{"id":22749,"date":"2021-12-28T11:30:56","date_gmt":"2021-12-28T10:30:56","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=22749"},"modified":"2021-12-31T10:07:01","modified_gmt":"2021-12-31T09:07:01","slug":"ransomware-ech0raix-greift-qnap-gerte-an-12-2021","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/12\/28\/ransomware-ech0raix-greift-qnap-gerte-an-12-2021\/","title":{"rendered":"Ransomware eCh0raix attacks QNAP devices (Dec. 2021)"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/12\/28\/ransomware-ech0raix-greift-qnap-gerte-an-12-2021\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Owners of QNAP NAS drives that are accessible via the Internet were attacked by the eCh0raix ransomware in a new campaign around Christmas. Only a few people are affected, but this malware, also known as QNAPCrypt, encrypts the devices and extorts a ransom. The ransomware is not new either; I had already warned about attacks in June 2020 (see <a href=\"https:\/\/borncity.com\/win\/2020\/06\/12\/qnap-sicherheitswarnung-vor-ech0raix-ransomware\/\">QNAP Security Advisory about eCh0raix Ransomware<\/a>).<\/p>\n<p><!--more--><\/p>\n<h2>The eCh0raix ransomware<\/h2>\n<p>It's a never-ending story. In July 2019, I warned about ransomware called eCh0raix in the article <a href=\"https:\/\/borncity.com\/win\/2019\/07\/26\/ransomware-addressing-qnap-synology-nas-systems\/\">Ransomware addressing QNAP-\/Synology NAS systems<\/a>. The malware uses brute force attacks on the web interfaces of these devices to compromise installations that may have been secured with weak passwords. If successful, all files on the NAS are encrypted and the ransomware drops a notice that the user may pay a ransom to get their data back. <\/p>\n<h2>eCh0raix ransomware attacks on Christmas 2021<\/h2>\n<p>The colleagues at Bleeping Computer report in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/qnap-nas-devices-hit-in-surge-of-ech0raix-ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\">this recent article<\/a> that, around a week before Christmas, increased attacks on QNAP devices by the eCh0raix ransomware threat actors were observed. 
The colleagues probably <a href=\"https:\/\/www.bleepingcomputer.com\/forums\/t\/617854\/ech0raix-ransomware-qnapcryptsynology-nas-encrypt-support-topic\/?p=5296714\" target=\"_blank\" rel=\"noopener\">noticed hints in their own forum<\/a> from affected people.<\/p>\n<p><img decoding=\"async\" title=\"eCh0raix attacks on QNAP\" alt=\"eCh0raix attacks on QNAP\" src=\"https:\/\/i.imgur.com\/1UfaF0M.png\"><br \/>eCh0raix attacks on QNAP, Source: <a href=\"https:\/\/id-ransomware.malwarehunterteam.com\/\" target=\"_blank\" rel=\"noopener\">ID Ransomware service<\/a><\/p>\n<p>The graph above shows an increase just before Christmas, and now a decrease again, although the peak was still below 100 infections (quite a small value). How the attackers proceed is currently unclear &#8211; at Bleeping Computer, some people suspect an attack via QNAP Photo Station. The article still contains some hints, but no real details. Is anyone among the readers affected?<\/p>\n<blockquote>\n<p>Spinsafe has published <a href=\"https:\/\/web.archive.org\/web\/20211226071138\/https:\/\/spinsafe.com\/ech0raix-qnapcrypt-2021-ransomware-help-tech-support\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>, which also links to a decrypter that can recover files encrypted with older malware versions.<\/p>\n<\/blockquote>\n<p><strong>Similar articles<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2020\/06\/12\/qnap-sicherheitswarnung-vor-ech0raix-ransomware\/\">QNAP Security Advisory about eCh0raix Ransomware<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/08\/19\/sicherheitswarnung-fr-synology-diskstation-manager-und-uc-skynas\/\">Security Alert for Synology DiskStation Manager and UC SkyNAS<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/10\/08\/fix-fr-kritische-schwachstelle-in-qnap-nas-gerten-7-10-2020\/\">Fix for critical helpdesk vulnerability in QNAP NAS devices (Oct. 
7, 2020)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/29\/agelocker-ransomware-zielt-auf-qnap-nas-laufwerke\/\">AgeLocker Ransomware attacks QNAP NAS drives<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/07\/26\/ransomware-addressing-qnap-synology-nas-systems\/\">Ransomware addressing QNAP-\/Synology NAS systems<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Owners of QNAP NAS drives that are accessible via the Internet were attacked by the eCh0raix ransomware in a new campaign around Christmas. There are only a few people affected, but this malware, also known as QNAPCrypt, encrypts the devices &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/12\/28\/ransomware-ech0raix-greift-qnap-gerte-an-12-2021\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-22749","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22749","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=22749"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22749\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=22749"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=22749"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=22749"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}