QNAP NAS Devices Under Attack - Another Wave of eCh0raix Ransomware Identified

QNAP Network Attached Storage (NAS) devices, manufactured by the Taiwanese corporation QNAP Systems, Inc. have been facing cyber threats from various groups, such as the Muhstik and the QSnatch groups. Recently, a new variant of any already known ransomware was seen again, actively attacking QNAP NAS devices.

The eCh0raix wave targeting QNAP NAS

  • In June 2020, the eCh0raix ransomware operators launched a new wave of attacks targeting the QNAP network-attached storage (NAS) devices.
  • The ransomware operators likely incorporated exploits for the three vulnerabilities (CVE-2019-7192, CVE-2019-7194, and CVE-2019-7195) that were recently discovered in mid-May 2020.
  • The eCh0raix gang uses two different attack vectors: exploitation of known vulnerabilities in unpatched QNAP devices, and brute force attacks to break admin passwords.

A brief about eCh0raix

eCh0raix group has been specifically targeting QNAP NAS devices for almost one year now.
  • In August 2019, a free decryptor for eCh0raix ransomware released, that could decrypt all the files infected before July 17, 2019. But soon after, a newer version of ransomware was observed, indicating that the eCh0raix gang was desperate to continue its cyber attacks.
  • In July 2019, the eCh0raix gang was first seen targeting enterprise QNAP Network Attached Storage (NAS) devices across the world, except for those from Belarus, Ukraine, or Russia.

Security recommendations

Besides regularly updating the QTS firmware to the latest version, QNAP Systems provides several additional recommendations. Users should use a strong admin password, and enable the Network Access Protection to prevent brute force attacks. Also, disabling the SSH and Telnet services, and avoiding the use of default ports 443 and 8080 can help prevent attacks from threats like eCh0raix.