For perhaps the first time, ransomware is attacking NAS devices.
The ransomware, dubbed eCh0raix by Anomali, the threat detection vendor that discovered it, targets QNAP network-attached storage devices. It scans the internet for publicly accessible QNAP devices and tries to break in with a brute-force credential attack that guesses weak login credentials.
According to Anomali, eCh0raix encrypts files with specifically targeted extensions on the NAS using AES encryption and appends an “.encrypt” extension to the encrypted files. The ransom note directs victims to pay a ransom in bitcoin via a website accessible with a Tor browser.
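A defensive check built on the “.encrypt” suffix described above, as an added example that is not from Anomali or the original article: it walks a share, flags folders where most files carry the suffix, and tallies which original file types were hit. The function names, the 0.5 threshold and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

MARKER = ".encrypt"  # suffix the article says is appended to encrypted files


def scan_share(root, min_ratio=0.5):
    """Return (flagged, hit_types) for the tree under root.

    flagged: {relative dir: (marked, total)} where marked/total >= min_ratio.
    hit_types: Counter of the original extensions found beneath the marker.
    """
    flagged, hit_types = {}, Counter()
    for dirpath, _dirs, files in os.walk(root):
        marked = [f for f in files if f.lower().endswith(MARKER)]
        for name in marked:
            original = name[: -len(MARKER)]  # "q3.xlsx.encrypt" -> "q3.xlsx"
            hit_types[os.path.splitext(original)[1].lower() or "(none)"] += 1
        if files and len(marked) / len(files) >= min_ratio:
            flagged[os.path.relpath(dirpath, root)] = (len(marked), len(files))
    return flagged, hit_types


# Constructed sample layout (hypothetical names, not taken from any real incident).
SAMPLE = {
    "finance": ["q3.xlsx.encrypt", "invoice.pdf.encrypt", "notes.txt.encrypt", "tool.bin"],
    "archive": ["old.zip.encrypt", "a.doc", "b.doc", "c.doc"],
    "media": ["clip.mp4", "cover.jpg"],
}


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for folder, names in SAMPLE.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return scan_share(root)


if __name__ == "__main__":
    flagged, hit_types = demo()
    for folder, (marked, total) in sorted(flagged.items()):
        print(f"ALERT {folder}: {marked}/{total} files end in {MARKER}")
    print("original types hit:", dict(hit_types))
```

A folder with only a few renamed files, such as `archive` in the sample, stays below the threshold but still appears in the type tally, so the tally is worth reviewing even when no folder is flagged.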
“This is the first I’ve heard of a hacker targeting a specific hardware type; typically, they target users and then get in through the user space rather than targeting specific back-end devices,” said Scott Sinclair, a senior analyst covering storage and data protection for ESG.
At the same time, it makes sense, he said, because NAS devices often hold valuable data.
“But NAS devices are designed to hold data storage, file storage, which tends to be very valuable,” Sinclair said. “It does seem fairly unusual, but they are going to try whatever means they can, and if they have identified it from what I understand is it has found specific exploits in these types of devices … these types of devices house business data, so they are using that to their advantage to go after and prevent access and ransom that off.”
In addition, NAS devices are less likely to have commercial antivirus products running on them, which are often found on endpoints. QNAP NAS devices are a logical target, Sinclair said, since they are often found in smaller environments, such as small businesses or branch office environments. These users tend to use older storage devices longer than they should or fail to keep patches updated because the systems seem to work fine.
There are ways to protect NAS devices against ransomware attacks. At the very least, keep up with patches, place the systems behind a firewall, and require access via a virtual private network (VPN) with appropriate authentication mechanisms, advises Joakim Kennedy, threat intel manager at Anomali.
“It comes down to good security hygiene,” he said. “Make sure to apply patches, don’t use weak credentials and reduce the exposure of your devices to the internet as much as possible. Also, ensure you have an effective backup policy for important and critical files.”
This ransomware event should also have an impact on organizations considering buying a new NAS system, Sinclair said. At the very least, potential buyers should ask more questions about the rigor vendors are putting into security testing of their products.
“Any IT vendor that develops storage—especially file storage—will be working even more closely with their engineering teams to make sure that enough security has been put in during the development cycle,” he added.