Ransomware eCh0raix attacks QNAP devices (Dez. 2021)

Sicherheit (Pexels, allgemeine Nutzung)[German]Owners of QNAP NAS drives that are accessible via the Internet were attacked by the eCh0raix ransomware in a new campaign around Christmas. There are only a few people affected, but this malware, also known as QNAPCrypt, encrypts the devices and extorts a ransom. The ransomware is not new either, as I had warned about attacks in June 2020 (see QNAP Security Advisory about eCh0raix Ransomware).


Besitzer von QNAP-NAS-Laufwerken, die per Internet erreichbar sind, wurden rund um Weihnachten in einer neuen Kampagne von der eCh0raix-Ransomware angegriffen. Es sind zwar nur wenige Betroffene, aber diese auch als QNAPCrypt bekannte Schadsoftware verschlüsselt die Geräte und erpresst Lösegeld. Neu ist die Ransomware auch nicht, hatte ich doch im Juni 2020 vor Angriffen gewarnt (siehe QNAP Sicherheitswarnung vor eCh0raix-Ransomware).

The eCh0raix ransomware

It's a never-ending story. In July 2019, I had warned about a ransomware called eChoraix in the article Ransomware addressing QNAP-/Synology NAS systems. The malware uses brute force attacks on the web interfaces of these devices to compromise installations that may have been secured with weak passwords. If successful, all files on the NAS are encrypted and the ransomware drops a notice that the user may pay a ransom to get their data back.

eCh0raix ransomware attacks on Christmas 2021

The colleagues at Bleeping Computer report in this recent article that around a week before Christmas, increased attacks on QNAP devices by the threat actors of eCh0raix ransomware were observed. The colleagues probably noticed hints in their own forum from affected people. 

eCh0raix attacks on ONAP
eCh0raix attacks on ONAP, Source: ID Ransomware service

The graph above shows an increase just before Christmas, and now a decrease again, although the peak was still below 100 infections (quite a small value). How the attackers proceed is currently unclear – at Bleeping Computer, some people suspect an attack via QNAP Photo Station. The article still contains some hints, but no real details. Anyone from the readership affected?


Spinsafe has published this article, which also links to a decrypter that can recover files encrypted with older malware versions.

Similar articles
QNAP Security Advisory about eCh0raix Ransomware
Security Alert for Synology DiskStation Manager and UC SkyNAS
Fix for critical helpdesk vulnerability in QNAP NAS devices (Oct. 7, 2020)
AgeLocker Ransomware attacks QNAP NAS drives
Ransomware addressing QNAP-/Synology NAS systems
QNAP Security Advisory about eCh0raix Ransomware

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *