The security firm Intezer reported it had successfully shut down 15 active ransomware campaigns using the eCh0raix or QNAPCrypt variant with denial of service attacks.
NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns. In a rare occurrence the firm Intezer found and dubbed the ransomware strain attacking Linux based file storage systems (NAS Servers) as QNAPCrypt, after well known NAS vendor QNAP.
After detection and study of the malware, Intezer found two design flaws in the ransomware which allow them to temporarily take it down thus preventing the malware from infecting additional victims and forcing the authors behind this malware to deploy new instances.
Similar to other ransomware, QNAPCrypt works by encrypting all files and delivering a ransom note. However, due to NAS being a server and not an endpoint, the ransom note was included solely as a text file. In addition, every victim is provided with a different, unique Bitcoin wallet in order to help the attackers from being tracked. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
Intezer was able to smoke out a repository of bitcoin wallets by writing a script that simulated QNAPCrypt ransomware victims fooling the attackers into believing they had a treasure trove of potential ransom payers. This allowed the company to see how the bad guys went about creating the bitcoin wallets that would receive the ransoms.
“After simulating the infection of more than 1,091 victims from 15 different campaigns, we encountered that the attackers ran out of unique Bitcoin wallets to supply to their victims. As a result, any future infection will be unsuccessful and the authors behind this malware were forced to update their implants in order to circumvent this design flaw in their infrastructure to continue with their malicious operations,” Intezer said.
However, the success of DoS campaign resulted in the cybercriminals revamping their malware to harden it from future intervention by an outside source. This time, the newer variant uses an embedded static wallet and RSA public key in contrast to previous instances.
Chris Morales, head of security analytics at Vectra, told Threatpost that it isn’t as common to deploy endpoint monitoring to a Linux dedicated network file server — thus, the QNAPCrypt malware represents the evolution and adaptation of an attack to bypass security controls.
“What often happens in a ransomware attack would be that a desktop machine, which is Windows or OS X, would be compromised through an existing vulnerability or phishing campaign,” he explained. “Once the host is infected, malware is designed to propagate across user systems and encrypt network file servers that are connected to those systems. By targeting the network file server directly, it is highly likely the attack is circumventing detection by endpoint security tools that are monitoring for the local encryption behaviors.”
Sources: https://www.intezer.com, https://www.scmagazine.com, https://threatpost.com