The eCh0raix ransomware is now updated to target two vendors’ devices that are mostly used in Single Office and Home Office (SOHO) setups. Earlier, the ransomware was used to target Synology and QNAP NAS in separate campaigns. However, in the latest campaign, a new version of malware is observed targeting both devices simultaneously.
What has happened
In a recent report from Palo Alto Network Unit 42, the new variant of eCh0raix is found to be abusing a critical bug in QNAP NAS devices and a bug in Synology NAS devices.
It targets the flaw (CVE-2021-28799) in Hybrid Backup Sync (HBS 3) software in QNAP NAS devices. On April 21, hundreds of device users started reporting attacks abusing the same flaw.
The attack was leveraged hard-coded session ID to avoid authentication. Subsequently, it executed a command on the device to download malware from the remote server.
Moreover, the same eCh0raix version was found targeting Synology NAS devices as well.
The first samples of the new variant trace back to as early as September 2020.
Quarter-million potential targets
The new version of eCh0raix is considered a wilder threat for millions of devices due to its combined capacity to attack two vendors.
The researchers have stated that there are 240,000 internet-connected QNAP NAS devices. Therefore there are more than a quarter-million potential targets still exposed and vulnerable.
Although there are only 3,500 Synology NAS devices, making the attack’s surface is limited for this vendor.
Some victims have already posted about being targeted, and they claim to have paid bitcoin valued at about $500 a ransom, as recently as June 16.
The new variant of eCh0raix ransomware is an indication that cybercriminals are actively updating their tactics. Therefore, researchers recommend updating device firmware as the first step of defense. Also, it is recommended to create complex passwords and limit connections to SOHO-connected devices.