elf.qnapcrypt

QNAPCrypt

aka: eCh0raix

The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.

2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.

3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

References
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
Cloud Threat Landscape Report 2020
https://www.ibm.com/downloads/cas/Z81AVOY7
Families: QNAPCrypt, RokRAT

2020-06-16 | Intezer | Aviygayil Mechtinger
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
Families: Cloud Snooper, Dacls, EvilGnome, HiddenWasp, MESSAGETAP, NOTROBIN, QNAPCrypt, Winnti

2020-06-08 | QNAP | QNAP
eCh0raix Ransomware
https://www.qnap.com/en/security-advisory/QSA-20-02
Families: QNAPCrypt

2019-09-20 | Intezer | Intezer
Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
Families: QNAPCrypt

2019-07-10 | Intezer | Ignacio Sanmillan
How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/
Families: QNAPCrypt

2019-07-10 | Anomali | Threat Research Team
The eCh0raix Ransomware
https://www.anomali.com/blog/the-ech0raix-ransomware
Families: QNAPCrypt

There is no Yara-Signature yet.