ech0raix
eCh0raix is a ransomware family, also known as QNAPCrypt, that first surfaced in June 2016. It is an older ransomware operation focused on infecting QNAP network-attached storage (NAS) systems, and QNAP has repeatedly warned customers that eCh0raix has been used against its devices. Reporting cited here states that eCh0raix has scanned the internet for unpatched QNAP devices and that its activity spiked during periods when QNAP urged customers to update vulnerable applications, which points to exploitation of unpatched, internet-exposed NAS appliances as the infection vector. The family is associated with attacks on NAS devices used by both home and enterprise customers; exposed systems are attractive targets because they store sensitive data and are often reachable remotely over the internet.

The sources tracked here also note that DPRK state-sponsored ransomware actors have been observed using or possessing publicly available encryption tools, including eCh0raix, alongside other ransomware and encryption utilities.

The sources identify eCh0raix with the alias QNAPCrypt with high confidence; they provide no ransom note text, encrypted-file extension, wallet address, or hash IOC specific to eCh0raix.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom."
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Lateral Movement: 1 technique. Supporting evidence: "QNAP said it is 'urgently' fixing two vulnerabilities that allow hackers to remotely access systems... A malicious actor could use those problems to get full access to a QNAP device."
Impact: 1 technique. Supporting evidence: "QNAP has spent more than a year working to protect customers from the Deadbolt ransomware group, which has specifically exploited vulnerabilities in the company's NAS storage hardware."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware targeting Internet-exposed NAS devices (notably QNAP and Synology), encrypting files and extorting owners for payment to regain access.
Ransomware strain reported as targeting QNAP customers (notably NAS environments).
Older ransomware operation focused on infecting QNAP NAS systems; reported to be scanning for and exploiting unpatched QNAP devices.