• _csp_work_weixin_qq_com_ca_cawcde1f68fe5cd8cf

eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices

11.08.21 12:08 AM By jack.zhang

eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices

Operators of the nearly-year-old eCh0raix ransomware strain that’s been used to target QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns have, gotten more efficient. According to researchers, both have put out a new variant that can target either vendors’ devices in a single campaign.

In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.

HBS is used for backup, restoration and synchronization between local, remote and cloud storage spaces. On April 21, users of devices marketed by the Taiwanese vendor – Quality Network Appliance Provider (QNAP) – began to report attacks that, it turned out, abused this same flaw. Hundreds of users were extorted, as Bleeping Computer reported at the time.


As far as unit 42 can determine, there’s been no analysis yet of malware samples that would show eCh0raix ransomware targeting Synology devices before this. “Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only previous research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found,” they elaborated.

The first time that Unit 42 researchers saw this dual-vendor variant was September 2020. Maybe the combined variant was authored at that time and the attackers had separate code bases to target the vendors’ devices in separate campaigns before that, they suggested: a hypothesis that’s confirmed by the new variant’s project name, as revealed in compilation paths in GoLang binaries: “rct_cryptor_universal” (/home/dev/GoglandProjects/src/rct_cryptor_universal).

“Prior samples of eCh0raix use the project name qnap_crypt_worker,” researchers pointed out. Between June and September 2020, they did see other eCh0raix samples using that rct_cryptor_universal project name, but September 2020 was when they first saw a full-blown sample with two separate code flows.

Cover Your NAS

Unit 42 passed along these best practices for protecting home offices from ransomware attacks:

    • Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website
    • Create complex login passwords to make brute-forcing more difficult for attackers.
    • Limit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network attacks that are used to deliver ransomware to devices.