Ensure all NAS devices are up to date with security patches, that default credentials are changed or disabled, and that strong credentials are used for every account.
The full report can be found here.
Indicators of Compromise
Domain / IP
- qkqkro6buaqoocv4.onion
- 192.99.206[.]61:65000
URL
- http://qkqkro6buaqoocv4.onion/order/16sYqXAncDDiijcuruZecCkdBDwDf4vSEC
Bitcoin Wallets
- 16sYqXAncDDiijcuruZecCkdBDwDf4vSEC
- 1LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
- 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
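As an added example (not code from the Anomali report or from this post), the following Python script checks log lines against the indicators listed above and flags files carrying the “.encrypt” extension. The log lines it runs over are constructed samples in an assumed generic “src/dst” format; adapt the parsing to the export format of your own NAS or firewall.

```python
"""Match log lines against the eCh0raix IOCs listed on this page.

Added example, not part of the Anomali report or the original post.
The log format used below is a constructed, generic one; adapt it to
whatever your NAS or firewall actually exports.
"""
import re

# IOCs exactly as listed on the page (the IP is kept in its defanged form).
IOC_DOMAINS = {"qkqkro6buaqoocv4.onion"}
IOC_IP_PORTS = {"192.99.206[.]61:65000"}
IOC_WALLETS = {
    "16sYqXAncDDiijcuruZecCkdBDwDf4vSEC",
    "1LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135",
    "1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP",
}
ENCRYPTED_EXT = ".encrypt"  # extension eCh0raix appends after encryption


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 192.99.206[.]61 back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs():
    """Build one anchored regex per indicator.

    The lookarounds stop 192.99.206.61 from matching inside 192.99.206.610
    or 1192.99.206.61, while still allowing a following ':port' or '/path'.
    """
    patterns = {}

    def add(term, flags=0):
        patterns[term] = re.compile(
            r"(?<![\w.])" + re.escape(term) + r"(?![\w.])", flags
        )

    for domain in IOC_DOMAINS:
        add(refang(domain), re.IGNORECASE)      # hostnames are case-insensitive
    for ip_port in IOC_IP_PORTS:
        add(refang(ip_port))                    # the C2 endpoint as listed
        add(refang(ip_port).split(":")[0])      # and the bare IP, in case the port differs
    for wallet in IOC_WALLETS:
        add(wallet)                             # Bitcoin addresses are case-sensitive
    return patterns


def scan_log_lines(lines):
    """Return (line_number, indicator, line) for every indicator found in each line."""
    patterns = compile_iocs()
    hits = []
    for number, line in enumerate(lines, start=1):
        for term, pattern in patterns.items():
            if pattern.search(line):
                hits.append((number, term, line))
    return hits


def find_encrypted_files(paths):
    """Return the paths that carry the '.encrypt' extension."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2019-08-22T03:14:07Z nas01 conn src=10.0.0.5:51234 dst=192.99.206.61:65000 proto=tcp",
    "2019-08-22T03:14:09Z nas01 conn src=10.0.0.5:51235 dst=192.99.206.610:443 proto=tcp",
    "2019-08-22T03:15:02Z proxy GET http://qkqkro6buaqoocv4.onion/order/16sYqXAncDDiijcuruZecCkdBDwDf4vSEC",
    "2019-08-22T03:16:00Z nas01 login user=admin src=10.0.0.9 result=ok",
]

# Constructed sample file listing.
SAMPLE_FILES = ["/volume1/docs/q3.xlsx.encrypt", "/volume1/docs/readme.txt"]


if __name__ == "__main__":
    for number, term, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: matched {term!r}: {line}")
    for path in find_encrypted_files(SAMPLE_FILES):
        print(f"encrypted file: {path}")
```

Only lines 1 and 3 of the sample log are reported: line 2 contains the similar-looking address 192.99.206.610, which the anchored pattern correctly ignores. The bare IP is matched separately from the listed IP:port pair because the C2 port is not guaranteed to stay constant across samples.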

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.
Your NAS appliance is not secure unless it has security features that work as a proactive approach and successfully stop ransomware attempts on your storage.