Skip to content
Ransomware group

ech0raix

eCh0raix is a ransomware operation focused on infecting network-attached storage (NAS) devices, particularly QNAP systems.

Profile source: Mallory opens in a new tab

ech0raix

Family profile

eCh0raix is a ransomware operation focused on infecting network-attached storage (NAS) devices, particularly QNAP systems. The content states it is also known as QNAPCrypt and that it first surfaced in June 2016. It has been repeatedly referenced by QNAP and other reporting as a ransomware strain used to target QNAP customers and internet-exposed QNAP NAS devices.

High-confidence reporting in the content links eCh0raix to exploitation of vulnerabilities in QNAP NAS environments. Multiple sources note prior cases in which ransomware such as eCh0raix abused QNAP NAS vulnerabilities, and QNAP warned users to apply updates to affected applications to prevent attacks from both Qlocker and eCh0raix. The content further states that eCh0raix had been scanning the internet for unpatched QNAP devices and that its activity spiked during the period when Qlocker infections were rising, suggesting it may have weaponized the same bugs, although the exact intrusion vector is not confirmed in the provided material.

The malware is described as an older ransomware operation centered on QNAP systems rather than general-purpose enterprise ransomware. It is mentioned alongside other ransomware families that have targeted NAS appliances, including DeadBolt and Checkmate. One advisory cited in the content also states that DPRK actors have been observed using or possessing publicly available encryption tools including ech0raix, but the content does not establish that eCh0raix is uniquely attributable to DPRK actors.

Overall, the provided content supports describing eCh0raix/QNAPCrypt as a longstanding ransomware family targeting internet-exposed and unpatched QNAP NAS devices, associated with exploitation of QNAP vulnerabilities and recurring attack waves against NAS owners.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

ech0raix in ATT&CK

3 distinct techniques

Reporting

Research mentioning ech0raix

Jan 10
Macnica Security

QNAP社製NASを狙うDeadBoltランサムウェアに関連した調査 - セキュリティ研究センターブログ

過去にもQLockerやech0raix等のランサムウェアがQNAP NASの脆弱性を悪用するケースは度々ありました。

Nov 1
Bleeping Computer

Synology hurries out patches for zero-days exploited at Pwn2Own

"For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly..."

Apr 6
The Record Media

QNAP ‘urgently’ fixing vulnerabilities in multiple systems | The Record from Recorded Future News

QNAP has previously warned of different ransomware strains being used to target customers, including ... the ech0raix ransomware.

Feb 9
Cisa Advisories

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

Feb 9
Cisa

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

Jan 26
The Record Media

New Qlocker ransomware is hitting hundreds of QNAP NAS devices per day | The Record from Recorded Future News

QNAP told users to apply updates for these apps to prevent ransomware attacks not only from the Qlocker gang but also from eCh0raix, an older ransomware operation focused on infecting QNAP systems...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.