Ech0Raix
Description
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
1. The ransom note is delivered solely as a text file, with no message shown on screen, which is expected because the target is a server rather than an endpoint.
2. Every victim is assigned a different, unique Bitcoin wallet, which may help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control (C&C) server before it begins encrypting files.
External Analysis
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/
https://www.anomali.com/blog/the-ech0raix-ransomware
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/
https://www.ibm.com/downloads/cas/Z81AVOY7
https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/
https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt
https://www.qnap.com/en/security-advisory/QSA-20-02
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
Urls
http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion
Chat servers
http://7zvu7njrx7q734kvk435ntuf37gfll2pu46fmrfoweczwpk2rhp444yd.onion