Small Office/Home Office (SOHO) users and tech-savvy consumers using QNAP and Synology Network Attached Storage (NAS) devices are being targeted by cybercriminals with a newly released variant of the eCHoraix ransomware. The current attacks against QNAP devices make use of the CVE-2021-28799 vulnerability, first disclosed by QNAP on April 22nd, 2021, which has previously been used to deploy variants of other QNAP ransomware. Researchers believe the initial variant of eCHoraix to target both QNAP and Synology devices was first developed in September 2020; prior to this, separate campaigns were used for each device type.

What Is It?

A newly released variant of the eCHoraix ransomware (previously also known as QNAPCrypt) has been found to target both QNAP and Synology NAS (Network Attached Storage) devices. Though not commonly used by large organizations, these devices are popular with tech-savvy consumers and SOHO users, and QNAP and Synology are among the most popular vendors in this market segment. Though SOHO users don’t possess the financial resources to pay large ransoms, their potential lack of in-depth IT skills and support means they may see paying a smaller ransom as their only option to regain access to their files. Researchers from Palo Alto Networks’ Unit42 team have found that the potential attack surface of internet-facing QNAP and Synology NAS devices numbers nearly 250,000.

Originally released in June 2019, eCHoraix is written in the Go programming language and has been utilized in multiple campaigns, including significant campaigns in June of both 2019 and 2020. On QNAP devices, eCHoraix attacks have exploited vulnerabilities in the QNAP operating system software as the attack vector. In the case of Synology NAS devices, administrative accounts with weak or default passwords are subjected to brute-force and dictionary attacks to gain access. The current attacks against QNAP devices make use of the CVE-2021-28799 vulnerability, first disclosed by QNAP on April 22nd, 2021, which has previously been used to deploy variants of other QNAP ransomware. Researchers believe the initial variant of eCHoraix to target both QNAP and Synology devices was first developed in September 2020; prior to this, separate campaigns were used for each device type.

It has been reported by users of BleepingComputer’s forums that each victim is given a different bitcoin address for the ransom payment. However, a forum user also noted that by following the transactions in the blockchain, it can be seen that the ransom payments are always transferred to the same address. It’s unknown if all the transfers to that address relate solely to eCHoraix; however, that address has received a total of more than 921 bitcoins, which at the time of writing was valued at approximately US$42 million.

Figure 1: Bitcoin address (redacted)

Samples of this eCHoraix variant are compiled for either Intel or ARM architectures, as both processor types are used by different models in the QNAP and Synology NAS device ranges. When executed, the ransomware checks to ensure that another copy isn’t currently executing and hasn’t previously executed on the device. It then contacts its C2 (command and control) site to obtain the encryption key, the ransom note text and the bitcoin address where the ransom is to be paid. Encrypted files are given the .encrypt file extension. The ransomware contains a large list of file extensions that it searches for and encrypts. The encryption process is handled in two stages: the first stage encrypts files matching a subset of approximately 40 file extensions which the authors clearly believe will be a priority to their intended victims. These priority file extensions relate to source code, image and document files. The remaining file extensions are then searched for and encrypted.
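The two-stage behaviour described above gives a defender something concrete to watch for on a NAS: a burst of renames that append the .encrypt extension, with source-code, image and document files hit first. The following detection sketch is an added example, not code from the report or from BluVector; the log line format, the rename pattern (original name plus .encrypt) and the small priority-extension subset are all constructed assumptions, since the report gives only the extension and the file categories.

```python
import re
from collections import deque
from datetime import datetime

# Constructed file-activity log format (not a real QNAP/Synology log schema):
#   <ISO-8601 timestamp> rename <old path> -> <new path>
LOG_RE = re.compile(r"^(\S+) rename (\S+) -> (\S+)$")

# The report describes a first pass over ~40 "priority" extensions covering source
# code, image and document files; this small subset is constructed for illustration.
PRIORITY_EXTS = {".c", ".py", ".go", ".jpg", ".png", ".doc", ".docx", ".pdf", ".xlsx"}
ENCRYPTED_EXT = ".encrypt"

def parse_rename(line):
    """Return (timestamp, old_path, new_path), or None for non-rename lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3)

def original_ext(path):
    """Lower-cased extension of the file before the rename ('' if it had none)."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""

def detect_encrypt_burst(lines, window_seconds=60, threshold=5):
    """Alert when `threshold` or more renames to .encrypt fall inside a sliding
    window of `window_seconds`. Each alert is (first_ts, count, priority exts hit)."""
    alerts, window = [], deque()
    for line in lines:
        rec = parse_rename(line)
        if rec is None or not rec[2].endswith(ENCRYPTED_EXT):
            continue  # only renames that append the ransomware's extension matter
        ts, old, _ = rec
        window.append((ts, original_ext(old)))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop events older than the window
        if len(window) >= threshold:
            hit = sorted({e for _, e in window if e in PRIORITY_EXTS})
            alerts.append((window[0][0], len(window), hit))
            window.clear()  # one alert per burst; start counting again
    return alerts

# Constructed sample: one benign rename, a five-file burst, one isolated event later.
SAMPLE_LOG = [
    "2021-08-15T10:00:00Z rename /share/Docs/draft.txt -> /share/Docs/final.txt",
    "2021-08-15T10:00:05Z rename /share/Code/main.go -> /share/Code/main.go.encrypt",
    "2021-08-15T10:00:06Z rename /share/Photos/IMG_0001.JPG -> /share/Photos/IMG_0001.JPG.encrypt",
    "2021-08-15T10:00:07Z rename /share/Docs/invoice.pdf -> /share/Docs/invoice.pdf.encrypt",
    "2021-08-15T10:00:09Z rename /share/Docs/notes.docx -> /share/Docs/notes.docx.encrypt",
    "2021-08-15T10:00:11Z rename /share/Music/track01.mp3 -> /share/Music/track01.mp3.encrypt",
    "2021-08-15T10:05:00Z rename /share/Backup/old.zip -> /share/Backup/old.zip.encrypt",
]
```

Running `detect_encrypt_burst(SAMPLE_LOG)` yields a single alert for the five-rename burst, listing the .docx, .go, .jpg and .pdf originals as priority-category files; the isolated later rename does not reach the threshold on its own.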

Figure 2: Partial list of encrypted file extensions

eCHoraix ransomware is an example showing that cybercriminals are not solely focused on large organizations as targets. They are aware that SOHO users and businesses represent a profitable target, albeit at a smaller per-victim profit. They’re also cognizant of the fact that these targets can be considered soft, with strong motivation to pay the ransom, due to a lack of IT resources and support and a heavy reliance on the data that may be encrypted. It also illustrates that cyber security basics, such as prompt patching and good password hygiene, are critical to organizations of all sizes and to every user.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. In the case of QNAP devices, exploitation of the CVE-2021-28799 vulnerability is the attack vector, and for Synology devices it is brute-forcing of administrative account credentials.

When/How Did BluVector Detect It?

Ten publicly available samples, compiled for both Intel and ARM architectures, were regression tested against BluVector’s patented Machine Learning Engine (MLE). All samples were detected, on average 8.3 months, and up to 17 months, prior to their release into the wild.