ech0raix
eCh0raix is a ransomware operation focused on infecting network-attached storage (NAS) devices, particularly QNAP systems.
Profile source: Mallory opens in a new tabech0raix
Family profile
eCh0raix is a ransomware operation focused on infecting network-attached storage (NAS) devices, particularly QNAP systems. The content states it is also known as QNAPCrypt and that it first surfaced in June 2016. It has been repeatedly referenced by QNAP and other reporting as a ransomware strain used to target QNAP customers and internet-exposed QNAP NAS devices.
High-confidence reporting in the content links eCh0raix to exploitation of vulnerabilities in QNAP NAS environments. Multiple sources note prior cases in which ransomware such as eCh0raix abused QNAP NAS vulnerabilities, and QNAP warned users to apply updates to affected applications to prevent attacks from both Qlocker and eCh0raix. The content further states that eCh0raix had been scanning the internet for unpatched QNAP devices and that its activity spiked during the period when Qlocker infections were rising, suggesting it may have weaponized the same bugs, although the exact intrusion vector is not confirmed in the provided material.
The malware is described as an older ransomware operation centered on QNAP systems rather than general-purpose enterprise ransomware. It is mentioned alongside other ransomware families that have targeted NAS appliances, including DeadBolt and Checkmate. One advisory cited in the content also states that DPRK actors have been observed using or possessing publicly available encryption tools including ech0raix, but the content does not establish that eCh0raix is uniquely attributable to DPRK actors.
Overall, the provided content supports describing eCh0raix/QNAPCrypt as a longstanding ransomware family targeting internet-exposed and unpatched QNAP NAS devices, associated with exploitation of QNAP vulnerabilities and recurring attack waves against NAS owners.
Ransomware.live
Operational record
MITRE ATT&CK
ech0raix in ATT&CK
3 distinct techniquesReporting
Research mentioning ech0raix
QNAP社製NASを狙うDeadBoltランサムウェアに関連した調査 - セキュリティ研究センターブログ
過去にもQLockerやech0raix等のランサムウェアがQNAP NASの脆弱性を悪用するケースは度々ありました。
Synology hurries out patches for zero-days exploited at Pwn2Own
"For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly..."
QNAP ‘urgently’ fixing vulnerabilities in multiple systems | The Record from Recorded Future News
QNAP has previously warned of different ransomware strains being used to target customers, including ... the ech0raix ransomware.
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA
Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
New Qlocker ransomware is hitting hundreds of QNAP NAS devices per day | The Record from Recorded Future News
QNAP told users to apply updates for these apps to prevent ransomware attacks not only from the Qlocker gang but also from eCh0raix, an older ransomware operation focused on infecting QNAP systems...