A new ransomware family has been found targeting Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' data hostage until a ransom is paid, researchers told The Hacker News.

Ideal for home and small business, NAS devices are dedicated file storage units connected to a network or through the Internet, which allow users to store and share their data and backups with multiple computers.

Discovered by the research team at Anomali, the new ransomware, dubbed eCh0raix, targets poorly protected or insecure QNAP NAS devices either by brute forcing weak credentials or exploiting known vulnerabilities.

Written in the Go programming language, the eCh0raix ransomware encrypts all files with targeted extensions using AES encryption and appends .encrypt extension to all the encrypted files.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

Upon execution, the file-encrypting ransomware first connects to its remote command-and-control server, protected behind the Tor network, using a SOCKS5 Tor proxy and notifies attackers about the new victims.

"Based on the analysis it is clear that the proxy has been set up by the malware author to provide Tor network access to the malware without including Tor functionality in the malware," the researchers say.
On an infected device, the ransomware generates a 32-character random string (from an array of alphanumeric and special characters) to create an AES-256 secret key and then use it to encrypt all the files stored on targeted NAS device with AES algorithm in Cipher Feedback Mode (CFB), and then removes the original files.

Interestingly, since the encryption module uses math's package to generate the secret key, it's likely possible for researchers to write a decryptor for the new ransomware family because the function is not entirely random.

"Malware initializes the math random page with the seed of the current time. Since it is using the math's package to generate the secret key, it is not cryptographically random, and it is likely possible to write a decryptor," the researchers say.

"The threat actor targets QNAP NAS devices that are used for file storage and backups. It is not common for these devices to run antivirus products, and currently, the samples are only detected by 2-3 products on VirusTotal, which allows the ransomware to run uninhibited."

Researchers also noted that before encrypting files stored on targeted NAS devices, the ransomware also attempts to kill a specific list of processes, including apache2, httpd, nginx, MySQL, mysql, and PostgreSQL.

As a reminder, we urge users not to, unknowingly or unnecessarily, connect their NAS devices directly to the Internet, and also enable automatic updates to keep firmware up-to-date.

Moreover, users are always recommended to use strong passwords to secure their NAS devices in the first place and regularly backup stored information on these devices, so that in case of any disaster, the important data can be recovered without paying ransom to attackers.