elf.qnapcrypt

QNAPCrypt

aka: eCh0raix

The QNAPCrypt ransomware works much like other ransomware: it encrypts all files and delivers a ransom note. However, there are several important differences:

1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.

2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.

3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

References
2022-02-09 | vmware | VMWare
@techreport{vmware:20220209:exposing:7b5f76e, author = {VMWare}, title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}}, date = {2022-02-09}, institution = {vmware}, url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf}, language = {English}, urldate = {2022-02-10} } Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022-01-20 | Trend Micro | Stephen Hilt, Fernando Mercês
@techreport{hilt:20220120:backing:9498542, author = {Stephen Hilt and Fernando Mercês}, title = {{Backing Your Backup Defending NAS Devices Against Evolving Threats}}, date = {2022-01-20}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf}, language = {English}, urldate = {2022-01-24} } Backing Your Backup Defending NAS Devices Against Evolving Threats
QNAPCrypt QSnatch
2021-08-10 | paloalto Netoworks: Unit42 | Ruchna Nigam, Haozhe Zhang, Zhibin Zhang
@online{nigam:20210810:new:ee88c46, author = {Ruchna Nigam and Haozhe Zhang and Zhibin Zhang}, title = {{New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices}}, date = {2021-08-10}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/}, language = {English}, urldate = {2021-08-20} } New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices
QNAPCrypt
2021-05-14 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20210514:qnap:9af65b9, author = {Sergiu Gatlan}, title = {{QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day}}, date = {2021-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/}, language = {English}, urldate = {2021-05-17} } QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day
QNAPCrypt
2021-03-05 | 360 netlab | Yanlong Ma, JiaYu, GenShen Ye
@online{ma:20210305:qnap:c353950, author = {Yanlong Ma and JiaYu and GenShen Ye}, title = {{QNAP NAS users, make sure you check your system}}, date = {2021-03-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/}, language = {English}, urldate = {2021-03-22} } QNAP NAS users, make sure you check your system
QNAPCrypt
2021-03-02 | Intezer | Joakim Kennedy
@online{kennedy:20210302:when:b33af31, author = {Joakim Kennedy}, title = {{When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?}}, date = {2021-03-02}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt}, language = {English}, urldate = {2021-03-04} } When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?
QNAPCrypt SunCrypt
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
@online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}, title = {{Cloud Threat Landscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } Cloud Threat Landscape Report 2020
QNAPCrypt RokRAT
2020-06-16 | Intezer | Aviygayil Mechtinger
@online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020-06-08 | QNAP | QNAP
@online{qnap:20200608:ech0raix:e56ecba, author = {QNAP}, title = {{eCh0raix Ransomware}}, date = {2020-06-08}, organization = {QNAP}, url = {https://www.qnap.com/en/security-advisory/QSA-20-02}, language = {English}, urldate = {2020-06-12} } eCh0raix Ransomware
QNAPCrypt
2019-09-20 | Intezer | Intezer
@online{intezer:20190920:russian:27d9f67, author = {Intezer}, title = {{Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns}}, date = {2019-09-20}, organization = {Intezer}, url = {https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/}, language = {English}, urldate = {2020-01-08} } Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
QNAPCrypt
2019-07-10 | Anomali | Threat Research Team
@online{team:20190710:ech0raix:b334de7, author = {Threat Research Team}, title = {{The eCh0raix Ransomware}}, date = {2019-07-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/the-ech0raix-ransomware}, language = {English}, urldate = {2020-01-10} } The eCh0raix Ransomware
QNAPCrypt
2019-07-10 | Intezer | Ignacio Sanmillan
@online{sanmillan:20190710:how:e52e04c, author = {Ignacio Sanmillan}, title = {{How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers}}, date = {2019-07-10}, organization = {Intezer}, url = {https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/}, language = {English}, urldate = {2020-01-13} } How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
QNAPCrypt

There is no Yara-Signature yet.