NAS manufacturer QNAP has now issued a security warning because its devices are under attack by the eCh0raix ransomware.
The eCh0raix ransomware
It’s a never-ending story. Almost exactly a year ago, in the article Ransomware addressing QNAP-/Synology NAS systems, I warned about a ransomware called eCh0raix. The malware uses brute-force attacks on the web interfaces of these devices to compromise installations that may be secured only with weak passwords. If an attack succeeds, all files on the NAS are encrypted and the ransomware leaves a note with payment instructions for the user.
On June 8, 2020, I had a section in the German blog post Sicherheitsinformationen (8. Juni 2020) noting that the cyber criminals from the eCh0raix ransomware gang are running a new campaign against QNAP NAS devices. Bleeping Computer has picked it up in this post, and on ZDNet you can find this post.
QNAP pushed an advisory about eCh0raix ransomware
The following tweet tells me that QNAP has now responded and released a security warning about the eCh0raix ransomware.
QNAP has published a security alert confirming my report from last week that the eCh0raix ransomware was using the recent PhotoStation RCEs to take over NAS devices
— Catalin Cimpanu (@campuscodi) June 12, 2020
As of June 8, 2020, QSA-20-02 confirms that attacks with the eCh0raix ransomware (MR1904) are taking place, which mainly exploit older vulnerabilities. The following QNAP devices from the QTS and Photo Station series are likely to be affected by the attacks.
- QTS 4.4.1: build 20190918 and later
- QTS 4.3.6: build 20190919 and later
- QTS 4.4.1: Photo Station 6.0.3 and later
- QTS 4.3.4 – QTS 4.4.0: Photo Station 5.7.10 and later
- QTS 4.3.0 – QTS 4.3.3: Photo Station 5.4.9 and later
- QTS 4.2.6: Photo Station 5.2.11 and later
To secure a QNAP device and protect its data from ransomware attacks and unauthorized use, the manufacturer strongly recommends that you update QTS and Photo Station to the latest firmware versions. For more details, please refer to this article.