The ech0raix ransomware has resumed targeting vulnerable QNAP Network Attached Storage (NAS) systems this week, as per user complaints and sample uploads on the ID Ransomware site.
ech0raix (also known as QNAPCrypt) began attacking QNAP customers in many large-scale waves in the summer of 2019 when attackers brute-forced their entry into Internet-exposed NAS equipment.
Since then, victims of this ransomware strain have discovered and reported numerous further campaigns, in June 2020, May 2020, and a large wave of assaults targeting devices with weak passwords that began in mid-December 2021 (just before Christmas) and gradually declined towards early February 2022.
A fresh series of ech0raix assaults have been validated by an increase in the amount of ID Ransomware submissions and users reporting getting affected on the BleepingComputer forums, with the first hit on June 8.
Although just a few dozen ech0raix samples have been submitted, the real number of successful assaults is likely to be larger because only a subset of victims will utilize the ID Ransomware service to detect the ransomware that encrypted their devices.
While this ransomware has been used to encrypt Synology NAS systems since August 2021, this time victims have solely reported attacks on QNAP NAS systems.
The attack vector employed in the current ech0raix campaign is unknown until QNAP releases additional information on these attacks.
How to Protect NAS Against Attacks
While QNAP is yet to give a warning to consumers about these assaults, the firm has already recommended users secure their data from potential eCh0raix attacks
- by using stronger passwords for administrator accounts
- activating IP Access Protection to protect accounts from brute force assaults,
- and preventing the use of the default port numbers 443 and 8080
In this security advice, QNAP gives extensive step-by-step instructions for changing the NAS password, enabling IP Access Protection, and changing the system port number.
Customers are also advised by the Taiwanese hardware manufacturer to stop Universal Plug and Play (UPnP) port forwarding on their routers to avoid exposing their NAS systems to Internet-based assaults.
One can also stop SSH and Telnet connections and enable IP and account access prevention by following these step-by-step instructions. QNAP also urged users on Thursday to protect their devices against continuous DeadBolt ransomware threats.
"According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series," the NAS maker stated.
"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet."
