New Ransomware is Targeting QNAP’s Network-Attached Storage Devices

Researchers discovered a new form of ransomware that is targeting network storage devices.

The ransomware, named eCh0raix, compromises devices by brute-forcing weak credentials and taking advantage of known vulnerabilities in their systems. A team of cybersecurity researchers at Anomali detailed this file-locking malware, which emerged in June. It targets network-attached storage (NAS) devices made by QNAP Systems, a Taiwanese firm with offices in 16 countries.

The security provider said in an advisory that the extent of the infection is still unclear.

The malware seems to have been designed for targeted attacks and not just for mass distribution. In some samples that Anomali analyzed, the hard-coded encryption keys appeared to have unique decryption keys linked to them. This means that the same decryptor would not work for all victims.


Joakim Kennedy, Anomali’s threat intelligence manager, said the company had found a fully offline version of the malware. He added that it also has an online version that reaches out to the C2 server. Once it reaches the server, it gets the bitcoin wallet and public key before it starts.

Hackers wrote eCh0raix in the Go programming language. Anomali described the malware as very simple, with source code of fewer than 400 lines. It checks whether the files are already encrypted before reaching out to a server to begin the encryption.

During an attack, the malware leaves a ransom note informing users that all their data has been locked. Victims are then directed to a Tor website to pay the ransom in bitcoin. The ransomware also warns users not to tamper with the encrypted data.

What makes eCh0raix interesting is that it targets NAS devices, Kennedy observed. These devices are often used to store essential files and backups, particularly in enterprise settings, despite having little protection. This fact makes NAS devices a potentially profitable target for ransomware authors, he added.

To protect NAS devices against ransomware attacks, security specialists recommend that users restrict external access to them. This way, the devices will be hidden from the outside internet. Experts also advise users to apply security patches and use strong login credentials to protect systems from brute-force attacks.


eCh0raix is the latest example of ransomware used in targeted attacks. In the last few months, many security vendors have reported a substantial reduction in overall ransomware activity. However, they have seen a sharp increase in attacks targeting enterprise organizations.