QNAP NAS Community Forum

The Hacker News wrote:A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News.

Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.

Dubbed "QNAPCrypt" by Intezer and "eCh0raix" by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

...

As a reminder, we urge users not to, unknowingly or unnecessarily, connect their NAS devices directly to the Internet, and also enable automatic updates to keep firmware up-to-date.

SC wrote:The researchers said the threat actor appears to be scanning the internet for QNAP devices and then compromises those set up with weak passwords. The number of potentially vulnerable QNAP NAS drives is not known, Anomali said, adding the researchers have found samples compiled for ARM and Intel x86, leading us to believe it is present in both enterprise and home devices.

...

The ransomware code itself is very simple, containing just 400 lines and written in the Go programming language.

The ransomware reaches out to the URL http://192.99.206[.]61/d.php?s=started and then tells command and control server sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000 it is up and running.

Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

To avoid infection, you must:

Update QTS to the latest version.

Recommendation
To avoid infection, you must:

Update QTS to the latest version.
Install and update Malware Remover to the latest version.
Use a stronger admin password.
Enable Network Access Protection to protect accounts from brute force attacks.
Disable SSH and Telnet services if you are not using them.
Avoid using default port numbers 443 and 8080.

Moogle Stiltzkin wrote: ↑Thu Jul 11, 2019 2:45 pm time to enable reserved space for snapshots.

OneCD wrote: ↑Fri Jul 12, 2019 7:58 am

Moogle Stiltzkin wrote: ↑Thu Jul 11, 2019 2:45 pm time to enable reserved space for snapshots.

Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS.

Moogle Stiltzkin wrote: ↑Fri Jul 12, 2019 8:14 am

OneCD wrote: ↑Fri Jul 12, 2019 7:58 am

Moogle Stiltzkin wrote: ↑Thu Jul 11, 2019 2:45 pm time to enable reserved space for snapshots.

Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS.

what!

dolbyman wrote: ↑Fri Jul 12, 2019 10:14 am snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected