Original Release Date: 6/11/2020
Threat actors operating the eCh0raix ransomware variant are exploiting QNAP network-attached storage (NAS) devices in attacks. On May 18, three firmware vulnerabilities in the Photo Station app in QNAP devices were publicized – CVE-2019-7192, CVE-2019-7194, and CVE-2019-7195 – which could be exploited to bypass authentication, insert malicious code, and install web shells, respectively. While the flaws were patched in late 2019, upgrading the firmware disrupts QNAP users, which may have discouraged administrators from applying the upgrade. The eCh0raix operators may be exploiting these QNAP vulnerabilities in their operations, as an increase in eCh0raix victims with encrypted NAS devices was reported over the last couple of weeks. Historically, these threat actors have used exploits to target vulnerabilities in QNAP devices and brute-forced weak and common administrator passwords to gain unauthorized access.
The NJCCIC highly recommends that QNAP administrators follow the guidance in the QNAP advisory, including upgrading device firmware and software as soon as possible and establishing long and unique device passwords. To limit the impact of a ransomware attack, ensure a comprehensive data backup plan is established and apply the additional recommendations provided in the NJCCIC Ransomware: Risk Mitigation Strategies guide. The Bleeping Computer article provides additional details.