The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
References:
- 2020-06-16 ⋅ IBM ⋅ Cloud Threat Landscape Report 2020
- 2020-06-16 ⋅ Intezer ⋅ ELF Malware Analysis 101: Linux Threats No Longer an Afterthought (families covered: Cloud Snooper, Dacls, EvilGnome, HiddenWasp, MESSAGETAP, NOTROBIN, QNAPCrypt, Winnti)
- 2020-06-08 ⋅ QNAP ⋅
- 2019-09-20 ⋅ Intezer ⋅ Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
- 2019-07-10 ⋅ Intezer ⋅ How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
- 2019-07-10 ⋅ Anomali ⋅ The eCh0raix Ransomware
There is no YARA signature yet.