
Overview

A new strain of eCh0raix ransomware has been discovered targeting QNAP and Synology Network Attached Storage (NAS) devices. This is not the first time that either vendor has been the target of ransomware; however, it appears to be the first time that the same ransomware group has been identified as the source of attacks on both.

Impact

Access to and encryption of all data on the device as well as the potential to use the device as a mechanism to pivot the attack to target other devices.

Affected Products

QNAP NAS devices running HBS 3 (QNAP NAS devices running HBS 2 and HBS 1.3 are not affected).
There is no clear set of affected Synology NAS versions, as the attacks against these devices appear to be brute-force password attacks rather than exploitation of a specific software version.

Vulnerability Detection

The attempted use of hard-coded credentials on QNAP devices, and the brute forcing of administrative credentials on either vendor’s devices, are the key indicators of an attack against these devices.

Containment, Mitigations & Remediations

Palo Alto Networks’ Unit 42 security researchers are advising affected NAS owners to follow best practices to block ransomware attacks targeting their data:

  • Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website.
  • Create complex login passwords to make brute-forcing more difficult for attackers.
  • Limit connections to SOHO-connected devices from only a hard-coded list of recognized IPs to prevent network attacks used to deliver ransomware to devices.

Separately, Synology provided advice more specific to their devices, but still in-line with security best practices:

  • Use a complex and strong password and apply password strength rules to all users.
  • Create a new account in the administrator group and disable the system default “admin” account.
  • Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
  • Run Security Advisor to make sure there is no weak password in the system.
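As an added example (not code from the advisory, QNAP or Synology), the script below shows the kind of check the Vulnerability Detection section and Synology's Auto Block advice imply: a sliding-window count of failed logins per source address over NAS authentication logs, plus a tally of failed attempts against the default "admin" account. The log format, field names, sample lines and thresholds are constructed assumptions; real NAS logs need their own parser and locally tuned thresholds.

```python
"""Flag brute-force login behaviour in NAS authentication logs.

Added example, not code from the advisory, QNAP or Synology. It mimics the
logic of an Auto Block style control: count failed logins per source IP in a
sliding time window and flag sources that cross a threshold. The log format
("<ISO timestamp> <FAIL|OK> user=<name> from=<ip>"), the sample lines and the
default thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; real NAS logs differ and would need their own parser.
SAMPLE_LOG = """\
2021-08-10T09:00:01 FAIL user=admin from=198.51.100.7
2021-08-10T09:00:03 FAIL user=admin from=198.51.100.7
2021-08-10T09:00:04 FAIL user=admin from=198.51.100.7
2021-08-10T09:00:06 FAIL user=administrator from=198.51.100.7
2021-08-10T09:00:09 FAIL user=root from=198.51.100.7
2021-08-10T09:00:10 OK user=backup from=203.0.113.5
2021-08-10T09:15:00 FAIL user=alice from=203.0.113.5
2021-08-10T09:45:00 FAIL user=alice from=203.0.113.5
"""


def parse_line(line):
    """Split one constructed-format line into (timestamp, result, user, source_ip)."""
    ts_str, result, user_kv, ip_kv = line.split()
    return (datetime.fromisoformat(ts_str), result,
            user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1])


def find_brute_force(log_text, max_failures=5, window_seconds=300):
    """Return {source_ip: timestamp} for sources with >= max_failures failed
    logins inside any window_seconds-long window; the timestamp is when the
    threshold was first crossed (the point an Auto Block rule would fire)."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, _user, ip = parse_line(line)
        if result != "FAIL":
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def default_account_attempts(log_text, default_names=("admin",)):
    """Count failed logins against vendor default account names per source IP.
    Once the default account is disabled, every such attempt is by definition
    a failure, so a high count per source is a clean brute-force signal."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, result, user, ip = parse_line(line)
        if result == "FAIL" and user in default_names:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"brute-force threshold crossed by {ip} at {when.isoformat()}")
    print("failed attempts on default accounts:", default_account_attempts(SAMPLE_LOG))
```

On the constructed sample, the first source crosses the five-failure threshold within eight seconds, while the second source's two failures half an hour apart do not; loosening the window shows how the same code reproduces a stricter Auto Block policy.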

Indicators of Compromise

The attackers have been seen to change their files regularly, producing different hashes each time, so the indicators below should not be relied on in isolation.

The below IoCs are courtesy of Palo Alto Networks’ Unit 42 research division:

File Hashes

Payload URLs

183[.]76.46.30/1/crp_linux_arm
183[.]76.46.30/1/crp_linux_386
98[.]144.56.47/1/crp_linux_arm
98[.]144.56.47/1/crp_linux_386
64[.]42.152.46/h/crp_linux_386
64[.]42.152.46/h/crp_linux_arm
2[.]37.149.230/1/crp_linux_386
2[.]37.149.230/1/crp_linux_arm

C2 Request

hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/chuADfBHD8hpgVs7wH8eS3S0Vv-rusj6

hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/41xvlF4tQ1b3iXd5okwCNhcj7fh9gMB2

hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/hv3PWxhLkfOuNjE9u3eOGogbGSH2bGT0

hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/-xS-0UcHPaAJgaQCkyE29icDiJeAakj7

Socks5 Proxies used

161[.]35.151.35:9100
185[.]10.68.89:9100
185[.]181.229.175:9100
176[.]122.23.54:9100
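As an added example (not code from the advisory or from Unit 42), the script below takes the network indicators listed above, undoes the publication-safe defanging ("[.]" and "hxxp"), and matches the resulting payload hosts, SOCKS5 proxy addresses and the .onion C2 domain against outbound-connection log lines. The log format and sample lines are constructed for illustration; the indicator values themselves are the ones on this page.

```python
"""Match the advisory's network IoCs against outbound-connection logs.

Added example; not code from the advisory or from Unit 42. The indicator
values are the ones listed on the page (defanged as published); the firewall
style log format and the sample lines are constructed assumptions.
"""
import re

PAYLOAD_URLS = [
    "183[.]76.46.30/1/crp_linux_arm",
    "183[.]76.46.30/1/crp_linux_386",
    "98[.]144.56.47/1/crp_linux_arm",
    "98[.]144.56.47/1/crp_linux_386",
    "64[.]42.152.46/h/crp_linux_386",
    "64[.]42.152.46/h/crp_linux_arm",
    "2[.]37.149.230/1/crp_linux_386",
    "2[.]37.149.230/1/crp_linux_arm",
]
SOCKS5_PROXIES = [
    "161[.]35.151.35:9100",
    "185[.]10.68.89:9100",
    "185[.]181.229.175:9100",
    "176[.]122.23.54:9100",
]
C2_DOMAIN = "veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion"


def refang(indicator):
    """Undo the publication-safe escaping ("[.]", "hxxp") so values match live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_indicators():
    """Map each host-level indicator to a category; paths and ports are stripped
    because a firewall log records the peer address, not the URL path."""
    indicators = {}
    for url in PAYLOAD_URLS:
        indicators[refang(url).split("/", 1)[0]] = "payload_host"
    for proxy in SOCKS5_PROXIES:
        indicators[refang(proxy).split(":", 1)[0]] = "socks5_proxy"
    indicators[refang(C2_DOMAIN)] = "c2_domain"
    return indicators


# Dotted-quad with guards so 185.10.68.89 does not match inside 185.10.68.890.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# v2/v3 onion hostnames: base32 label followed by .onion
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")


def scan(lines, indicators=None):
    """Return (line_number, category, indicator) for every line touching an IoC."""
    indicators = indicators or build_indicators()
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for token in IPV4_RE.findall(line) + ONION_RE.findall(line):
            category = indicators.get(token)
            if category and token not in seen:
                seen.add(token)
                hits.append((n, category, token))
    return hits


# Constructed sample lines in a hypothetical "<ts> SRC=<ip> DST=<ip> DPT=<port>"
# firewall format, plus one proxy-style line that carries a hostname.
SAMPLE_LOG = """\
2021-08-10T10:01:00 SRC=192.0.2.10 DST=64.42.152.46 DPT=80 PROTO=TCP
2021-08-10T10:01:05 SRC=192.0.2.10 DST=185.10.68.89 DPT=9100 PROTO=TCP
2021-08-10T10:02:00 SRC=192.0.2.11 DST=203.0.113.77 DPT=443 PROTO=TCP
2021-08-10T10:02:30 SRC=192.0.2.10 HOST=veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion
"""

if __name__ == "__main__":
    for n, category, ioc in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {category} {ioc}")
```

Because the hashes change between samples, the network indicators are the more durable signal here: a NAS reaching a payload host on its download path, or opening a connection to one of the proxy addresses on port 9100, is worth an alert even when the binary itself is not recognised.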

Threat Landscape

“Small Office/Home Office (SOHO) users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use SOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms”

SOHO users are also more likely to pay the smaller ransom sums demanded. In mid-April a ransomware campaign against QNAP devices netted the attackers $260,000 in just 5 days. In this instance the attackers used the 7Zip utility to encrypt the data.

According to data from the Cortex Xpanse platform, some 243,500 QNAP and Synology NAS devices are currently exposed to the public internet.

Further Information

Bleeping Computer – eCh0raix ransomware now targets both QNAP and Synology NAS devices
Bleeping Computer – Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices
Bleeping Computer – A ransomware gang made $260,000 in 5 days using the 7zip utility
Synology® Investigates Ongoing Brute-Force Attacks From Botnet
Unit 42 Palo Alto – New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices
QNAP