Researchers from Anomali uncovered a new ransomware strain dubbed ‘eCh0raix’ that targets QNAP Network Attached Storage (NAS) devices used for backups and file storage.
What is eCh0raix?
Researchers analyzed the eCh0raix samples and noted that it uses the hardcoded public key, with a unique key for each target. The ransomware’s C&C server is located on Tor, however, it does not contain any Tor client to connect to it. Instead, the ransomware uses a SOCKS5 proxy that connects in order to communicate with the C&C server. The ransomware operators also created an API that can be used to query for various information.
How does the ransomware work?
When selecting files to encrypt, the ransomware skips any files where the absolute path for the file contain any of the following strings: '/proc', '/boot/', '/sys/', '/run/', '/dev/', '/etc/', '/home/httpd', '/mnt/ext/opt', '.system/thumbnail', '.system/opt', '.config', and '.qpkg'.
Therefore, it essentially skips all the system files and focuses on the user's files.
What does the ransom note say?
The ransomware creates a ransom note named ‘README_FOR_DECRYPT.txt’. The ransom note includes a link to a Tor site, an associated bitcoin address, and the users encrypted private encryption key. Once the users go to the Tor payment site, they will be shown a bitcoin address and the ransom amount to be paid. The Tor site will notify users once it receives the payment, after which users can download the decryptor.
“All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http[:]//sg3dwqfpnr4sl5hh[.]onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data],” the ransom note read, Anomali researchers reported.