Threat Actors Utilizing eCh0raix Ransomware Change NAS Targeting

August 1, 2019 | Anomali Labs

Introduction

On July 23, 2019, Synology Inc., a Taiwan-based Network Attached Storage (NAS) company, posted an advisory on safeguarding internet-connected Synology NAS devices from ransomware attacks.[1] The storage devices are encrypted after attackers successfully brute-force administrator credentials, using default credentials or dictionary attacks. Synology users have also publicly reported ransomware and brute-force attacks on social media platforms and forums. Figure 1 below shows a screenshot of failed login attempts shared by a user on Reddit.

Figure 1 - Brute-force Attack Screenshot Shared by a Reddit User
Source: https://holland.pk/uptow/i4/aef55dd69b8e1dcc6783189b977ee216.jpg

Anomali has been monitoring ransomware attacks on NAS devices, and on July 21st a user posted on the BleepingComputer forum that his Synology NAS had been infected by ransomware. The user noted that the files had been encrypted with a “.encrypt” extension, as observed in Figure 2.

Figure 2 - Screenshot of BleepingComputer forum post.

The post also shared the Onion URL, http://qkqkro6buaqoocv4[.]onion/order/16sYqXAncDDiijcuruZecCkdBDwDf4vSEC, and a Bitcoin wallet address for making payment and obtaining the decryptor. We followed the URL and found that the user had already paid 0.06 bitcoins (BTC) (approximately $602 USD) and obtained a decryptor (Figure 3).

Figure 3 - Screenshot of Onion site.

The page gives the victims instructions for decrypting the files on the NAS device and a link to download the decryptor file. The website also has a chat function for interacting with the perpetrator (Figure 4).

Figure 4 - Screenshot of interaction between victim and perpetrator.

The download link was live when we visited it via a Tor-enabled browser, and we downloaded the file named “decryptor.zip”. Unzipping it extracts three files, as shown below in Figure 5.

Figure 5 - Screenshot of extracted files from the file “decryptor.zip”

The decryptor files are compiled from Go source code. The program is very simple, with only 140+ lines of source code. A reconstruction of the source code tree is shown below in Figure 6. As the file name suggests, the only functionality of the executable is to decrypt the files.

Figure 6 - Screenshot of Go source tree structure from Synology Decryptor

Figure 7 - Screenshot of Go source tree structure from QNAP Decryptor

After examining the strings in the decryptor, Anomali researchers found that it is the same eCh0raix ransomware that targeted QNAP devices last month.[2] The identification was based on code similarities and the unique string “eCh0raix” present in the decryptor executable. The source code tree of the eCh0raix decryptor is shown in Figure 7, and a sample code comparison between the two decryptors is shown in Figure 8 below.

Figure 8 - Screenshot showing code similarities between both decryptors

During the decryption process, the decryptor looks for the keyword “eCh0raix” in the encrypted files to confirm that the decryption routine is complete. The unique string acts as a marker in the infection process.
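As an added example (not part of the Anomali report or of the eCh0raix decryptor itself), the Go triage scanner below walks a mounted NAS share and flags files that carry the “.encrypt” extension or contain the “eCh0raix” marker described above. The report does not state where in a file the marker sits, so the scanner searches whole file contents up to a size limit; that placement is an assumption.

```go
package main

import (
	"bytes"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the analysis above.
var marker = []byte("eCh0raix") // string the decryptor checks for in encrypted files
const encExt = ".encrypt"         // extension reported on the victim's encrypted files

// Finding records one file showing an eCh0raix indicator.
type Finding struct {
	Path      string
	HasExt    bool // file name ends in ".encrypt"
	HasMarker bool // file contents contain "eCh0raix"
}

// ScanTree walks root and reports files carrying the extension and/or the marker.
// Assumption: the marker's offset is unknown, so the whole file is searched; files
// larger than maxBytes are judged on extension only, keeping memory use bounded.
func ScanTree(root string, maxBytes int64) ([]Finding, error) {
	var found []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		f := Finding{Path: p, HasExt: strings.HasSuffix(strings.ToLower(p), encExt)}
		if info, err := d.Info(); err == nil && info.Size() <= maxBytes {
			data, err := os.ReadFile(p)
			if err != nil {
				return err
			}
			f.HasMarker = bytes.Contains(data, marker)
		}
		if f.HasExt || f.HasMarker {
			found = append(found, f)
		}
		return nil
	})
	return found, err
}
```

Files matching on the marker alone deserve a closer look, since a partially decrypted or renamed file would keep the marker but lose the extension.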

Analysis

We believe that this attack against Synology users was conducted by the same actor behind the eCh0raix ransomware targeting QNAP NAS devices, as reported on July 10, 2019. This conclusion is based on code similarity, ransom amount, and shared strings. The threat actors behind these attacks will likely continue their malicious activity because the large number of NAS devices connected to the internet presents a large target pool. Furthermore, NAS devices are sometimes the final backup for companies or individuals, so actors have more leverage when demanding ransom.

Recommendations

Restrict external access to NAS devices, or limit access to VPN connections only. Ensure all NAS devices are up to date with security patches and that strong credentials are employed.

IOCs

qkqkro6buaqoocv4[.]onion

Bitcoin Addresses

16sYqXAncDDiijcuruZecCkdBDwDf4vSEC

1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP

1LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135

Endnotes

[1] “Synology® Urges All Users to Take Immediate Action to Protect Data from Ransomware Attack,” Synology Press Release, accessed July 31, 2019, published July 23, 2019, https://www.synology.com/en-global/company/news/article/2019JulyRansomware.

[2] Anomali Labs, “The eCh0raix Ransomware,” Anomali, accessed July 31, 2019, published July 10, 2019, https://www.anomali.com/blog/the-ech0raix-ransomware.
