QNAP NAS devices and Ransomware

Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.

The instigators who pushed this  malware increased activity about a week before Christmas, taking control of the devices with administrator privileges.

The method of infection is as of yet unclear . Some users admit they were reckless and did not secure the device properly (e.g. open  ports over an insecure connection); others claim a vulnerability in QNAP’s Photo Station allowed the attackers to wreak havoc.

Yes I know I am a total idiot for leaving that open to this type of hack but I didnt take any of that seriously. I always thought no-one want the little guy and I will be the first to say I was wrong!

Regardless of the attack path, it appears that the eCh0raix ransomware actor creates a user in the administrator group, which allows them to encrypt all files on the NAS system.

ech0raix ransomware demands ranging from .024 ($1,200) to .06 bitcoins ($3,000) during these recent attacks.. Some users had no backup options and had to pay the threat actor to recover their files.

Recommended Qnap Security Settings to avoid data recovery

1.  
2. Remove  suspicious accounts.
3. Remove  suspicious applications.
4. Disable auto router configuration and set up device access controls in myQNAPcloud.
5. Avoid opening default port numbers to the Internet.
6. Install and run the latest version of Malware Remover.
7. Change passwords for all accounts.
8. Update installed QTS applications to the latest versions.
9. Update QTS to the latest available version.
10. Install QuFirewall.
11. Subscribe to QNAP Security Advisory newsletter.

Common Default Port Numbers

Removing Unknown or Suspicious Users

1. Log on to QTS as administrator.
2. Go to Control Panel > Privilege > Users.
3. Verify all users on the list.
4. Select unknown or suspicious users.
5. Click Delete. A confirmation message appears.
6. Click OK.

Removing Unknown or Suspicious Applications

1. Log on to QTS as administrator.
2. Open the App Center.
3. Verify all installed applications.
4. Locate an unknown or suspicious application.
5. Click Remove. A confirmation message appears.
6. Click OK.

Changing myQNAPcloud Settings

1. Log on to QTS as administrator.
2. Open myQNAPcloud.
3. Go to Auto Router Configuration.
4. Deselect Enable UPnP port forwarding.
5. Go to Publish Services.
6. Deselect all unnecessary services.
7. Click Apply.
8. Go to Access Control.
9. Set Device access controls to Private.
10. Click Apply.

Changing the System Port Number

If the NAS is directly connected to the Internet (for example, via PPPoE, static external IP address, or a router in DMZ mode), change the system port number in QTS.

1. Log on to QTS as administrator.
2. Go to Control Panel > System > General Settings > System Administration.
3. Specify a new system port number. Warning: Do not use 22, 443, 80, 8080 or 8081.
4. Click Apply.

If the NAS is behind a router but is connected to the Internet through port forwarding, specify a new port number on the router. Do not use 22, 443, 80, 8080 or 8081.

Installing and Running the Latest Version of Malware Remover

1. Log on to QTS as administrator.
2. Open the App Center, and click the Search icon. A search box appears.
3. Type “Malware Remover”, and then press ENTER. The Malware Remover application appears in the search result list.
4. Click Install. QTS installs the latest version of Malware Remover.
5. Open Malware Remover.
6. Click Start Scan. Malware Remover scans the NAS for malware.

Changing the Admin Password

1. Log on to QTS as administrator.
2. Click the profile picture on the QTS Task Bar. The Options window opens.
3. Click Change Password.
4. Specify the old password.
5. Specify the new password.QNAP recommends the following criteria to improve password strength:
   • Should be at least 8 characters in length
   • Should include both uppercase and lowercase characters
   • Should include at least one number and one special character
   • Must not be the same as the username or the username reversed
   • Must not include characters that are consecutively repeated three or more times
6. Verify the new password.
7. Click Apply.

Changing User Passwords

1. Log on to QTS as administrator.
2. Go to Control Panel > Privilege > Users.
3. Select a user.
4. Click Change Password. The Change Password window appears.
5. Specify the old password.
6. Specify the new password.QNAP recommends the following criteria to improve password strength:
   • Should be at least 8 characters in length
   • Should include both uppercase and lowercase characters
   • Should include at least one number and one special character
   • Must not be the same as the username or the username reversed
   • Must not include characters that are consecutively repeated three or more times
7. Verify the new password.
8. Click Apply.
9. Repeat the above steps to change passwords for other users.

Updating Installed QTS applications

1. Log on to QTS as administrator.
2. Open the App Center.
3. Go to My Apps.
4. Beside Install Updates, click All. A confirmation message appears.
5. Click OK. QTS updates installed applications to the latest versions.

Updating QTS

1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
4. QTS downloads and installs the latest available update.

Installing QuFirewall

1. Log on to QTS as administrator.
2. Open the App Center, and click the Search icon. A search box appears.
3. Type “QuFirewall”, and then press ENTER. The QuFirewall application appears in the search result list.
4. Click Install. QTS installs the latest version of QuFirewall
5. Open QuFirewall and Enable QuFirewall.

For more information on our NAS Data Revovery Services