The eCh0raix ransomware, also called QNAPCrypt, has a new variant that can infect both QNAP and Synology network-attached storage (NAS) devices, according to a report by security researchers at Palo Alto Networks.
Palo Alto first spotted the new eCh0raix variant in September last year. The project name of the ransomware campaign is "rct_cryptor_universal", indicating that the malware can affect any vendor. The project was earlier named "qnap_crypt_worker", since it would infect QNAP and Synology devices using different variants, often on separate instances.
For those wondering, eCh0raix isn't new: the ransomware first burst onto the scene back in 2016 (via Bleeping Computer), when it was targeting QNAP NAS systems. That's why the malware is also called QNAPCrypt, since it started out by attacking QNAP devices only. While 2016 was the first such instance, further attacks were also carried out on QNAP NAS devices in 2019 and 2020.
The new eCh0raix variation has been assigned the security vulnerability ID CVE-2021-28799. Back in April, QNAP had already confirmed the vulnerability as an "Improper Authorization Vulnerability" in HBS 3 (Hybrid Backup Sync 3). The company has added that it has fixed the vulnerability in the following HBS 3 versions:
- QTS 4.5.2: HBS 3 v16.0.0415 and later
- QTS 4.3.6: HBS 3 v3.0.210412 and later
- QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
- QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
Information on secure firmware versions for affected Synology systems is not available yet. In total, about 250,000 QNAP and Synology units combined are vulnerable, according to numbers from Cortex Xpanse.
You can find more technical information on the new eCh0raix variant in the official report here.