Threat Actors Utilizing eCh0raix Ransomware Change NAS Targeting

<h2>Introduction</h2><p>On July 23, 2019, Synology Inc., a Taiwan-based Network Attached Storage (NAS) company, posted an advisory on safeguarding internet-connected Synology NAS devices from Ransomware attacks.^[1] The storage devices are encrypted after attackers successfully brute-forcing administrator credentials by using default credentials or dictionary attacks. There are also public reports of ransomware and brute-force attacks from Synology users on social media platforms and forums. Figure 1 below shows a screenshot of failed login attempts shared by a user on Reddit.</p><p style="text-align: center;"><em><img alt="Brute-force Attack Screenshot Shared by A Reddit User" src="https://cdn.filestackcontent.com/pPrglD1TQeHMf3ofw1Cq"/><br/> Figure 1 - Brute-force Attack Screenshot Shared by A Reddit User<br/> Source: https://holland.pk/uptow/i4/aef55dd69b8e1dcc6783189b977ee216.jpg</em></p><p>Anomali has been monitoring ransomware attacks on NAS devices, and on July 21st a user posted on BleepingComputer forum that his Synology NAS was infected by a ransomware. The user noted that the files had been encrypted with a “.encrypt” extension, as observed in Figure 2.</p><p style="text-align: center;"><em><img alt="Screenshot of Bleepingcomputer forum post" src="https://cdn.filestackcontent.com/tQKj5nFqQWeJZD1xUyc8"/><br/> Figure 2 - Screenshot of Bleepingcomputer forum post.</em></p><p>The post also shared the Onion URL, http://qkqkro6buaqoocv4[.]onion/order/16sYqXAncDDiijcuruZecCkdBDwDf4vSEC, and a Bitcoin wallet address for making payment and obtaining the decryptor. We followed the URL and found that the user had already paid 0.06 bitcoins (BTC) (approximately $602 USD) and obtained a decryptor, Figure 3.</p><p style="text-align: center;"><em><img alt="Screenshot of Onion site" src="https://cdn.filestackcontent.com/4icFAnYdR1OxkTLcm2RM"/><br/> Figure 3 - Screenshot of Onion site.</em></p><p>The page gives instructions to the victims for decrypting the files on the NAS device and a link to download the decryptor file. There’s a chat functionality on the website to interact with the perpetrator, Figure 4.</p><p style="text-align: center;"><em><img alt="Screenshot of interaction between victim and perpetrator" src="https://cdn.filestackcontent.com/O8VnRPNvRIeietxr3DiK"/><br/> Figure 4 - Screenshot of interaction between victim and perpetrator.</em></p><p>The download link was live when we visited the link via TOR enabled browser and downloaded the file named “decryptor.zip”. After unzipping it extracts 3 files as shown below in Figure 5.</p><p style="text-align: center;"><em><img alt="Screenshot of extracted files from the file “decryptor.zip”" src="https://cdn.filestackcontent.com/SYwF8hjlQrq6dCCSaznH"/><br/> Figure 5 - Screenshot of extracted files from the file “decryptor.zip”</em></p><p>The decryptor files are compiled in Go programming language. It is very simple with only 140+ lines of source code. A reconstruction of the source code tree is shown below in Figure 6. As the file name suggests the only functionality of the executable is to decrypt the files.</p><p style="text-align: center;"><em><img alt="Screenshot of Go source Tree structure from Synology Decryptor" src="https://cdn.filestackcontent.com/G5Dgs8pQXyZhCKxAT9P8"/><br/> Figure 6 - Screenshot of Go source Tree structure from Synology Decryptor</em></p><p style="text-align: center;"><em><img alt="Screenshot of Go source Tree structure from QNAP Decryptor" src="https://cdn.filestackcontent.com/3ZCd7pWfSXqdoda6ehQN"/><br/> Figure 7 - Screenshot of Go source Tree structure from QNAP Decryptor</em></p><p>After looking into the strings of the decryptor, Anomali researchers found that it is the same eCh0raix ransomware that targeted QNAP devices last month.^[2] The identification was made based on the code similarities and the unique string “eCh0raix” present in the decryptor executable. The source code tree of the eCh0raix decryptor is shown in Figure 7 and a sample code comparison between the samples is shown in Figure 8 below.</p><p style="text-align: center;"><em><img alt="Screenshot shows code similarities of both Decryptors" src="https://cdn.filestackcontent.com/VktyI3xFQKdTEG0yDZkR"/><br/> Figure 8 - Screenshot shows code similarities of both Decryptors</em></p><p>During the decryption process the decryptor looks for the keyword “eCh0raix” in the encrypted files to confirm if the decryption routine is complete. The unique string acts as a marker in the infection process.</p><h2>Analysis</h2><p>We believe that this attack against Synology users was conducted by the same actor behind the eCh0raix ransomware targeting QNAP NAS devices, as reported on July 10, 2019. This conclusion was based on code similarity, ransom amount, and shared strings. The threat actors behind these attacks will likely continue their malicious activity because the large amount of NAS devices connected to the internet presents a large target pool. Furthermore, NAS devices are sometimes the final backup for companies or individuals, therefore, actors have more leverage when demanding ransom.</p><h3>Recommendations</h3><p>Restrict external access to the NAS devices or the access should be limited only via VPN. Ensure all NAS devices are up-to-date with security patches and that strong credentials are employed.</p><h3>IOCs</h3><p>qkqkro6buaqoocv4[.]onion</p><h3>Bitcoin Addresses</h3><p>16sYqXAncDDiijcuruZecCkdBDwDf4vSEC</p><p>1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP</p><p>1LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135</p><h2>Endnotes</h2><p>^[1] “Synology® Urges All Users to Take Immediate Action to Protect Data from Ransomware Attack,” Synology Press Release, accessed July 31, 2019, published July 23, 2019, https://www.synology.com/en-global/company/news/article/2019JulyRansomware.</p><p>^[2] Anomali Labs, “Thech0raix Ransomware,” Anomali, accessed July 31, 2019, published July 10, 2019, https://www.anomali.com/blog/the-ech0raix-ransomware.</p>