[SECURITY ADVISORY] eCh0raix Ransomware

Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

[SECURITY ADVISORY] eCh0raix Ransomware

Post by Toxic17 »

  • Release date: May 14, 2021
  • Security ID: QSA-21-18
  • Affected products: QNAP NAS devices
  • Status: Investigating

Summary
The eCh0raix ransomware has been reported to affect QNAP NAS devices. Devices using weak passwords may be susceptible to attack.
We strongly recommend users act immediately to protect their data.
If you have any questions regarding this issue, please contact us through the QNAP Helpdesk.

Recommendation
To avoid infection, we recommend the following actions:
  1. Use stronger passwords for your administrator accounts.
  2. Enable IP Access Protection to protect accounts from brute force attacks.
  3. Avoid using default port numbers 443 and 8080.

Changing the Device Password
  1. Log on to QTS or QuTS hero as administrator.
  2. Click the profile picture on the Task Bar.
    The Options window opens.
  3. Click Password Settings.
  4. Specify the old password.
  5. Specify the new password.
    QNAP recommends the following criteria to improve password strength:
    • At least 8 characters in length
    • Include both uppercase and lowercase characters
    • Include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  6. Verify the new password.
  7. Click Apply.

Enabling IP Access Protection
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > System > Security > IP Access Protection.
  3. Configure SSH protection.
    1. Select SSH.
    2. Specify a time period, the number of failed login attempts, and the duration for blocking an IP address that has reached the number of failed login attempts within the time period.
  4. Configure HTTP(S) protection.
    1. Select HTTP(S).
    2. Specify a time period, the number of failed login attempts, and the duration for blocking an IP address that has reached the number of failed login attempts within the time period.
  5. Click Apply.

Changing the System Port Number
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > System > General Settings > System Administration.
  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.
  4. Click Apply.
Revision History: V1.0 (May 14, 2021) - Published
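
The five password criteria listed in the advisory above, written out as a check that can be run over candidate passwords before they are set. This is an added example, not QNAP's code and not part of the original post; the function names, the treatment of any non-alphanumeric character as "special", the case-insensitive username comparison and the sample accounts are assumptions.

```python
import re

def failed_criteria(username: str, password: str) -> list[str]:
    """Return the advisory criteria that `password` fails; an empty list means it passes."""
    failed = []
    if len(password) < 8:
        failed.append("length")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failed.append("mixed-case")
    if not any(c.isdigit() for c in password):
        failed.append("number")
    # Assumption: "special character" means anything that is not a letter or digit.
    if not any(not c.isalnum() for c in password):
        failed.append("special")
    # Assumption: the comparison with the username (and its reverse) ignores case.
    user = username.lower()
    if password.lower() in (user, user[::-1]):
        failed.append("username")
    # The same character three or more times in a row, e.g. "aaa".
    if re.search(r"(.)\1\1", password):
        failed.append("repeat")
    return failed

def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each account whose candidate password fails to the criteria it fails."""
    report = {}
    for username, password in accounts.items():
        failed = failed_criteria(username, password)
        if failed:
            report[username] = failed
    return report

# Constructed username -> candidate password pairs, for illustration only.
SAMPLE = {
    "admin": "admin",
    "Qnap2021!": "!1202panQ",      # the username reversed
    "alice": "Passs0rd!",          # "sss" repeats three times
    "backup": "Tr1cky-Pa55phrase",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: fails {', '.join(reasons)}")
```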
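
How the three IP Access Protection settings from the advisory above (time period, number of failed login attempts, block duration) interact, as a small model replayed over login events. This is an added example, not QNAP's implementation and not part of the original post; the class, the event format, the parameter values and the IP addresses are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

class AccessProtection:
    """Block an IP after max_failures failed logins within window_s seconds."""
    def __init__(self, window_s: int, max_failures: int, block_s: int):
        self.window_s, self.max_failures, self.block_s = window_s, max_failures, block_s
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block ends

    def is_blocked(self, ip: str, now: int) -> bool:
        return self._blocked_until.get(ip, 0) > now

    def record_failure(self, ip: str, now: int) -> bool:
        """Count one failed login; return True if it triggers a block."""
        recent = self._failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_s
            recent.clear()
            return True
        return False

def replay(events, policy):
    """Apply the policy to (time, ip, login_ok) events; return one decision each."""
    decisions = []
    for now, ip, login_ok in events:
        if policy.is_blocked(ip, now):
            decisions.append("rejected")          # refused before authentication
        elif login_ok:
            decisions.append("allowed")
        elif policy.record_failure(ip, now):
            decisions.append("blocked")
        else:
            decisions.append("failed")
    return decisions

# Constructed events (seconds, source IP, login succeeded); not real log data.
EVENTS = [
    (0, "192.168.1.20", False), (5, "192.168.1.20", True),    # owner mistypes once
    (10, "203.0.113.7", False), (12, "203.0.113.7", False), (14, "203.0.113.7", False),
    (16, "203.0.113.7", False), (18, "203.0.113.7", False),   # 5th failure within 60 s
    (20, "203.0.113.7", True), (400, "203.0.113.7", False),   # during block, after expiry
]

if __name__ == "__main__":
    policy = AccessProtection(window_s=60, max_failures=5, block_s=300)
    print(list(zip(EVENTS, replay(EVENTS, policy))))
```

With these values the fifth failure at t=18 blocks the address until t=318, so even a correct password from that address at t=20 is refused, while the owner's single mistyped login is unaffected.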
elvisimprsntr

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by elvisimprsntr »

Here we go again!
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by Barboots »

elvisimprsntr wrote:Here we go again!
Message has gone out. "This is a good business".
alec59
New here
Posts: 2
Joined: Tue May 25, 2021 9:46 pm

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by alec59 »

Hello guys,
I'm sorry for my English :/
Yesterday, my QNAP TS251 was infected by "EchoRaix Qnap Encrypt".
Since then, I've had 3 issues:

- My files were encrypted. I tried to follow this topic, but there is a lot of information here, and in English ^^
Can we decrypt our files, or is it totally dead?

- My NAS is available through Chrome (when I use the IP I can access the control panel).
Qfinder Pro finds my QNAP

BUT it's totally inaccessible from Windows Explorer (I tried with \\192.168.1.xx or \\NAS Name, Windows tells me there is no access)
For now, I am getting back my data that aren't encrypted using FileStation, but it's long, and boring...

Is it possible that the ransomware is blocking me?

- I scanned my PC with a lot of tools (FRST, Malaware etc...) and I didn't find the Echoraix virus. Is that normal? How can I be sure there is nothing left??

Thanks, and have a nice day
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by dolbyman »

jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by jacobite1 »

A couple of people are reporting recent infections of eCh0raix (as determined by the presence of a 'README_FOR_DECRYPT.txtt' file) over on the subreddit.

Edit: link here (https://www.reddit.com/r/qnap/comments/ ... d_qlocker/)
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
Derek s
Starting out
Posts: 18
Joined: Fri Jun 22, 2018 1:29 am

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by Derek s »

Hi all,
Sorry if this question seems stupid but I am a basic user. One of the points of advice is “Specify a new system port number.
Warning: Do not use 443 or 8080”

Given that 8080 seems the default (and I have no idea what port 443 is for), can anyone advise what the criteria are for choosing a port number to change to?

Also, will changing the port number impact access via qphoto, qvideo, qmusic apps etc. or PC access via the web, or access via NFS?

I do not host any webpages, purely use the NAS for multimedia accessed by LAN at home and QNAP apps over the web.

I am a consumer with enough knowledge to set up the NAS for all I need and have cloud and local backup. Some of this advice seems to assume a level of network technical knowledge that I am not familiar with (IP and MAC addresses are about my limit).

Thanks

Derek.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by Mousetick »

Derek s wrote: Fri May 28, 2021 6:08 am sorry if this question seems stupid but I am a basic user. One of the points of advice is “Specify a new system port number.
Warning: Do not use 443 or 8080”
Not a stupid question at all. This is not bad advice, it's just rather naive and useless and doesn't improve security. It might have helped 25 years ago, not anymore. Cybercriminals may take a bit longer than average to find your NAS, but they'll still find it pretty soon.

What matters is whether the NAS port number, any port number, is open to the internet. If you have followed the other points of advice, no NAS ports should be forwarded between the internet and the NAS on your router, and UPnP should be turned off both on your router and the NAS. Once that is done the NAS is secure from direct attacks from the internet, it's only accessible from your local network, or via a VPN, if applicable, and you don't need to change port numbers. At this point changing port numbers will only be an inconvenience to you, without significant benefit, if any at all.
Derek s wrote: Given that 8080 seems the default ( and I have no idea what port 443 is for), can anyone advise what the criteria is for choosing a port number to change to?
8080 is for accessing the NAS web interface via HTTP and 443 is for accessing the same NAS web interface via HTTPS (encrypted connection between your web browser and the NAS). You can change them to anything you like between 1 and 65535, as long as they're not already used by other services on the NAS. For example, you can't use 139 or 445 because they're used for Windows Networking on the NAS. You can't use 111 or 2049 because they're used by NFS services on the NAS. There are several other ports that may be used by the NAS, I'm not going to go over the entire list here.

I can suggest a couple that should not conflict with anything: 8888 for HTTP and 8443 for HTTPS. But my advice is don't bother to change the port number, so don't worry about it.
Derek s wrote: Also, will changing the port number impact access via qphoto, qvideo, qmusic apps etc. or pc access via the web, or access via NFS?
Yes to all, you'll need to specify the new port number, except NFS which is not affected. For the phone apps I believe they have a feature to auto-detect the port automatically? Otherwise you need to change the port number somewhere in the configuration. When accessing from a web browser (PC or phone), you need to specify the new port number at the end of the address in the URL, i.e. http://address[:port-number]/ or https://address[:port-number]/.
Derek s wrote: I do not host any webpages, purely use the Nas for multimedia accessed by lan at home and qnap apps over the web.
If by "accessed by qnap apps over the web" you mean over the internet while you're away from your home/office, then you have a lot more important things to worry about than port numbers. You need to block all that stuff off at the router level and set up a VPN to access your home/office network over the internet.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by oyvindo »

I think the general advice everyone is giving about disconnecting your NAS from the internet - completely - is bad advice. For most people with a NAS, one of the main purposes is to allow them to get access to private files and folders also when away from home. Then, the advice becomes almost like: use your NAS as a paperweight, and you're guaranteed never to be attacked by ransomware!
VPN and Reverse Proxy solutions can be alternative ways to gain reasonably safe ways to connect from the internet while still being protected. Nothing is 100%, so weigh the risk. After all, you do wear seatbelts when you drive, right? But still - there is always a certain risk of getting injured in an accident.
Same, same with a computing device like a NAS.
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by Cbrad01 »

oyvindo wrote: I think the general advice everyone is giving about disconnecting your NAS from the internet - completely - is bad advice. For most people with a NAS, one of the main purposes is to allow them to get access to private files and folders also when away from home. Then, the advice becomes almost like: use your NAS as a paperweight, and you're guaranteed never to be attacked by ransomware!
VPN and Reverse Proxy solutions can be alternative ways to gain reasonably safe ways to connect from the internet while still being protected. Nothing is 100%, so weigh the risk. After all, you do wear seatbelts when you drive, right? But still - there is always a certain risk of getting injured in an accident.
Same, same with a computing device like a NAS.
I agree with you, the key is understanding the risks and taking steps to make the risks as low as possible. Life is always a risk vs reward decision. My NAS has a port open to the internet but traffic to that port passes through my SonicWall and is inspected. It’s a pain to configure and maintain but it’s relatively safe as the SonicWall takes the brunt of the internet attacks (which is what it is designed for). The NAS is not designed for security, it’s designed for ease of use and lots of “cool” features. These ease of use items are by nature less secure (generally the easier it is to use the less secure it is).
When you expose your data / systems to the internet take steps to protect them.


Sent from my iPhone using Tapatalk
elvisimprsntr

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by elvisimprsntr »

Apparently nobody has learned anything from events of the past month or so. Exposing any NAS, regardless of manufacturer or distribution, directly to the WAN is the worst possible thing you can do.

It's really not that hard to set up a VPN and it doesn't cost any coin. You can securely connect to a LAN via VPN and access any IP based device on the LAN that you allow. You can SSH, access SMB shares, stream media, etc. from anywhere on earth and even from 35,000 feet in the air.

If you don't know how to set up a VPN, then consider it a learning opportunity. There are plenty of options and tutorials on the web.
Last edited by elvisimprsntr on Sat May 29, 2021 6:08 pm, edited 1 time in total.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by dolbyman »

I said it many times before .. for 95% of all end users it's better to not expose the NAS at all .. no IF's, BUT's or COCONUT's brings years or decades of user-files back because people have no clue what they are doing and believe in juicy marketing promises ... so it still stands

DO NOT EXPOSE YOUR NAS TO WAN
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by oyvindo »

Even if you tell people not to drive without safety belts, there's always some people who will. I think what people are expecting, is some sort of warning message as a permanent background image on the desktop warning them about this. Just like in USA where all microwave ovens are clearly labeled that you should not dry your cat in it. It's true!! This happened after a lady accidentally killed her cat in it. The cat was used to dry out in the old oven, and when it was replaced with a micro, the lady had no idea. She sued the manufacturer and won the case and was awarded a large sum of money as compensation for the dead cat.
That's how people are 😮
How about a class action lawsuit against QNAP ? 😜 (just kidding)
elvisimprsntr

[SECURITY ADVISORY] eCh0raix Ransomware

Post by elvisimprsntr »

It comes down to putting a closed source appliance with a long documented history of hard coded credentials and vulnerabilities on the WAN vs using an open source and well vetted VPN, and putting the highly targeted vulnerable appliance behind a firewall.

I was not infected with ransomware and sleep well knowing all my appliances are behind an enterprise class software firewall.
Last edited by elvisimprsntr on Sat May 29, 2021 5:47 am, edited 1 time in total.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [SECURITY ADVISORY] eCh0raix Ransomware

Post by Mousetick »

I'm better than you and you're wrong and yadda yadda yadda.

Way to ruin a thread that's supposed to inform and help users. I feel sorry for the confused lost users who come here in search of answers. Instead they find stories about cats in micro-waves, and people fighting over who's the smartest and koolest.