posted by Fnord666 on Monday July 15 2019, @09:15AM   Printer-friendly
from the NASty dept.

QNAPCrypt is ransomware that specifically targets Linux-based Network Attached Storage (NAS) devices. This unusual breed of malware is currently in the wild and is being spread through 15 separate campaigns.

NAS servers are an attractive target to ransomware authors for multiple reasons.

First, they often hold large amounts of important data, so people and companies are more desperate to recover it than they would be for a typical client system.
Second, endpoint protection that watches for encryption activity is rarely deployed on them, so the malware is less likely to be detected before it has finished encrypting.

"What often happens in a ransomware attack would be that a desktop machine, which is Windows or OS X, would be compromised through an existing vulnerability or phishing campaign," [Chris Morales, head of security analytics at Vectra] explained. "Once the host is infected, malware is designed to propagate across user systems and encrypt network file servers that are connected to those systems. By targeting the network file server directly, it is highly likely the attack is circumventing detection by endpoint security tools that are monitoring for the local encryption behaviors."

The QNAPCrypt campaign was initially stalled by the malware analysis company Intezer, which took advantage of a design flaw in how the command-and-control (C2) server handed out Bitcoin wallets to effectively deny service to the malware.

"[the C2 server] does not create a new wallet for each new victim in real time, but rather it pulls a wallet address from a fixed, predetermined list," explained the researchers.

Second, because the list is static it is also finite. "Once all of the wallets are allocated (or sent), the ransomware would not be able to continue its malicious operation in the victim's machine," they said.

This opened the door for Intezer to mount what was essentially a denial-of-service (DoS) attack: by simulating the infection of more than 1,091 victims it exhausted the list of unique Bitcoin wallets the attackers had available to hand out.
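A toy model of the wallet-allocation flaw described above, added here as an illustration; it is not Intezer's tooling, and the request format, the class and function names, and the sample addresses are all assumptions. It models only the two facts the researchers state: the server pops addresses from a fixed list rather than generating one per victim, and a victim that receives no wallet cannot proceed.

```python
"""Toy model of a C2 that allocates ransom wallets from a static, finite list.

Added example, not the real QNAPCrypt protocol. WalletPool, victim_run and
simulate_fake_victims are assumed names; the addresses are constructed.
"""
from collections import deque

# Constructed placeholder strings standing in for the attackers' static list
# (not real wallet addresses). Kept tiny so the exhaustion is easy to follow.
STATIC_WALLETS = [f"bc1qtestwallet{i:04d}" for i in range(5)]


class WalletPool:
    """Models the server side: pop from a fixed list, never replenish."""

    def __init__(self, wallets):
        self._free = deque(wallets)
        self.allocated = {}  # victim_id -> wallet already handed out

    def allocate(self, victim_id):
        """Return a wallet for this victim, or None once the list is drained.

        A repeat request from a known victim returns the same wallet, so
        re-check-ins do not consume entries; only new victim IDs do.
        """
        if victim_id in self.allocated:
            return self.allocated[victim_id]
        if not self._free:
            return None
        wallet = self._free.popleft()
        self.allocated[victim_id] = wallet
        return wallet

    def remaining(self):
        return len(self._free)


def victim_run(pool, victim_id):
    """Client side as the researchers describe it: no wallet, no encryption."""
    wallet = pool.allocate(victim_id)
    if wallet is None:
        return "aborted: no wallet available"
    return f"encrypting, ransom note points to {wallet}"


def simulate_fake_victims(pool, count):
    """The DoS: register fake victims until the allocator runs dry.

    Returns how many wallets were actually obtained before exhaustion.
    """
    obtained = 0
    for i in range(count):
        if pool.allocate(f"fake-{i}") is None:
            break
        obtained += 1
    return obtained


def demo():
    """Drain the pool with fake victims, then see what a real victim gets."""
    pool = WalletPool(STATIC_WALLETS)
    drained = simulate_fake_victims(pool, count=1000)
    outcome = victim_run(pool, "real-nas-01")
    return drained, pool.remaining(), outcome


if __name__ == "__main__":
    drained, left, outcome = demo()
    print(f"fake victims served: {drained}, wallets left: {left}")
    print(f"real victim outcome: {outcome}")
```

The defender-side lesson generalises beyond this malware: any finite server-side resource that an unauthenticated client can claim with a cheap request (here, one fake check-in per wallet) can be exhausted by whoever sends the most requests. The same review question applies to your own provisioning endpoints.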

Once on a network, the malware scans for other NAS devices.

Intezer determined that the initial attack vector for the campaigns is SSH brute-forcing, so administrators should replace weak or default credentials with strong passwords to avoid infection.
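A simple sliding-window detector for the SSH password brute-forcing named above, added here as an example; it is not from the article or from Intezer's report. The log lines are constructed in the usual OpenSSH syslog format, and the threshold, window, year and function names are assumptions.

```python
"""Flag SSH password brute force in sshd syslog lines with a sliding window.

Added example. THRESHOLD and WINDOW are assumed tuning values; SAMPLE_LOG is
constructed, not captured from a real NAS. Lines must be in time order, as
they are in a log file.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Common OpenSSH messages as written by syslog: "Mon DD HH:MM:SS host sshd[pid]: ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

THRESHOLD = 5   # failures from one source within WINDOW seconds -> alert
WINDOW = 60

# Constructed sample: a fast guesser that eventually succeeds, one ordinary
# typo followed by a key login, and a slow guesser pacing 90 s between tries.
SAMPLE_LOG = """\
Jul 15 03:12:01 nas sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jul 15 03:12:03 nas sshd[2211]: Failed password for root from 198.51.100.7 port 41023 ssh2
Jul 15 03:12:04 nas sshd[2212]: Failed password for invalid user pi from 198.51.100.7 port 41024 ssh2
Jul 15 03:12:06 nas sshd[2213]: Failed password for root from 198.51.100.7 port 41025 ssh2
Jul 15 03:12:07 nas sshd[2214]: Failed password for root from 198.51.100.7 port 41026 ssh2
Jul 15 03:12:09 nas sshd[2215]: Accepted password for root from 198.51.100.7 port 41027 ssh2
Jul 15 03:20:10 nas sshd[2300]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jul 15 03:25:15 nas sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
Jul 15 03:30:00 nas sshd[2400]: Failed password for root from 203.0.113.5 port 60000 ssh2
Jul 15 03:31:30 nas sshd[2401]: Failed password for root from 203.0.113.5 port 60001 ssh2
Jul 15 03:33:00 nas sshd[2402]: Failed password for root from 203.0.113.5 port 60002 ssh2
Jul 15 03:34:30 nas sshd[2403]: Failed password for root from 203.0.113.5 port 60003 ssh2
Jul 15 03:36:00 nas sshd[2404]: Failed password for root from 203.0.113.5 port 60004 ssh2
"""


def parse_ts(ts, year=2019):
    """Syslog timestamps carry no year; assume one (year rollover not handled)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(ip, total_failures, later_succeeded)] for sources that crossed
    `threshold` failures inside any `window`-second span.

    later_succeeded is the case that needs immediate response: a flagged
    source subsequently got an Accepted line, i.e. a guess worked.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    totals = Counter()            # ip -> every failure seen
    flagged = []                  # ips in the order they crossed the threshold
    succeeded = set()             # flagged ips that later logged in
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, t = m["ip"], parse_ts(m["ts"])
            totals[ip] += 1
            q = recent[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.append(ip)
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            succeeded.add(m["ip"])
    return [(ip, totals[ip], ip in succeeded) for ip in flagged]


if __name__ == "__main__":
    for ip, n, got_in in detect_bruteforce(SAMPLE_LOG.splitlines()):
        status = "SUCCEEDED, treat as compromised" if got_in else "blocked so far"
        print(f"{ip}: {n} failed logins, {status}")
```

Two caveats a practitioner should keep in mind. The slow source in the sample (90 s between tries) never trips a 60 s window; widening the window (try `window=600`) catches it, at the cost of more noise, which is why tools such as fail2ban make both knobs configurable. More fundamentally, a strong password only raises the cost of guessing; setting `PasswordAuthentication no` in sshd_config and using keys removes the vector the article describes altogether.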

Full Analysis of the QNAPCrypt Ransomware


  • (Score: 1, Interesting) by Anonymous Coward on Monday July 15 2019, @10:03PM


    It does make you think: if you ran BusyBox on HURD, would Stallman insist on you calling it HURD or BusyBox+HURD?

    Does remind me of a guy, with a stellar-looking resume and application, who talked himself out of a job when, during our interview with him, he kept insisting on calling it GNU/Linux, even after being informed that the stack he would be dealing with used BusyBox for the core utilities. Later, after a mention of how he would write a "systemd socket file" to solve a hypothetical problem, he was told that systemd was not running on the machines and could not be installed on them. He said, "Oh, I see the confusion, you are running a [finger quotes] B. S. D. Unix-like operating system [end finger quotes]. In that case I'd just install it from ports. It works just fine, I've done it before." My manager just got up and walked out. The email summarizing his thoughts on that candidate was a sight to behold.
