Network attached storage devices are being targeted by cybercriminals


Network attached storage (NAS) devices often store critical data and backups. Some NAS drives are also exposed to the open internet, and cybercriminals have taken notice.

A new form of file-locking malware that emerged in June has been named eCh0raix, after a string in its code. The malware is written in the Go programming language and has been described as very simple, with source code of fewer than 400 lines.

This ransomware specifically targets QNAP NAS devices produced by Taiwanese firm QNAP Systems.

Several vulnerabilities have been discovered in QNAP NAS devices in the recent past, but the company has diligently released patches to shore up these vulnerabilities after they’ve been discovered. Unfortunately, though there are patches available, many organizations fail to apply the patches in a timely manner.

These cybercriminals are opportunistic, and when a non-patched NAS is found, they attack.

Network attached storage devices make appealing targets for cybercriminals dealing in ransomware as NAS devices typically store critical data and backups. These company-critical devices also typically aren’t equipped with any security software to protect them from attack.

The initial infection reaches the device through unsecured, internet-facing ports, with brute-force attacks used to get past weak login credentials.

Once the eCh0raix malware infects the NAS device, it checks whether the files are already encrypted. The malware then reaches out to a command-and-control server to begin the encryption process and to create an AES-256 encryption key, which it uses to lock the files, giving them a .encrypt extension.

Once the files are locked, users are presented with a ransom note informing them that their data has been locked. They're then directed to a Tor website to make the ransom payment in bitcoin. The note threatens that tampering with the encrypted data will cause the files to be lost.
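
A triage script for the behaviour described above, added here as an example (it is not code from the original article or from QNAP): it walks a share, counts files carrying the .encrypt extension per directory, and reports the earliest modification time among them as a rough estimate of when encryption began. The function name triage_share and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

LOCKED_SUFFIX = ".encrypt"  # extension the article says eCh0raix appends


def triage_share(root):
    """Summarise files under `root` that carry the .encrypt extension.

    triage_share is a hypothetical helper name, not part of any QNAP tool.
    """
    by_dir = Counter()      # directory -> number of locked files
    total = locked = 0
    first_locked = None     # earliest mtime seen on a locked file
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if not name.lower().endswith(LOCKED_SUFFIX):
                continue
            locked += 1
            by_dir[dirpath] += 1
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue    # file vanished or is unreadable mid-scan
            if first_locked is None or mtime < first_locked:
                first_locked = mtime
    return {"total": total, "locked": locked,
            "first_locked": first_locked, "by_dir": by_dir}


if __name__ == "__main__":
    # Constructed sample tree standing in for a NAS share.
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "backups"))
        for rel, mtime in [("report.docx.encrypt", 1562000000),
                           ("backups/db.bak.encrypt", 1562000300),
                           ("backups/notes.txt", 1561000000)]:
            path = os.path.join(share, rel)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        result = triage_share(share)
        print(result["locked"], "of", result["total"], "files locked")
        print("earliest locked mtime:", result["first_locked"])
        for d, n in result["by_dir"].most_common():
            print(n, d)
```

Backups taken before the earliest locked timestamp are the first candidates for a restore; treat that timestamp as an estimate, since modification times can be changed.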

It is necessary to take precautionary steps with NAS devices to protect against ransomware attacks. The first step is to restrict external access to NAS devices so that they can’t be found from the outside internet. Security patches should also be applied and strong credentials employed in order to protect systems from brute-force attacks.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648