Anomali has identified new ransomware designed for network-attached storage (NAS) devices manufactured by QNAP Systems.
The ransomware, named eCh0raix after a line in its code, was first seen in June when a discussion about it appeared on the Bleeping Computer forums. At the moment it is not widespread and, for unknown reasons, targets only QNAP Systems NAS devices, the Anomali Threat Research Team told SC Media. Why such NAS devices are targeted, however, is no secret.
“These devices are commonly used to store backups and important files, making them a lucrative target for extortion,” Anomali said.
Anomali stressed that there is absolutely nothing wrong with security on QNAP devices, but those with weaker credentials are susceptible.
Researchers reported that the threat actor scans the Internet for QNAP devices and then breaks into those configured with weak passwords. The number of potentially vulnerable QNAP NAS drives is unknown, Anomali said, adding that researchers found samples compiled for ARM and Intel x86, which led them to believe it is present on both enterprise and home devices.
The malware gains access by brute-forcing device login credentials and then uses previously known vulnerabilities, Anomali researchers wrote. After killing nine processes on the device, it checks whether the files have already been encrypted; if not, it changes the file extension to .encrypt and then uses AES encryption to make the file unavailable.
At this point, a ransom note is dropped:
All data is locked (encrypted).
How to unlock (decrypt) the instruction located on this TOR site: http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use the TOR browser to access .onion websites.
https://duckduckgo.com/html?q=tor browser, for example
DO NOT DELETE this file and DO NOT delete the last line in this file!
[Encrypted base64 data]
The ransomware code itself is very simple: only 400 lines, written in the Go programming language.
The ransomware first accesses the URL http://192.99.206[.]61/d.php?S=started and then reports to sg3dwqfpnr4sl5hh[.]onion (the address given in the ransom note) through a SOCKS5 Tor proxy server at 192.99.206[.]61:65000.
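As an added example (not code from Anomali's report or from the malware), the following Python triage script checks a NAS share for the indicators described above: the .encrypt extension, the opening line of the ransom note, and connections to the reported SOCKS5 Tor proxy. The sample file tree and the ss/netstat-style connection lines are constructed data; the ransom-note file name is an assumption.

```python
import os
import re
import tempfile

# Indicators taken from the write-up (defanged forms normalised here).
ENCRYPTED_EXT = ".encrypt"
NOTE_MARKER = "All data is locked (encrypted)."
C2_PROXY = ("192.99.206.61", 65000)  # SOCKS5 Tor proxy contacted by the sample

def scan_tree(root):
    """Walk a share; return (files with .encrypt extension, files holding the note marker)."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                continue
            try:
                with open(path, "r", errors="ignore") as fh:
                    if NOTE_MARKER in fh.read(4096):  # note is short; head is enough
                        notes.append(path)
            except OSError:
                pass  # unreadable entries are skipped, not fatal
    return encrypted, notes

# Remote endpoint is the last "ip:port" token on an ss/netstat line.
CONN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")

def c2_connections(lines):
    """Return connection lines whose remote endpoint is the reported Tor proxy."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line.rstrip())
        if m and (m.group(1), int(m.group(2))) == C2_PROXY:
            hits.append(line.strip())
    return hits

def demo_tree():
    """Build a constructed sample share: one renamed file, one note, one clean file."""
    root = tempfile.mkdtemp(prefix="nas_demo_")
    open(os.path.join(root, "photo.jpg" + ENCRYPTED_EXT), "wb").write(b"\x00\xff" * 8)
    open(os.path.join(root, "README_FOR_DECRYPT.txt"), "w").write(NOTE_MARKER + "\n")
    open(os.path.join(root, "notes.txt"), "w").write("quarterly report\n")
    return root

SAMPLE_CONNS = [  # constructed ss -tn style output
    "tcp ESTAB 0 0 10.0.0.5:51234 192.99.206.61:65000",
    "tcp ESTAB 0 0 10.0.0.5:44120 93.184.216.34:443",
]
```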