[German]QNAP system owners are currently under fire from two ransomware groups. Once, cases of infections with the eCh0raix ransomware were detected. This is where drives are encrypted. In addition, QNAP has recently published a security notice that warns against attacks of the DeadBold ransomware on outdated versions of QTS 4.x.
Advertising
DeadBold ransomware attacks
I became aware of DeadBolt ransomware attacks on QNAP NAS drives via Twitter a couple of days ago. QNAP has published the Security Advisory QSA-22-19 (DeadBolt Ransomware) on June 17, 2022.
According to this, QNAP has recently discovered a new DeadBolt ransomware campaign targeting the corresponding devices. According to the victims' reports so far, the campaign seems to target QNAP NAS devices with outdated versions of QTS 4.x. Currently, the cases are still under investigation by QNAP, so no further information is available. The vendor's recommendation is to update QTS or QuTS hero to the latest version immediately.
eCh0raix ransomware attacks
Karsten Hahn, malware analyst at G DATA has also pointed out attacks of the eCh0raix ransomware, in which QNAP devices are encrypted, via Twitter. He has come across corresponding samples.
Advertising
The colleagues from Bleeping Computer have covered this attack within this article. Since a few days now, there have been increasing reports that QNAP devices have been encrypted by the eCh0raix ransomware (also known as QNAPCrypt). For example, on Bleeping Computer's forum, there is this post from a victim where all data on a QNAP TS-251+ server was encrypted on June 6, 2022. On June 17, 2022, there is another affected person in the same thread. The ransomware is not new, there have been warnings in the past (see the following links).
Similar articles:
QNAP Security Advisory about eCh0raix Ransomware QNAP Sicherheitswarnung vor eCh0raix-Ransomware
QTS 5.0.0 security updates for QNAP NAS devices (June 8, 2022)
QNAP Update QTS 5.0.0.1932 build 20220129 closes SAMBA vulnerability CVE-2021-44142
QNAP: DeadBolt attacks via vulnerability patched in December 2021
