How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by TMroy »

The risk of malware infection remains on a constant rise, with new infections spreading rapidly. Recently, it has been learned that some TerraMaster users’ TNAS devices have been attacked by the ransomware Ech0raix (QNAPCrypt), causing their precious data to be encrypted and held for ransom. We express our regret for this and strongly condemn the attackers! This is a despicable act of harming the interests of others to obtain illegal income for oneself; this is a crime!

The ransomware Ech0raix (QNAPCrypt) was first reported in June 2020. It initially targeted QNAP's NAS devices. In 2020, more than 1,000 users were attacked in the United States alone. Now this ransomware is back and targets QNAP NAS devices again and, unfortunately, TerraMaster TNAS devices too.

The following are research articles about Ech0raix (QNAPCrypt):
https://www.anomali.com/blog/the-ech0raix-ransomware
https://securityaffairs.co/wordpress/10 ... -qnap.html
https://howtofix.guide/ech0raix-ransomw ... -qnap-nas/
https://www.bugsfighter.com/remove-ech0 ... ypt-files/


For vulnerabilities that may be exploited, TerraMaster has released new TOS updates to reduce the possibility of being attacked. TerraMaster will continue to find all possible vulnerabilities and maintain timely TOS updates.

Is there any way to prevent a ransomware attack from happening? Well, yes and no. There are certainly some precautions you should take to minimize the chances of malware infection, but nothing can guarantee you won’t be targeted; any device exposed on the Internet with vulnerabilities or a weak password is at risk of being attacked.

You need to take immediate action to avoid threats to your important data:
1. Update your computer operating system to the latest version;
2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;
3. Be cautious when opening email attachments or clicking on files from unknown sources. Beware of suspicious files with hidden file extensions, such as ".pdf.exe";
4. Malware usually targets computers that use RDP (Remote Desktop Protocol). Please disable RDP on your computer, and disable SSH and Telnet on your TNAS when not using remote access;
5. Set a high security level password for all users;
6. Disable the system default administrator account, re-create a new administrator account, and set an advanced password;
7. Enable the firewall and only allow trusted IP addresses and ports to access your device; avoid using the default port numbers 5443 (HTTPS) and 8181 (HTTP) and change them to any other port between 5001 and 65535;
8. Enable automatic IP block on your TOS control panel to block IP addresses with too many failed login attempts;
9. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy;

If you have unfortunately found that your data is infected by ransomware:
1. Disconnect your computer and TNAS device from the Internet immediately;
2. Before restoring data, thoroughly remove the infection from the computer system and the TNAS. You need to restore your TNAS to factory settings and completely format all of your hard drives;
3. Or you might try the solutions here: https://www.bugsfighter.com/remove-ech0 ... ypt-files/

More information about ransomware
https://enterprise.comodo.com/blog/how- ... ks-happen/
https://demotix.com/ransomware-attack/
To contact our team, please send an email to the following addresses, remembering to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
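As an added illustration of the mechanism behind item 8 (and the trusted-IP allowlist of item 7), not TerraMaster's code or TOS's actual implementation: the function below scans constructed, syslog-style failed-login lines and returns the source addresses that hit a failure threshold inside a sliding time window, skipping addresses on a trusted list. The log format, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog-style auth lines (not real TNAS output).
# 203.0.113.7  : three failures within seconds  -> fast brute force
# 192.168.1.20 : three failures from a LAN host -> placed on the trusted list
# 198.51.100.9 : three failures hours apart     -> slow, spread-out guessing
SAMPLE_LOG = """\
2020-12-28T02:10:01 sshd: Failed password for admin from 203.0.113.7
2020-12-28T02:10:04 sshd: Failed password for root from 203.0.113.7
2020-12-28T02:10:09 sshd: Failed password for admin from 203.0.113.7
2020-12-28T02:11:00 sshd: Failed password for alice from 192.168.1.20
2020-12-28T02:11:03 sshd: Failed password for alice from 192.168.1.20
2020-12-28T02:11:06 sshd: Failed password for alice from 192.168.1.20
2020-12-28T02:11:10 sshd: Accepted password for alice from 192.168.1.20
2020-12-28T03:30:00 sshd: Failed password for admin from 198.51.100.9
2020-12-28T05:30:00 sshd: Failed password for admin from 198.51.100.9
2020-12-28T07:30:00 sshd: Failed password for admin from 198.51.100.9
"""

FAILED = re.compile(r"^(\S+) sshd: Failed password for \S+ from (\S+)$")


def ips_to_block(log_text, max_failures=3, window_minutes=10, trusted=()):
    """Return the source IPs that reached max_failures failed logins within any
    window_minutes-long span, processing lines in order. A per-IP deque keeps
    only the failures still inside the window, so a burst trips the limit
    while the same number of attempts spread over hours does not."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    blocked = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                    # successful logins and other lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in trusted:
            continue                    # allow-listed addresses are never blocked
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    print(sorted(ips_to_block(SAMPLE_LOG, trusted={"192.168.1.20"})))  # ['203.0.113.7']
```

Note that the slow guesser 198.51.100.9 only trips the block once the window is widened to a day, which is why automatic IP blocking complements, rather than replaces, strong passwords and key-based SSH.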
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Re: How to protect yourself against encryption-based ransomware?

Post by sianderson »

This is also why my USB backup drive is on a smart switch; it is actually turned off for most of the day, so if there were a ransomware attack it could not reach the backup drive. It only turns on in time for the backup and turns off not long after the backup would have completed.
yerc1
Posts: 85
Joined: 30 Oct 2020, 15:50

Re: How to protect yourself against encryption-based ransomware?

Post by yerc1 »

@TMroy, thank you for the guidance.

RDP - I cannot find anything in Settings for this. Please advise how to disable RDP in TOS.

I disabled Telnet. I did allow SSH access with a password. One of my to-do items with my TNAS is to change the SSH security from password to keys. Given the reports of ransomware attacks on TNAS devices, I'm going to do this ASAP.

Many owners of TNAS will appreciate a guide for setting up SSH access with keys (instead of password, which is less secure).

Firewall - Enabling the firewall will involve balancing convenience and security. It would be good to have some guide on how to enable the firewall in TOS while still allowing interaction between the TNAS and other devices (mobile phone, laptop, etc.). Maybe do this for a common scenario - for example "Enable TOS Firewall without Breaking Plex Media Server on TNAS". I don't know if this scenario exists in reality; it's just an example.
joeh
Posts: 9
Joined: 22 Dec 2020, 02:49

Re: How to protect yourself against encryption-based ransomware?

Post by joeh »

yerc1 wrote:
> @TMroy, thank you for the guidance.
>
> RDP - I cannot find anything in Settings for this. Please advise how to
> disable RDP in TOS.
>
> I disabled Telnet. I did allow SSH access with a password. One of my to-do
> items with my TNAS is to change the SSH security from password to keys.
> Given the reports of ransomware attacks on TNAS devices, I'm going to do this ASAP.
>
> Many owners of TNAS will appreciate a guide for setting up SSH access with
> keys (instead of password, which is less secure).
>
> Firewall - Enabling the firewall will involve balancing convenience and
> security. It would be good to have some guide on how to enable the
> firewall in TOS while still allowing interaction between TNAS and other
> devices (mobile phone, laptop, etc.). Maybe do this for a common scenario -
> for example "Enable TOS Firewall without Breaking Plex Media Server on
> TNAS". I don't know if this scenario exists in reality, just an
> example.

I'm pretty sure when referring to RDP they are talking about disabling it on personal computers.
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Re: How to protect yourself against encryption-based ransomware?

Post by sianderson »

That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive.

So it's more about the bigger picture and not just the NAS drive itself.
yerc1
Posts: 85
Joined: 30 Oct 2020, 15:50

Re: How to protect yourself against encryption-based ransomware?

Post by yerc1 »

joeh wrote:
> I'm pretty sure when referring to RDP they are talking about disabling it on personal computers.

sianderson wrote:
> That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive.

I had a feeling that was the case.

The use of RDP, SSH and Telnet in one sentence ("Please disable RDP, SSH and Telnet when not using remote access") and in the current context is a bit vague - the question has to be asked.
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: How to protect yourself against encryption-based ransomware?

Post by TMroy »

yerc1 wrote: 29 Dec 2020, 07:48
> joeh wrote: 28 Dec 2020, 08:36
> > I'm pretty sure when referring to RDP they are talking about disabling it on personal computers.
>
> sianderson wrote: 28 Dec 2020, 17:04
> > That's correct. RDP (Remote Desktop) or (Remote Connection) could give an attacker access to your computer, which in turn gives them access to the NAS drive.
>
> I had a feeling that was the case.
>
> The use of RDP, SSH and Telnet in one sentence ("Please disable RDP, SSH and Telnet when not using remote access") and in the current context is a bit vague - the question has to be asked.

Sorry for the confusion; we have modified it to be clearer!
Spaniard
Posts: 19
Joined: 26 Dec 2020, 00:28

Re: How to protect yourself against encryption-based ransomware?

Post by Spaniard »

Hello

TMroy wrote:
> How to protect yourself against encryption-based
> 6. Disable the system default administrator account, re-create a new
> administrator account, and set an advanced password;

Please, can you provide us with further information about how to do that in TOS?
The "admin" account cannot be disabled, as it is linked with the root account. Is there any trick to achieve that using the CLI?

Thanks
joeh
Posts: 9
Joined: 22 Dec 2020, 02:49

Re: How to protect yourself against encryption-based ransomware?

Post by joeh »

Spaniard wrote:
> Hello
>
> TMroy wrote:
> > How to protect yourself against encryption-based
> > 6. Disable the system default administrator account, re-create a new
> > administrator account, and set an advanced password;
>
> Please, can you provide us with further information about how to do that in TOS?
> The "admin" account cannot be disabled, as it is linked with the root
> account. Is there any trick to achieve that using the CLI?
>
> Thanks

That is correct. I didn't see a way to disable the admin account either. My F2-422 NAS is on firmware 4.2.07. The "Disable this user account" option is grayed out for the admin account. I am able to disable the guest account, which I did. All I did for the admin account is deny access to the folders I created.
Spaniard
Posts: 19
Joined: 26 Dec 2020, 00:28

Re: How to protect yourself against encryption-based ransomware?

Post by Spaniard »

joeh wrote:

> That is correct. I didn't see a way to disable the admin account either. My F2-422
> NAS is on firmware 4.2.07. The "Disable this user account" option is grayed
> out for the admin account. I am able to disable the guest account, which I did. All I
> did for the admin account is deny access to the folders I created.

As long as the root user and the admin share the same password and pfp-fm is run by root, there's not too much to do against this kind of exploit.

TMroy, is there any way of disabling HTTP on the NAS and enforcing HTTPS connections?