How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

TOS system configuration
StanHK
Posts: 13
Joined: 25 Jul 2020, 16:22

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by StanHK »

How to make your TNAS accessible from the outside world via VPN only (note: you need a firewall that supports VPN)

Here is some advice for those looking to improve their security (TM only said "happy new year" but no apologies for their clear negligence - no, I am not going to be nice to them as they messed up severely):

1. Get a firewalla (firewalla.com - this is made by a couple of guys that used to work at Cisco)
2. Set up VPN on the firewalla, which will allow you to tunnel into your home network
3. Set up port forwarding on your router for the firewalla VPN
4. Use the firewalla in advanced/DHCP mode (firewalla will assign internal IP addresses to your devices)
5. Fix the internal IP address for your TNAS in firewalla by reserving the assigned IP for TNAS (e.g. 172.1.1.2)
6. Take your TNAS offline by using the firewalla built-in disconnect from internet button
7. Whitelist your VPN subnet (advanced settings, network to see the subnet) and your local intranet subnet (e.g. 172.1.1.2/24) in the rules section for TNAS device
8. If you use any remote/cloud backup, find the IP CIDR blocks and domain names and whitelist those for your TNAS device in firewalla rules

*** now your TNAS should be only accessible from internal IP addresses and by VPN ***

9. Check if there are any port forwarding rules (except for your firewalla VPN) on your router, e.g. 8181, and remove those (be sure to keep your VPN port forwarding!!!)
10. Go to your network settings on your TNAS, and change the standard HTTP and HTTPS ports (e.g. 8181 --> 3131). Note, to connect to the TNAS web interface on example IP: 172.1.1.2:8181 you need to use the new port, e.g. 172.1.1.2:3131
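The two checks behind steps 7 to 9 (an allow-list of who may reach the NAS, and a router forwarding table that keeps only the VPN entry) as an added example in Python. This is not code from the post, from Firewalla or from TerraMaster; the NAS address, the LAN/VPN/backup ranges, the VPN port and the forwarding table below are constructed placeholders.

```python
# Added example (not code from the forum post, Firewalla or TerraMaster).
# Models the two checks behind steps 7-9 above:
#   - an allow-list for who may reach the NAS (LAN + VPN + backup provider),
#   - an audit of router port forwards that keeps only the VPN forward.
# All addresses, ports and the forwarding table are constructed placeholders.
import ipaddress
from dataclasses import dataclass

NAS_IP = ipaddress.ip_address("192.168.1.2")  # the reserved NAS address (assumed)

# Step 7/8: sources allowed to reach the NAS. Everything else is dropped.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.168.1.0/24"),  # local LAN subnet (assumed)
    ipaddress.ip_network("10.8.0.0/24"),     # VPN client subnet (assumed)
    ipaddress.ip_network("203.0.113.0/24"),  # cloud backup provider range (placeholder)
]


def nas_allows(src_ip: str, dst_ip: str) -> bool:
    """Decide whether a connection from src_ip to dst_ip passes the NAS rule.

    The rule is scoped to the NAS: traffic to any other host is not
    evaluated here and is returned as allowed.
    """
    if ipaddress.ip_address(dst_ip) != NAS_IP:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWED_SOURCES)


@dataclass(frozen=True)
class Forward:
    """One router port-forwarding (or port-triggering) entry."""
    ext_port: int
    proto: str
    int_ip: str
    int_port: int


# Step 9: the only forward that may exist is the one for the VPN endpoint.
VPN_FORWARD = Forward(51820, "udp", "192.168.1.1", 51820)  # assumed VPN port/host

# Constructed router table: the VPN forward plus the kind of leftover that
# exposes the NAS web UI (8181) to the internet.
SAMPLE_FORWARDS = [
    VPN_FORWARD,
    Forward(8181, "tcp", "192.168.1.2", 8181),
    Forward(443, "tcp", "192.168.1.2", 8181),
]


def audit_forwards(forwards):
    """Return the forwards that must be removed: all but the VPN forward."""
    return [f for f in forwards if f != VPN_FORWARD]


def forwards_hitting_nas(forwards):
    """Subset of the offending forwards that land on the NAS itself."""
    return [f for f in audit_forwards(forwards)
            if ipaddress.ip_address(f.int_ip) == NAS_IP]


if __name__ == "__main__":
    for src in ("192.168.1.50", "10.8.0.7", "198.51.100.9"):
        verdict = "allow" if nas_allows(src, str(NAS_IP)) else "drop"
        print(f"{src:>14} -> NAS: {verdict}")
    for f in audit_forwards(SAMPLE_FORWARDS):
        print(f"remove forward {f.proto}/{f.ext_port} -> {f.int_ip}:{f.int_port}")
```

The allow-list is evaluated on the source address only, which is exactly what a per-device firewall rule does; a port-triggering entry counts as a forward for the audit, since it opens the same path once triggered. Changing the NAS web port (step 10) does not change either verdict: an exposed port is exposed whatever number it has, so the forward must go regardless.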
havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions »

Hi, Can you help clarify something?

How was this system exploited? I don't really understand, given the configuration I believe I have set up.

How was remote access gained? This device already sits behind my router and is not directly exposed to the internet.
Are there details of how to lock this down? I understand there was a vulnerability, but even still my device should not have been accessible outside of my local network?

Is there something here enabling traversing the NAT?
TMRyan
TerraMaster Team
Posts: 817
Joined: 01 Dec 2020, 11:50

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by TMRyan »

@havesomequestions
There are three ways for you to remotely access your TNAS device:
1. TNAS.online permission: Go to “TOS” > “Remote Access” to enable the TNAS.online remote login, set a unique TNAS ID, and then enter the TNAS.online or TNAS ID in the address bar of your computer browser (e.g., TNAS.online/john) to enable remote access.
2. DDNS (Dynamic Domain Name Server): Please refer to the “TOS Help” page for how to set up DDNS and how to use it.
3. A dedicated IP and port number: Apply for a dedicated IP from the operator and then access TNAS by forwarding it through the router port.
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement)
havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions »

Are any of those enabled by default? I didn't explicitly do any of those steps.

My security posture is to not have these things enabled, but I wasn't aware of these.

My question was not how to enable remote access, but rather how could this infection have occurred.

I started going through the process of changing the default ports and now the webui no longer loads for me.
havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions »

My main goal here is to understand how the bad actor got on to the system.

If I understand correctly there was an exploit; I've seen the Metasploit toolkit with the PoC.
How can I trust this system?

I have noticed lately some attempts to log into my accounts, luckily they are all 2fa, from odd regions.

It feels like this system cannot be trusted with my data, was the data exfiltrated?

Not everything was encrypted, it seemed to only target some well known extensions. I have backups in triplicate and this happened to only corrupt one of those.

But how can I put this device back in service w/o understanding how the system was exploited? I am not finding these encrypted files on any other device on my network.
havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions »

Thank you for this. I believe I found I had port triggering enabled on my router and found a record of port 8181 being accessible externally.

This closes that loop for me.

StanHK wrote:
> havesomequestions wrote:
> > My main goal here is to understand how the bad actor got on to the system.
> >
> > If I understand correctly there was an exploit, i've seen the metasploit
> > toolkit with the POC.
> > How can I trust this system?
> >
> > I have noticed lately some attempts to log into my accounts, luckily they
> > are all 2fa, from odd regions.
> >
> > It feels like this system cannot be trusted with my data, was the data
> > exfiltrated?
> >
> > Not everything was encrypted, it seemed to only target some well known
> > extensions. I have backups in triplicate and this happened to only corrupt
> > one of those.
> >
> > But how can I put this device back in service w/o understanding how the
> > system was exploited? I am not finding these encrypted files on any other
> > device on my network.
>
> I can confirm that:
> 1. I did not switch on TNAS.online
> 2. I did not use DDNS (Dynamic Domain Name Server)
> 3. I did not specifically have a dedicated IP (which isn't needed for a hacker, they
> just need to find an IP address where the device is running)
>
> The port 8181 is the standard port used by TNAS for web access. So I guess they
> either got a list of IPs directly from this forum and tried all of them for open port
> 8181, or they just scanned large amounts of IPs for open port 8181.
>
> My mistake: during setup I set port mapping of 8181 to the internal IP which I then
> forgot to switch off.
havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions »

For anyone else: beta.shodan.io is how I found my open ports.

You can look up your external IP for free and even quickly attempt a connection.
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by sianderson »

I use GRC.com. I don't know how that compares to the test you run; it's an old one, but I guess it's all still valid.
StanHK
Posts: 13
Joined: 25 Jul 2020, 16:22

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by StanHK »

havesomequestions wrote:
> Thank you for this. I believe I found I had port triggering enabled on my router and
> found a record of port 8181 being accessible externally.
>
> This closes that loop for me.
>
Glad I could be of help with that
ramsymartin12
Posts: 0
Joined: 16 Mar 2021, 14:38

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by ramsymartin12 »

A decryptor for the eCh0raix Ransomware, or QNAPCrypt, has been released that allows victims to recover encrypted files on their QNAP NAS devices. Ech0raix (QNAPCrypt) Ransomware is similar to DearCry Ransomware. This nasty 'DearCry Ransomware' exploits bugs in software installed on the computer, or network server exploits, to install the ransomware program on your computer. Once they gain access to your computer, they will start encrypting all files stored on the computer and demand a ransom payment for the decryption keys/software. For more details, visit 'https://malware-guide.com/blog/how-to-remove-dearcry-ransomware-restore-locked-files'.

However, one possible way to recover files locked by any ransomware program is to restore them from a strong backup. You should make sure that you have a backup of all your damaged or lost files on some external storage, or on cloud storage. You can also try powerful data recovery software for this purpose, and you can get this tool by visiting the post through the link.