With a few exceptions, most ransomware infections work in basically the same way. First, the attackers trick a user into clicking on a malicious link or opening an infected attachment. From there, the ransomware sets about encrypting the user’s files. Once the encryption process is complete, the ransomware displays a message informing its victim about the infection and demanding payment. More recently, however, a new ransomware attack vector seems to be in play--one that specifically targets NAS appliances.
According to Yahoo Finance, a threat intelligence company called Anomali has discovered a new ransomware variant dubbed eCh0raix. Unlike traditional ransomware, which targets users and their files, this one performs a direct attack against NAS appliances. Like other types of ransomware, eCh0raix encrypts targeted files, and then demands payment via bitcoin (through a Website on the Dark Web, no less).
Ransomware that gains a foothold into an organization when users click on something that they shouldn’t is bad enough; but the idea that ransomware can directly attack your NAS, with no user involvement, is extremely unsettling. So how does this particular attack work, and what can you do about it?
Because eCh0raix targets NAS appliances rather than individual users, it exploits vulnerabilities associated with a specific NAS operating system. More specifically, eCh0raix targets QNAP NAS appliances. QNAP manufactures enterprise-grade NAS devices, as well as appliances designed for use by consumers and SMBs. All of the current-generation QNAP appliances run the same operating system, which makes QNAP NAS devices vulnerable to attack--regardless of the appliance’s model number.
Based on reports, it seems that the ransomware targets QNAP NAS appliances that are accessible over the internet, and then uses a brute-force attack to try to guess the appliance’s password. Fortunately, there are several things that admins can do to prevent an eCh0raix infection.
First, check to make sure that your QNAP appliances are running the latest version of the QNAP operating system. While the idea of applying the latest patches as a first line of defense might sound a bit cliché, those who have suffered an eCh0raix infection have reportedly been running older versions of the software (4.1.3 or 4.2.6).
The easiest way to find out what version of software is running on your QNAP appliances is to open the Qfinder Pro application. As you can see in Figure 1, this application lists the operating system version that is running on each of your appliances.
Figure 1: The Qfinder Pro application lists the operating system version used by each of your QNAP appliances.
If you do discover that your appliance needs to be updated, you can find available updates in the QNAP Control Panel in the Firmware Update section. You can see what this looks like in Figure 2.
Figure 2: Firmware updates are available through the QNAP Control Panel.
It is worth noting that, like some of the other NAS appliances on the market, QNAP NAS devices can run applications. (There are even antivirus applications available.) And, as with the device’s firmware, both default applications and third-party applications occasionally need to be patched. You can find application updates in the QNAP AppCenter. If you look at Figure 3, for example, you can see that there are updates available for three of my apps.
Figure 3: Be sure to keep your apps up to date.
I also recommend that you go into the QNAP Control Panel, click on the System Logs option, and then enable system connection logging, as shown in Figure 4. Those who have been infected by the eCh0raix ransomware have reported seeing a significant number of failed login attempts in their logs, caused by the ransomware’s brute-force password guessing.
Figure 4: Click the Start Logging button to enable system connection logging.
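Once connection logging is on, the failed-login burst described above is easy to spot automatically. The following script is an added example (not from this article, and not a QNAP tool): it parses a constructed log excerpt and flags any source address that produced a threshold number of failed logins inside a sliding time window. The line format is assumed for illustration; a real QNAP connection-log export has different columns, so `parse_line()` would need to be adapted.

```python
# Added example: flag sources producing many failed logins in a short window,
# the pattern eCh0raix victims reported in their connection logs. The log
# format below is constructed; adapt parse_line() to real QNAP export columns.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, user, source IP, service, outcome.
SAMPLE_LOG = """\
2019-07-10 02:14:01 admin 198.51.100.7 SSH Login fail
2019-07-10 02:14:03 admin 198.51.100.7 SSH Login fail
2019-07-10 02:14:04 admin 198.51.100.7 SSH Login fail
2019-07-10 02:14:06 admin 198.51.100.7 SSH Login fail
2019-07-10 02:14:07 admin 198.51.100.7 SSH Login fail
2019-07-10 02:14:09 admin 198.51.100.7 SSH Login fail
2019-07-10 08:31:40 alice 192.0.2.10 HTTP Login fail
2019-07-10 08:31:55 alice 192.0.2.10 HTTP Login OK
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) "
                     r"(?P<ip>\S+) (?P<svc>\S+) Login (?P<result>OK|fail)$")

def parse_line(line):
    """Return (timestamp, user, ip, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["user"], m["ip"], m["result"])

def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_failures} for every source IP that produced at least
    `threshold` failed logins inside some sliding window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "fail":
            failures[rec[2]].append(rec[0])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `find_bruteforce_sources(SAMPLE_LOG)` on the constructed excerpt flags only 198.51.100.7 (six failures in eight seconds); the single failed login from 192.0.2.10 followed by a success is left alone.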
Finally, consider whether or not your NAS appliance needs to be externally accessible. Granted, many organizations use the VPN functionality that is built into their QNAP NAS appliances, or they might create SMB shares directly on the appliance. In such cases, disabling direct access to the appliance isn’t an option.
In my case though, I use my QNAP NAS appliances as external storage arrays rather than as file servers. As such, my QNAP appliances are directly connected to Hyper-V servers by way of a 10 GbE network connection. When such a configuration is used, risks associated with direct attacks from the outside world can be mitigated by simply unplugging any Ethernet cables that connect the appliance to the network. These cables can be easily reconnected when performing maintenance, but are unnecessary for day-to-day operations if the appliance is functioning solely as an external storage array and has a direct connection to a host.