
posted by Fnord666 on Monday July 15 2019, @09:15AM
from the NASty dept.

QNAPCrypt is malware that specifically targets Linux-based Network Attached Storage (NAS) file storage systems. This unusual breed of malware is currently in the wild and spreading via 15 separate campaigns.

NAS servers are an attractive target to ransomware authors for multiple reasons.

First, they often contain large amounts of important data, so people and companies will be more desperate to recover it than they would be for a typical client system.
Second, endpoint protections that watch for encryption activity are rarely deployed on them, making it less likely that the malware is detected before it has completed its business.

"What often happens in a ransomware attack would be that a desktop machine, which is Windows or OS X, would be compromised through an existing vulnerability or phishing campaign," [Chris Morales, head of security analytics at Vectra] explained. "Once the host is infected, malware is designed to propagate across user systems and encrypt network file servers that are connected to those systems. By targeting the network file server directly, it is highly likely the attack is circumventing detection by endpoint security tools that are monitoring for the local encryption behaviors."

The QNAPCrypt malware was initially stalled by the malware analysis company Intezer, which took advantage of a design flaw in the way the Command and Control (C2) server hands out Bitcoin wallets to effectively deny service (DoS) to the malware.

"[the C2 server] does not create a new wallet for each new victim in real time, but rather it pulls a wallet address from a fixed, predetermined list," explained the researchers.

Secondly, the list, being static, is also finite. "Once all of the wallets are allocated (or sent), the ransomware would not be able to continue its malicious operation in the victim's machine," they said.

This opened the door to Intezer being able to mount what was essentially a denial-of-service (DoS) attack by simulating the infection of more than 1,091 victims, forcing the attackers to run through their list of unique Bitcoin wallets to supply to their victims.

Once on a network, the malware attempts to scan for and find NAS devices.

Intezer determined that the initial attack vector for the campaigns is SSH brute-force attacks, so administrators should take care to update their credentials with strong passwords in order to avoid an infection.
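Because the initial vector is SSH brute force, the first thing a NAS administrator can do besides hardening credentials is to notice the brute force in the authentication log. The following is an added example, not part of the article or of Intezer's analysis: it parses OpenSSH-style auth-log lines, counts failed logins per source address in a sliding window, and raises a higher-severity alert when a successful login follows a burst of failures from the same address. The log lines, host name and addresses are constructed for the example, and the year 2019 is assumed because syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth-log lines (syslog format; no year field).
SAMPLE_LOG = """\
Jul 15 09:15:01 nas sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 15 09:15:03 nas sshd[2102]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 15 09:15:04 nas sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jul 15 09:15:06 nas sshd[2104]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jul 15 09:15:08 nas sshd[2105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Jul 15 09:15:09 nas sshd[2106]: Accepted password for root from 203.0.113.5 port 51242 ssh2
Jul 15 09:20:00 nas sshd[2200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 15 09:20:30 nas sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jul 15 10:01:00 nas sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 15 11:30:00 nas sshd[2301]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2019):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detector.

    Emits a "bruteforce" alert the first time a source reaches `threshold` failures
    inside `window`, and a "bruteforce_success" alert when that same source then
    gets an Accepted login while its failure burst is still inside the window.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the case that matters most.
            alerts.append({"type": "bruteforce_success", "src": ev["src"],
                           "user": ev["user"], "method": ev["method"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

Two failures an hour and a half apart from 192.0.2.9 never reach the threshold, and alice's one typo followed by a key login is ignored, while 203.0.113.5 produces both alerts. The "bruteforce_success" case is the one worth paging on: at that point the NAS is already being used, and the credential that was guessed must be rotated rather than merely rate-limited.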

Full Analysis of the QNAPCrypt Ransomware


  • (Score: 2) by hendrikboom (1125) on Monday July 15 2019, @01:31PM (#867175) (2 children)

    The problem is distinguishing legitimate from illegitimate date changes.

  • (Score: 2) by hendrikboom (1125) on Monday July 15 2019, @04:29PM (#867233) (1 child)

    I suspect there might be statistical methods to detect large numbers of similar date changes made to files that the file command now sees as mere binary data.

    • (Score: 0) by Anonymous Coward on Monday July 15 2019, @07:24PM (#867296)

      You could just do global monitoring on /home or whatever using fanotify/inotify. Your monitor just has to keep track of writes and closings for files and check them to see if they are random. If you want to reduce false positives, just add some canary files or whatever that are never accessed by anything outside of file or sha256sum and trigger when those are accessed.
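The detection logic behind the thread above (hendrikboom's "large numbers of similar changes" plus the Anonymous Coward's randomness check and canary files), as an added example that is not any commenter's code: given close-after-write events of the kind a fanotify FAN_CLOSE_WRITE listener would deliver, it measures the Shannon entropy of the written content, stands in for the `file` command with a small magic-number table so that legitimately high-entropy formats (images, archives, PDFs) are not flagged, treats a single unrecognised high-entropy write as merely suspect, and escalates to an alert on a burst of them or on any write to a canary path. The share paths, canary paths, thresholds and file contents are all constructed for the example; the fanotify wiring itself is left out so the block runs anywhere.

```python
import math
import random
from collections import Counter, deque

# Constructed canary locations; in practice these are seeded across shares and
# never touched by any legitimate job.
CANARY_PATHS = {
    "/srv/share/finance/.canary/00-do-not-open.xlsx",
    "/srv/share/photos/.canary/00-do-not-open.jpg",
}

# Headers of formats whose bodies are high-entropy by design (compressed or encrypted).
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}


def shannon_entropy(data):
    """Bits per byte: 8.0 for uniformly random data, roughly 4 to 5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data):
    """Crude stand-in for `file`: a format name if a known header is present, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


class RansomwareWriteMonitor:
    """Consumes (path, final contents) close-after-write events and returns a verdict each.

    One unrecognised high-entropy file is only "suspect" (users do store archives and
    encrypted containers); `burst_threshold` of them within the last `burst_window`
    events, or any write to a canary file, is an "alert".
    """

    def __init__(self, entropy_threshold=7.5, burst_threshold=3, burst_window=20):
        self.entropy_threshold = entropy_threshold
        self.burst_threshold = burst_threshold
        self.recent = deque(maxlen=burst_window)   # 1 per suspect event, 0 per benign one

    def observe(self, path, data):
        if path in CANARY_PATHS:
            return ("alert", "canary file modified: " + path)
        kind = identify(data)
        ent = shannon_entropy(data)
        if kind is not None:
            self.recent.append(0)
            return ("ok", f"recognised {kind} (entropy {ent:.2f})")
        if ent < self.entropy_threshold:
            self.recent.append(0)
            return ("ok", f"low entropy {ent:.2f}")
        self.recent.append(1)
        suspects = sum(self.recent)
        if suspects >= self.burst_threshold:
            return ("alert", f"{suspects} unrecognised high-entropy writes in last {len(self.recent)} events")
        return ("suspect", f"unrecognised high-entropy content (entropy {ent:.2f})")


def constructed_events():
    """Constructed event stream: normal work, then a run of encrypted-looking files, then a canary hit."""
    rng = random.Random(2019)   # seeded so the sample is reproducible
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return [
        ("/srv/share/docs/notes.txt", b"Rotate the NAS admin password and turn off password SSH auth.\n" * 20),
        ("/srv/share/photos/holiday.jpg", b"\xff\xd8\xff\xe0" + rand(2048)),
        ("/srv/share/docs/report.docx.crypt", rand(4096)),
        ("/srv/share/docs/budget.xlsx.crypt", rand(4096)),
        ("/srv/share/docs/plan.pdf.crypt", rand(4096)),
        ("/srv/share/finance/.canary/00-do-not-open.xlsx", rand(1024)),
    ]


def run(events=None):
    """Feed the events through one monitor and return the verdict labels in order."""
    mon = RansomwareWriteMonitor()
    return [mon.observe(p, d)[0] for p, d in (events or constructed_events())]


if __name__ == "__main__":
    for (path, _), verdict in zip(constructed_events(), run()):
        print(f"{verdict:8} {path}")
```

The entropy test alone is noisy on a NAS, because backups, media and encrypted containers are exactly what such shares hold; that is why the burst counter and the canary files carry the alerting weight, and why a monitor that only observes close-after-write events sees the damage after the fact. Stopping the write rather than reporting it needs fanotify's permission events, and the verdict logic above stays the same either way.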