QNAPCrypt Continues to Spread Via Brute Force Attacks
A rare instance of ransomware targeting Linux-based file storage systems, or network-attached storage (NAS) servers, has been spotted, spreading via 15 separate but related attack campaigns. According to researchers, the hackers behind the attacks are continuing their operations, so the number of targets is expected to grow. The malware is called QNAPCrypt after QNAP, one of the larger NAS server vendors.
NAS servers normally store large amounts of important data and files, which makes them a valuable target for hackers and a desirable target for ransomware campaigns. QNAPCrypt has a few attributes that differ from standard ransomware. Like many ransomware families, this ARM variant encrypts all files, but the ransom note is delivered as a text file left on the machine, with no message shown on screen, since the victim is a server and not an endpoint.
Every victim is provided with a different, unique Bitcoin wallet, a feature that helps the hackers avoid being traced. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control (C2) server before file encryption begins. It's this wallet function that has proved to be a bit of an Achilles' heel for the hackers. Researchers identified two major design flaws that allowed them to temporarily block the hackers' operations.
The list of Bitcoin wallets was static and created in advance of the attack. The malware therefore does not create a new wallet for each new victim in real time; it pulls a wallet address from a fixed, predetermined list. Being static, the list is also finite. Once all of the wallets have been handed out, the ransomware cannot continue its malicious operation on the victim's machine. This allowed researchers to mount a denial-of-service (DoS) attack by simulating the infection of more than 1,091 victims, forcing the attackers to run through the list of unique Bitcoin wallets they had available to supply to their victims.
Researchers observed that new victim configuration keys were retrieved through a request to the attackers' REST API over a connection to a SOCKS5 proxy. Herein lies the second design flaw: the connection to the SOCKS5 proxy is completed without any authentication enforced, so anyone has the capability to connect to it. Since the authors behind this ransomware were delivering one Bitcoin wallet per victim from a static pool of already generated wallets, researchers could replicate the infection packets to retrieve all of the wallets until the attackers had no further wallets under their control. As a result, when a real infection occurred, the ransomware client was unable to retrieve its configuration artifacts.
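The two flaws above (a finite, pre-generated wallet list and a registration endpoint anyone can reach) combine into a single failure mode: once the pool is drained, the next genuine infection gets no configuration and encryption cannot start. The following model, added here as an illustration and not code from the article or from the research team, reproduces that mechanism in-process. The class names, the wallet strings and the RSA key placeholder are constructed; the pool size of 1,091 simply matches the number of simulated victims the article mentions.

```python
"""Model of the static-wallet-pool flaw described in the article.

Added illustration; all names and values are constructed placeholders.
There is no network code: the "C2" and the "client" are plain Python
objects so the exhaustion behaviour can be studied offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class VictimConfig:
    """What the real C2 returned per victim: a wallet and an RSA public key."""
    wallet: str
    rsa_public_key: str  # placeholder; the real C2 served a public key


@dataclass
class StaticPoolC2:
    """C2 with a finite, pre-generated wallet list (the design flaw).

    The allocator has no notion of *who* is asking, so any registration
    request, genuine or simulated, consumes one wallet permanently.
    """
    wallets: list[str]
    rsa_public_key: str = "-----CONSTRUCTED RSA PUBLIC KEY PLACEHOLDER-----"
    served: int = 0

    def register_victim(self) -> Optional[VictimConfig]:
        """Hand out the next unused wallet; None once the list is exhausted."""
        if self.served >= len(self.wallets):
            return None
        cfg = VictimConfig(self.wallets[self.served], self.rsa_public_key)
        self.served += 1
        return cfg

    def remaining(self) -> int:
        return len(self.wallets) - self.served


def build_constructed_pool(n: int) -> list[str]:
    """Constructed, obviously fake wallet identifiers for the simulation."""
    return [f"constructed-wallet-{i:04d}" for i in range(n)]


def drain_pool(c2: StaticPoolC2) -> int:
    """Simulate registrations until the C2 has nothing left.

    Returns how many registrations succeeded; for a static list this is
    exactly the number of wallets that were still unallocated.
    """
    count = 0
    while c2.register_victim() is not None:
        count += 1
    return count


def infection_can_proceed(c2: StaticPoolC2) -> bool:
    """Model of the ransomware client: it encrypts only if it obtained a config."""
    return c2.register_victim() is not None


if __name__ == "__main__":
    c2 = StaticPoolC2(wallets=build_constructed_pool(1091))
    print("first victim gets a config:", infection_can_proceed(c2))
    print("wallets drained by simulated registrations:", drain_pool(c2))
    print("genuine infection after exhaustion can proceed:", infection_can_proceed(c2))
```

The model makes the dependency explicit: the client's ability to encrypt is gated on the C2 answering, and the C2's ability to answer is gated on a counter that only ever increases. Nothing in the allocator distinguishes a real victim from a replayed registration, which is why exhausting the list from outside was enough to stall real infections.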
Unfortunately, the hackers took notice, and it did not take long for them to update the QNAPCrypt variants. The authors updated their implants to patch this design flaw in their infrastructure and continue their malicious operations. This newer implant reuses a large portion of code from older instances of x86 Linux.Rex, a malware that made headlines in 2016 as a self-replicating trojan that uses infected machines to build a peer-to-peer botnet for ransomware and DDoS operations.