{
	"id": "822fd823-7ec5-4dba-9344-3ce9d79665a3",
	"created_at": "2026-04-06T00:09:04.423217Z",
	"updated_at": "2026-04-10T03:22:01.698038Z",
	"deleted_at": null,
	"sha1_hash": "2fc68118d9a4df361f1a37f8149ed14dac7ba49b",
	"title": "New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149924,
	"plain_text": "New eCh0raix Ransomware Variant Targets QNAP and Synology\r\nNetwork-Attached Storage Devices\r\nBy Ruchna Nigam, Haozhe Zhang, Zhibin Zhang\r\nPublished: 2021-08-10 · Archived: 2026-04-05 16:20:09 UTC\r\nExecutive Summary\r\nUnit 42 researchers have discovered a new variant of eCh0raix ransomware targeting Synology network-attached storage\r\n(NAS) and Quality Network Appliance Provider (QNAP) NAS devices. To achieve this, attackers are also leveraging CVE-2021-28799 to deliver the new eCh0raix ransomware variant to QNAP devices. While eCh0raix is known ransomware that\r\nhas historically targeted QNAP and Synology NAS devices in separate campaigns, this new variant is the first time we’ve\r\nseen it combining functionality to target both QNAP and Synology NAS devices, demonstrating that some ransomware\r\ndevelopers are continuing to invest in optimizing the tools used to target devices common in the small office and home\r\noffice (SOHO).\r\nWe’re regularly seeing attacks with the eCh0raix ransomware variant, which has been active in the wild for nearly a year. As\r\nrecently as June, victims have reported paying a modest ransom.\r\nWe’re releasing our findings about this new variant of eCh0raix to raise awareness of the ongoing threats to the SOHO and\r\nsmall business sectors. Coverage of the ransomware crisis tends to focus on threats to large enterprises and government\r\nagencies, which are facing increasingly aggressive and disruptive ransomware attacks. 
However, the SOHO and small\r\nbusiness sectors can contain a large attack surface for threat actors – for example, some 250,000 QNAP and Synology NAS\r\ndevices are exposed to the public internet, according to data from the Cortex Xpanse platform.\r\nSOHO users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use\r\nSOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms.\r\nAdditionally, SOHO users typically do not employ dedicated IT or security professionals, which makes them less prepared\r\nto block ransomware attacks than larger organizations.\r\nWe recommend the following best practices for protecting home offices from ransomware attacks:\r\nUpdate device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against\r\nCVE-2021-28799 can be found on the QNAP website.\r\nCreate complex login passwords to make brute-forcing more difficult for attackers.\r\nLimit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network\r\nattacks that are used to deliver ransomware to devices.\r\nPalo Alto Networks customers are protected against eCh0raix and CVE-2021-28799 with Next-Generation Firewalls with\r\nThreat Prevention, WildFire and Advanced URL Filtering security subscriptions; Cortex Xpanse and AutoFocus.\r\nCVE-2021-28799: Exploit in the Wild\r\nOn April 22, QNAP released a security advisory to disclose a vulnerability within their Hybrid Backup Sync (HBS 3)\r\nsoftware. This software provides backup, restoration and synchronization functions between local, remote and cloud storage\r\nspaces. The vulnerability has been confirmed as an improper authorization vulnerability. Once exploited, it allows remote\r\nattackers to log in to the devices. 
CVE-2021-28799 is assigned to this vulnerability.\r\nOn June 21, we caught an attack targeting QNAP HBS3 with an exploit of CVE-2021-28799. While this vulnerability has\r\nbeen exploited to deliver QLocker in the past, this is the first instance we know of in which it is being exploited to deliver\r\neCh0raix (also known as QNAPCrypt) ransomware. The payload of the malicious request is shown in Figure 1. The attack\r\ntried to utilize a hard-coded session ID \"jisoosocoolhbsmgnt\" to bypass authentication and execute a command on the\r\ndevice, aiming to fetch malware from the remote server 64[.]42[.]152[.]46 and run it on the victim device. The payload is\r\nstill live at the time of this writing.\r\nhttps://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/\r\nPage 1 of 9\n\nFigure 1. CVE-2021-28799 exploit.\r\nWhile eCh0raix has historically targeted QNAP devices, further analysis of the payload led to the discovery that this is a\r\nnew variant of the ransomware that also targets Synology devices, thereby increasing its attack surface.\r\nTimeline of the New eCh0raix Ransomware Variant\r\nTo the best of our knowledge, details on the eCh0raix ransomware samples targeting these Synology devices were unknown\r\nuntil now. Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only\r\nprevious research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found.\r\nThe first sample we saw of this new ransomware variant combining functionality to target both QNAP and Synology devices\r\nis from September 2020. It’s possible that is when the combined variant was authored. Before then, the attackers likely had\r\nseparate codebases for campaigns targeting devices from each of the vendors. 
This is also confirmed by the use of\r\nrct_cryptor_universal as the project name in the new variant, going by the compilation paths present in GoLang binaries\r\n(/home/dev/GoglandProjects/src/rct_cryptor_universal). Prior samples of eCh0raix use the project name qnap_crypt_worker.\r\nWe observed other eCh0raix samples between June and September 2020 using the rct_cryptor_universal project name, but\r\nthe first full-blown sample with two separate code flows, based on a syno flag (explained below), is from September 2020.\r\nGoing by posts from victims in forums, it appears the eCh0raix ransomware is quite active. The attackers have found\r\nsuccess extorting ransom out of victims, an example of which can be seen on BleepingComputer.com, where the ransom\r\nwas paid as recently as June 16, 2021.\r\nQuerying Cortex Xpanse for NAS devices gives us a rough estimate of the number of devices from each vendor connected\r\nto the internet (i.e. the attack surface for this ransomware). Xpanse tells us there are approximately 240,000 internet-connected QNAP NAS devices. In contrast, Xpanse found approximately 3,500 Synology NAS devices – a much smaller\r\nnumber. This tells us the additional target doesn’t significantly increase the ransomware’s attack surface.\r\nTechnical Analysis\r\nThe new variant accepts an additional syno flag as an input parameter. The two accepted flags are explained below in Table\r\n1.\r\nFlag: s\r\nName: start path\r\nDescription/Significance: A string value that determines the path on the targeted device where the ransomware encrypts files. The default value is “/”. The exploit we observed in the wild specified this value as “/share/” (see Figure 1). This value is also ignored if the syno flag is set, in which case the start path value is a hardcoded list of paths.\r\nFlag: syno\r\nName: is syno?\r\nDescription/Significance: This is a Boolean value accepted by this new variant. 
By default, it is not set, but if explicitly set using the syno input parameter, a hardcoded path is used for encrypting files. The hardcoded path used is /volume[X] (where X takes on values from 0 to 9). This essentially means that the ransomware tries to encrypt the first 10 numbered volumes on the device. This aligns with the name of the flag syno since Synology NAS devices specifically store their data under volumes.\r\nTable 1. Input arguments supported by the new variant.\r\nCheckIsRunning: After launch, the ransomware first checks whether another instance of the process is already running.\r\nThis is done by checking for a [SampleName].pid file in the temporary directory on the system. The temporary directory\r\nlocation is determined either by the value of the TMPDIR environment variable, or /tmp is used if the environment variable\r\nis not set. If found, the ransomware tries to read an integer value from this file and kill the corresponding process ID on the\r\nsystem. If it fails to kill the existing process, it prints a message: “Program is running. Exiting…” and exits. If no existing\r\nrunning process is found, or the ransomware succeeds at killing a previously running process, it initializes the .pid file in the\r\ntemporary directory with the value of its own process ID.\r\ncheckReadmeExists: Next, the binary checks for the presence of a ransom note file. In the original variant, this file was\r\nnamed README_FOR_DECRYPT.txt. However, this new variant uses the filename README_FOR_DECRYPT.txtt (with\r\nthe extra trailing ‘t’). Perhaps the typo is an easy way for the attackers to distinguish between campaigns. 
This thread in the\r\nQNAP user forum starting March 21, 2021, shows this new variant has been active and contains victims’ accounts from\r\ninstances of successful infection.\r\nIf this file already exists on the device, the binary exits.\r\ngetInfo: If a preexisting ransom note file is not found and program execution continues, the ransomware attempts to connect\r\nto a Tor URL via a hard-coded SOCKS proxy – see Indicators of Compromise (IoCs) below. This URL serves as the\r\ncommand and control (C2) server and returns a JSON object containing:\r\nThe AES key used to encrypt files on the system.\r\nThe ransom note.\r\nA Bitcoin address that is included in the ransom note.\r\nWe managed to find one of the C2 URLs still live, which returned a response with the JSON object described above, as seen\r\nin Figure 2.\r\nFigure 2. C2 response.\r\nAn interesting thing to note is that the new variant uses a different URL format for communicating with the C2 using an API\r\nkey, instead of using Campaign ID numbers as the previous variant did (see Table 3 for variant comparison).\r\nIf the sample fails to connect to the C2 or receive a meaningful response, it exits with the rather amusing log message, “AES\r\npublic key not set!” (AES is a symmetric encryption algorithm, thus the concept of public or private keys is moot in this\r\ncase.)\r\nmain: Following all these steps, the ransomware iterates through the list of files at a path determined by the flag values\r\n(syno and s) explained in Table 1. 
Any files in this path containing the following strings are ignored:\r\n/proc, /boot/, /sys/, /run/, /dev/, /etc/, /home/httpd, /mnt/ext/opt, .system/thumbnail, .system/opt, .config, .qpkg, /usr/syno, /tmp, /volume1/@appstore/PhotoStation, .@analytic, qnapSystem.php, README_FOR_DECRYPT.txtt, .@backup_config, .antivirus, .ldapdb, .@backup_qbox, .appDB, .locks, .@backup_qfiling, .idmap, .log, .@qmariadb, .php_session_sys, .qbox\r\nTable 2. Files excluded from encryption.\r\nThe encryption algorithm used is the same as that used by the original variant (AES CFB), and the same extension\r\n(.encrypt) is appended to encrypted files, with the eCh0raix string used as a marker in the files to verify successful\r\ndecryption by decryptors. However, this new variant doesn’t generate the AES key locally, but rather receives it directly\r\nfrom the C2.\r\nThe new variant also implements encryption in two stages based on file extensions. The ransomware first iterates through\r\nfiles with the following 42 extensions and encrypts them:\r\n.arw, .c, .c++, .cfg, .cpp, .cs, .csv, .cxx, .doc, .docb, .docm, .docx, .go, .h, .hwp, .jpe, .jpeg, .jpg, .pdf, .pl, .png, .psd, .py, .rtf,\r\n.svg, .tif, .tile, .txt, .wallet, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xps\r\nWe hypothesize that this is a higher-priority subset of extensions focusing on data that would be of value to the average user.\r\nThus, it is more likely for the ransom to be paid to recover this data. These extensions are likely encrypted first to prioritize\r\nvaluable data in case the ransomware fails to complete its encryption process.\r\nAfter the encryption of files with the first set of extensions, files matching a longer list of 530 unique file extensions are\r\nencrypted. These are included in the appendix. 
We noticed the .docx extension is included on both lists, so those files would\r\nget encrypted twice.\r\nThe original variant targeted a total of 563 unique extensions, all encrypted as part of the same routine (also included in the\r\nappendix).\r\nInput Flags\r\n  New Variant: -s : start path; -syno : is syno?\r\n  Old Variant: -s : start path\r\nProject Name\r\n  New Variant: rct_cryptor_universal\r\n  Old Variant: qnap_crypt_worker\r\nRansom Note Filename\r\n  New Variant: README_FOR_DECRYPT.txtt\r\n  Old Variant: README_FOR_DECRYPT.txt\r\nC2 Communication Format\r\n  New Variant: https://[TOR-Domain]/api/GetAvailKeysByApiKey/[key]\r\n  Old Variant: http://[TOR-Domain]/api/GetAvailKeysByCampId/[number]\r\nEncryption Method\r\n  New Variant: Encryption is carried out in two steps, focusing on a short list of higher priority extensions first. AES encryption key received from C2. 42+530 unique file extensions targeted.\r\n  Old Variant: Encryption carried out in one go. AES encryption key generated locally. 563 unique file extensions targeted.\r\nSaves ransomware PID in a temporary directory?\r\n  New Variant: Yes\r\n  Old Variant: No\r\nKills certain running processes?\r\n  New Variant: No\r\n  Old Variant: Yes\r\nTable 3. Variant comparison.\r\nConclusion\r\nThe discussion of this new variant of eCh0raix ransomware provides an example of the ongoing threats to the SOHO and\r\nsmall business sectors. 
These sectors represent a large attack surface for threat actors – for example, some 250,000 QNAP\r\nand Synology NAS devices are exposed to the public internet, according to data from the Cortex Xpanse platform.\r\nSOHO users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use\r\nSOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms.\r\nAdditionally, SOHO users typically do not employ dedicated IT or security professionals, which makes them less prepared\r\nto block ransomware attacks than larger organizations.\r\nWe recommend the following best practices for protecting home offices from ransomware attacks:\r\nUpdate device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against\r\nCVE-2021-28799 can be found on the QNAP website. \r\nCreate complex login passwords to make brute-forcing more difficult for attackers.\r\nLimit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network\r\nattacks that are used to deliver ransomware to devices.\r\nPalo Alto Networks customers are protected from eCh0raix ransomware and CVE-2021-28799 by the following products\r\nand services:\r\nNext-Generation Firewalls with a Threat Prevention security subscription can block the attacks with best practice via\r\nThreat Prevention signature 91323.\r\nWildFire accurately detects and blocks these attacks.\r\nCortex Xpanse provides attack surface management for your connected assets.\r\nAdvanced URL Filtering blocks malicious malware domains.\r\nAutoFocus customers can track this activity with the eCh0raix tag.\r\nIndicators of Compromise\r\nInitial samples using the same project name as the new variant, but without the syno flag.\r\nSocks5 Proxies used\r\n161[.]35.151.35:9100\r\n185[.]10.68.89:9100\r\n185[.]181.229.175:9100\r\n176[.]122.23.54:9100\r\nAppendix\r\n530 file extensions targeted by the new variant (in addition to the 42 extensions mentioned in the Technical Analysis\r\nsection).\r\n.1st, .3ds, .3fr, .4db, .4dd, .602, .7-zip, .7z, .7zip, .a4p, .a5w, .abf, .abw, .accdb, .accdt, .act, .adoc, .adr, .aep, .aes, .aex, .ai,\r\n.aim, .alx, .an, .ans, .ap, .apk, .apkg, .appcache, .apt, .arch00, .arj, .aro, .asa, .asax, .asc, .ascii, .ascx, .ase, .ashx, .asmx, .asp,\r\n.aspx, .asr, .asset, .atom, .att, .aty, .au, .awm, .awp, .awt, .aww, .axd, .bak, .bar, .bat, .bay, .bc6, .bc7, .bckup, .big, .bik, .bin,\r\n.bit, .bkf, .bkp, .blob, .bml, .bok, .bpw, .br, .browser, .bsa, .btapp, .bwp, .bz2, 
.cas, .cat, .ccbjs, .cdf, .cdr, .cer, .cfm, .cfml, .cfr,\r\n.cha, .chat, .chm, .cms, .codasite, .compressed, .con, .cpg, .cphd, .cr2, .crl, .crp, .crt, .crw, .cshtml, .csp, .csr, .css, .ctlg, .cuix,\r\n.d3dbsp, .dap, .das, .dat, .dazip, .db0, .dba, .dbf, .dbm, .dbx, .dcr, .der, .desc, .dhtml, .disco, .discomap, .dml, .dmp, .dng, .do,\r\n.dochtml, .docmhtml, .docx, .dot, .dothtml, .dotm, .dotx, .download, .dwf, .dwfx, .dwg, .dwk, .dwl, .dwl2, .dwt, .dxf, .dxg,\r\n.ece, .edge, .eml, .epibrw, .epk, .eps, .erf, .esm, .esproj, .ewp, .far, .fcgi, .fdb, .ff, .fit, .fits, .flv, .fmp, .forge, .fos, .fpk,\r\n.freeway, .fsh, .fw, .fwp, .fwtb, .fwtemplate, .fwtemplateb, .gcode, .gdb, .gho, .gif, .gne, .gpg, .gsp, .gxk, .gz, .gzip, .hdm,\r\n.hdml, .hkdb, .hkx, .hplg, .htaccess, .htc, .htm, .html, .htx, .hvpl, .hxs, .hype, .hyperesources, .hypesymbol, .hypetemplate,\r\n.ibank, .icxs, .idc, .idx, .ifx, .indd, .iqy, .itdb, .itl, .itm, .itms, .itpc, .iwd, .iwdgt, .iwi, .jcz, .jhtml, .jnlp, .js, .json, .jsp, .jspa,\r\n.jspx, .jss, .jst, .jvs, .jws, .kdb, .kdbx, .kdc, .key, .kf, .kit, .kmz, .ksd, .lasso, .layout, .lbc, .lbf, .less, .litemod, .lrf, .lsp, .ltx,\r\n.lvl, .lzh, .lzma, .m, .m2, .m3u, .maff, .map, .mapx, .master, .max, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu,\r\n.mht, .mhtml, .mjs, .mlx, .mnr, .mov, .moz, .mpd, .mpp, .mpqge, .mrwref, .mspx, .muse, .mvc, .mvr, .myo, .nba, .nbf, .ncf,\r\n.ngc, .nod, .nrw, .nsf, .ntl, .nv2, .nxg, .nzb, .oam, .obml, .obml15, .obml16, .odb, .odc, .odm, .odp, .ods, .odt, .ofx, .ognc, .olp,\r\n.opml, .orf, .oth, .p12, .p7, .p7b, .p7c, .pac, .page, .pak, .param, .pdb, .pdd, .pef, .pem, .pfx, .pgp, .php2, .php3, .php4, .php5,\r\n.phtm, .phtml, .pkpass, .plist, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptmhtml, .pptx, .prf,\r\n.pro, .prproj, .ps, .psk, .psp, .pst, .psw, .ptw, .ptx, .pub, .qba, .qbb, .qbo, .qbw, .qbx, .qdf, 
.qf, .qfx, .qic, .qif, .qrm, .r3d, .raf,\r\n.rar, .raw, .rb, .re4, .rflw, .rgss3a, .rhtml, .rim, .rjs, .rofl, .rsn, .rss, .rt, .rw2, .rw3, .rwl, .rwp, .rwsw, .rwtheme, .s, .saj, .sass,\r\n.sav, .saveddeck, .sb, .scss, .sdb, .sdc, .sdf, .seam, .sh, .sht, .shtm, .shtml, .sid, .sidd, .sidn, .sie, .sis, .site, .sitemap, .sites,\r\n.sites2, .sko, .sldasm, .sldm, .sldprt, .sldx, .slm, .snx, .sparkle, .spc, .sql, .sr2, .src, .srf, .srw, .ssp, .stc, .step, .stl, .stm, .stml,\r\n.stp, .suck, .sum, .svc, .svr, .swz, .sxc, .syncdb, .t12, .t13, .tar, .tar.bz2, .tax, .tbl, .tbz, .tcl, .tgz, .tib, .tor, .tpl, .tvpi, .tvvi, .ucf,\r\n.uhtml, .upk, .url, .vbd, .vbhtml, .vbo, .vbs, .vcf, .vdf, .vdi, .vdw, .vfs0, .vhdx, .vlp, .vlx, .vmdk, .vmem, .vmx, .vpk, .vpp_pc,\r\n.vrml, .vrt, .vsdisco, .vtf, .w3x, .wb2, .wbs, .wbxml, .wdb, .wdgt, .web, .webarchive, .webarchivexml, .webbookmark,\r\n.webhistory, .webloc, .website, .wgp, .wgt, .whtt, .widget, .wml, .wmo, .wmv, .wn, .woa, .wotreplay, .wpd, .wpp, .wps, .wpx,\r\n.wrf, .wsdl, .x3f, .x_t, .xbel, .xbl, .xbm, .xcf.gz, .xf, .xfdl, .xht, .xhtm, .xhtml, .xlk, .xml, .xpd, .xpm, .xss, .xul, .xwd, .xws,\r\n.xxx, .z, .zfo, .zhtml, .zip, .ztmp, .zul, .zvz, tar.gz, tbz2\r\n563 File Extensions targeted by the original\r\nvariant (154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357).\r\n.1st, .3ds, .3fr, .4db, .4dd, .602, .7-zip, .7z, .7zip, .a4p, .a5w, .abf, .abw, .accdb, .accdt, .act, .adoc, .adr, .aep, .aes, .aex, .ai,\r\n.aim, .alx, .an, .ans, .ap, .apk, .apkg, .appcache, .apt, .arch00, .arj, .aro, .arw, .asa, .asax, .asc, .ascii, .ascx, .ase, .ashx, .asmx,\r\n.asp, .aspx, .asr, .asset, .atom, .att, .aty, .au, .avi, .awm, .awp, .awt, .aww, .axd, .bar, .bat, .bay, .bc6, .bc7, .bckup, .big, .bik,\r\n.bin, .bit, .bkf, .bkp, .blob, .bml, .bok, .bpw, .br, .browser, .bsa, .btapp, .bwp, .bz2, .c, .c++, .cab, .cas, .cat, .ccbjs, .cdf, .cdr,\r\n.cer, .cfg, .cfm, .cfml, .cfr, .cha, .chat, .chm, .cms, .codasite, .compressed, .con, .cpg, .cphd, 
.cpp, .cr2, .crl, .crp, .crt, .crw,\r\n.cs, .cshtml, .csp, .csr, .css, .csv, .ctlg, .cxx, .d3dbsp, .dap, .das, .dat, .dazip, .db0, .dba, .dbf, .dbm, .dbx, .dcr, .der, .desc,\r\n.dhtml, .disco, .discomap, .dll, .dml, .dmp, .dng, .do, .doc, .docb, .dochtml, .docm, .docmhtml, .docx, .dot, .dothtml, .dotm,\r\n.dotx, .download, .dwfx, .dwg, .dwk, .dwt, .dxf, .dxg, .ece, .edge, .eml, .epibrw, .epk, .eps, .erf, .esm, .esproj, .ewp, .far, .fcgi,\r\n.fdb, .ff, .fit, .fits, .flv, .fmp, .forge, .fos, .fpk, .freeway, .fsh, .fwp, .fwtb, .fwtemplate, .fwtemplateb, .gcode, .gdb, .gho, .gif,\r\n.gne, .go, .gpg, .gsp, .gxk, .gzip, .h, .hdm, .hdml, .hkdb, .hkx, .hplg, .htaccess, .htc, .htm, .html, .htx, .hvpl, .hxs, .hype,\r\n.hyperesources, .hypesymbol, .hypetemplate, .ibank, .icxs, .idc, .idx, .ifx, .indd, .iqy, .iso, .itdb, .itl, .itm, .itms, .itpc, .iwd,\r\n.iwdgt, .iwi, .jcz, .jhtml, .jnlp, .jpe, .jpeg, .jpg, .js, .json, .jsp, .jspa, .jspx, .jss, .jst, .jvs, .jws, .kdb, .kdbx, .kdc, .key, .kf, .kit,\r\n.ksd, .lasso, .layout, .lbc, .lbf, .less, .litemod, .lrf, .ltx, .lvl, .lzh, .lzma, .m2, .m3u, .m4a, .maff, .map, .mapx, .master, .max,\r\n.mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mht, .mhtml, .mjs, .mlx, .mov, .moz, .mp3, .mpd, .mpp, .mpqge,\r\n.mrwref, .mspx, .muse, .mvc, .mvr, .myo, .nba, .nbf, .ncf, .ngc, .nod, .nrw, .nsf, .ntl, .nv2, .nxg, .nzb, .oam, .obml, .obml15,\r\n.obml16, .odb, .odc, .odm, .odp, .ods, .odt, .ofx, .ognc, .olp, .opml, .orf, .oth, .p12, .p7, .p7b, .p7c, .pac, .page, .pak, .pdb,\r\n.pdd, .pdf, .pef, .pem, .pfx, .pgp, .php, .php2, .php3, .php4, .php5, .phtm, .phtml, .pkpass, .pl, .plist, .png, .pot, .potm, .potx,\r\n.ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptmhtml, .pptx, .prf, .pro, .prproj, .ps, .psd, .psk, .psp, .pst, .psw, .ptw,\r\n.ptx, .pub, .py, .qba, .qbb, .qbo, .qbw, .qbx, .qdf, .qf, .qfx, .qic, .qif, .qrm, .r3d, .raf, .rar, .raw, .rb, .re4, .rflw, .rgss3a, .rhtml,\r\n.rim, .rjs, .rofl, .rsn, .rss, .rt, .rtf, .rw2, 
.rw3, .rwl, .rwp, .rwsw, .rwtheme, .s, .saj, .sass, .sav, .saveddeck, .sb, .scss, .sdb, .sdc,\r\n.sdf, .seam, .sh, .sht, .shtm, .shtml, .sid, .sidd, .sidn, .sie, .sis, .site, .sitemap, .sites, .sites2, .sko, .sldasm, .sldm, .sldprt, .sldx,\r\n.slm, .snx, .sparkle, .spc, .sql, .sr2, .src, .srf, .srw, .ssp, .stc, .step, .stl, .stm, .stml, .stp, .suck, .sum, .svc, .svg, .svr, .swz, .sxc,\r\n.syncdb, .t12, .t13, .tar, .tar.bz2, .tax, .tbl, .tbz, .tcl, .tgz, .tib, .tor, .tpl, .tvpi, .tvvi, .txt, .ucf, .uhtml, .upk, .url, .vbd, .vbhtml,\r\n.vbo, .vcf, .vdf, .vdi, .vdw, .vfs0, .vhdx, .vlp, .vmdk, .vmem, .vmx, .vpk, .vpp_pc, .vrml, .vrt, .vsdisco, .vtf, .w3x, .wallet,\r\n.wav, .wb2, .wbs, .wbxml, .wdb, .wdgt, .web, .webarchive, .webarchivexml, .webbookmark, .webhistory, .webloc, .website,\r\n.wgp, .wgt, .whtt, .widget, .wma, .wml, .wmo, .wmv, .wn, .woa, .wotreplay, .wpd, .wpp, .wps, .wpx, .wrf, .wsdl, .x3f, .x_t,\r\n.xbel, .xbl, .xbm, .xcf.gz, .xf, .xfdl, .xht, .xhtm, .xhtml, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx,\r\n.xlw, .xml, .xpd, .xpm, .xps, .xss, .xul, .xwd, .xws, .xxx, .z, .zfo, .zhtml, .zip, .ztmp, .zul, .zvz, tar.gz, tbz2\r\nTable of Contents\r\nExecutive Summary\r\nCVE-2021-28799: Exploit in the Wild\r\nTimeline of the New eCh0raix Ransomware Variant\r\nTechnical Analysis\r\nConclusion\r\nhttps://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/\r\nPage 8 of 9\n\nRelated Articles\r\nUnderstanding the Russian Cyberthreat to the 2026 Winter Olympics\r\nFrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications\r\nNew Vulnerability in QNAP QTS Firmware: CVE-2023-50358\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/\r\nhttps://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/\r\nPage 9 of 9\n\n530 file extensions section). 
targeted by the new variant (in addition to the 42 extensions mentioned in the Technical Analysis \n.1st, .3ds, .3fr, .4db, .4dd, .602, .7-zip, .7z, .7zip, .a4p, .a5w, .abf, .abw, .accdb, .accdt, .act, .adoc, .adr, .aep, .aes, .aex, .ai,\n.aim, .alx, .an, .ans, .ap, .apk, .apkg, .appcache, .apt, .arch00, .arj, .aro, .asa, .asax, .asc, .ascii, .ascx, .ase, .ashx, .asmx, .asp,\n.aspx, .asr, .asset, .atom, .att, .aty, .au, .awm, .awp, .awt, .aww, .axd, .bak, .bar, .bat, .bay, .bc6, .bc7, .bckup, .big, .bik, .bin,\n.bit, .bkf, .bkp, .blob, .bml, .bok, .bpw, .br, .browser, .bsa, .btapp, .bwp, .bz2, .cas, .cat, .ccbjs, .cdf, .cdr, .cer, .cfm, .cfml, .cfr,\n.cha, .chat, .chm, .cms, .codasite, .compressed, .con, .cpg, .cphd, .cr2, .crl, .crp, .crt, .crw, .cshtml, .csp, .csr, .css, .ctlg, .cuix,\n.d3dbsp, .dap, .das, .dat, .dazip, .db0, .dba, .dbf, .dbm, .dbx, .dcr, .der, .desc, .dhtml, .disco, .discomap, .dml, .dmp, .dng, .do,\n.dochtml, .docmhtml, .docx, .dot, .dothtml, .dotm, .dotx, .download, .dwf, .dwfx, .dwg, .dwk, .dwl, .dwl2, .dwt, .dxf, .dxg,\n.ece, .edge, .eml, .epibrw, .epk, .eps, .erf, .esm, .esproj, .ewp, .far, .fcgi, .fdb, .ff, .fit, .fits, .flv, .fmp, .forge, .fos, .fpk, \n.freeway, .fsh, .fw, .fwp, .fwtb, .fwtemplate, .fwtemplateb, .gcode, .gdb, .gho, .gif, .gne, .gpg, .gsp, .gxk, .gz, .gzip, .hdm,\n.hdml, .hkdb, .hkx, .hplg, .htaccess, .htc, .htm, .html, .htx, .hvpl, .hxs, .hype, .hyperesources, .hypesymbol, .hypetemplate, \n.ibank, .icxs, .idc, .idx, .ifx, .indd, .iqy, .itdb, .itl, .itm, .itms, .itpc, .iwd, .iwdgt, .iwi, .jcz, .jhtml, .jnlp, .js, .json, .jsp, .jspa,\n.jspx, .jss, .jst, .jvs, .jws, .kdb, .kdbx, .kdc, .key, .kf, .kit, .kmz, .ksd, .lasso, .layout, .lbc, .lbf, .less, .litemod, .lrf, .lsp, .ltx,\n   Page 7 of 9   \n\n.mht, .mhtml, .mjs, .ngc, .nod, .nrw, .mlx, .mnr, .mov, .nsf, .ntl, .nv2, .nxg, .moz, .mpd, .mpp, .nzb, .oam, .obml, .mpqge, .mrwref, .mspx, .obml15, .obml16, .muse, .mvc, .odb, .odc, .odm, .mvr, .myo, .nba, .odp, .ods, .odt, .nbf, 
.ncf, .ofx, .ognc, .olp,\n.opml, .orf, .oth, .p12, .p7, .p7b, .p7c, .pac, .page, .pak, .param, .pdb, .pdd, .pef, .pem, .pfx, .pgp, .php2, .php3, .php4, .php5,\n.phtm, .phtml, .pkpass, .plist, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptmhtml, .pptx, .prf,\n.pro, .prproj, .ps, .psk, .psp, .pst, .psw, .ptw, .ptx, .pub, .qba, .qbb, .qbo, .qbw, .qbx, .qdf, .qf, .qfx, .qic, .qif, .qrm, .r3d, .raf,\n.rar, .raw, .rb, .re4, .rflw, .rgss3a, .rhtml, .rim, .rjs, .rofl, .rsn, .rss, .rt, .rw2, .rw3, .rwl, .rwp, .rwsw, .rwtheme, .s, .saj, .sass,\n.sav, .saveddeck, .sb, .scss, .sdb, .sdc, .sdf, .seam, .sh, .sht, .shtm, .shtml, .sid, .sidd, .sidn, .sie, .sis, .site, .sitemap, .sites,\n.sites2, .sko, .sldasm, .sldm, .sldprt, .sldx, .slm, .snx, .sparkle, .spc, .sql, .sr2, .src, .srf, .srw, .ssp, .stc, .step, .stl, .stm, .stml,\n.stp, .suck, .sum, .svc, .svr, .swz, .sxc, .syncdb, .t12, .t13, .tar, .tar.bz2, .tax, .tbl, .tbz, .tcl, .tgz, .tib, .tor, .tpl, .tvpi, .tvvi, .ucf,\n.uhtml, .upk, .url, .vbd, .vbhtml, .vbo, .vbs, .vcf, .vdf, .vdi, .vdw, .vfs0, .vhdx, .vlp, .vlx, .vmdk, .vmem, .vmx, .vpk, .vpp_pc,\n.vrml, .vrt, .vsdisco, .vtf, .w3x, .wb2, .wbs, .wbxml, .wdb, .wdgt, .web, .webarchive, .webarchivexml, .webbookmark, \n.webhistory, .webloc, .website, .wgp, .wgt, .whtt, .widget, .wml, .wmo, .wmv, .wn, .woa, .wotreplay, .wpd, .wpp, .wps, .wpx,\n.wrf, .wsdl, .x3f, .x_t, .xbel, .xbl, .xbm, .xcf.gz, .xf, .xfdl, .xht, .xhtm, .xhtml, .xlk, .xml, .xpd, .xpm, .xss, .xul, .xwd, .xws,\n.xxx, .z, .zfo, .zhtml, .zip, .ztmp, .zul, .zvz, tar.gz, tbz2    \n563 File Extensions targeted by the original    \nvariant(154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357).      
\n.1st, .3ds, .3fr, .4db, .4dd, .602, .7-zip, .7z, .7zip, .a4p, .a5w, .abf, .abw, .accdb, .accdt, .act, .adoc, .adr, .aep, .aes, .aex, .ai,\n.aim, .alx, .an, .ans, .ap, .apk, .apkg, .appcache, .apt, .arch00, .arj, .aro, .arw, .asa, .asax, .asc, .ascii, .ascx, .ase, .ashx, .asmx,\n.asp, .aspx, .asr, .asset, .atom, .att, .aty, .au, .avi, .awm, .awp, .awt, .aww, .axd, .bar, .bat, .bay, .bc6, .bc7, .bckup, .big, .bik,\n.bin, .bit, .bkf, .bkp, .blob, .bml, .bok, .bpw, .br, .browser, .bsa, .btapp, .bwp, .bz2, .c, .c++, .cab, .cas, .cat, .ccbjs, .cdf, .cdr,\n.cer, .cfg, .cfm, .cfml, .cfr, .cha, .chat, .chm, .cms, .codasite, .compressed, .con, .cpg, .cphd, .cpp, .cr2, .crl, .crp, .crt, .crw,\n.cs, .cshtml, .csp, .csr, .css, .csv, .ctlg, .cxx, .d3dbsp, .dap, .das, .dat, .dazip, .db0, .dba, .dbf, .dbm, .dbx, .dcr, .der, .desc,\n.dhtml, .disco, .discomap, .dll, .dml, .dmp, .dng, .do, .doc, .docb, .dochtml, .docm, .docmhtml, .docx, .dot, .dothtml, .dotm,\n.dotx, .download, .dwfx, .dwg, .dwk, .dwt, .dxf, .dxg, .ece, .edge, .eml, .epibrw, .epk, .eps, .erf, .esm, .esproj, .ewp, .far, .fcgi,\n.fdb, .ff, .fit, .fits, .flv, .fmp, .forge, .fos, .fpk, .freeway, .fsh, .fwp, .fwtb, .fwtemplate, .fwtemplateb, .gcode, .gdb, .gho, .gif,\n.gne, .go, .gpg, .gsp, .gxk, .gzip, .h, .hdm, .hdml, .hkdb, .hkx, .hplg, .htaccess, .htc, .htm, .html, .htx, .hvpl, .hxs, .hype,\n.hyperesources, .hypesymbol, .hypetemplate, .ibank, .icxs, .idc, .idx, .ifx, .indd, .iqy, .iso, .itdb, .itl, .itm, .itms, .itpc, .iwd,\n.iwdgt, .iwi, .jcz, .jhtml, .jnlp, .jpe, .jpeg, .jpg, .js, .json, .jsp, .jspa, .jspx, .jss, .jst, .jvs, .jws, .kdb, .kdbx, .kdc, .key, .kf, .kit,\n.ksd, .lasso, .layout, .lbc, .lbf, .less, .litemod, .lrf, .ltx, .lvl, .lzh, .lzma, .m2, .m3u, .m4a, .maff, .map, .mapx, .master, .max,\n.mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mht, .mhtml, .mjs, .mlx, .mov, .moz, .mp3, .mpd, .mpp, .mpqge,\n.mrwref, .mspx, .muse, .mvc, .mvr, .myo, .nba, .nbf, .ncf, .ngc, .nod, .nrw, .nsf, .ntl, .nv2, 
.nxg, .nzb, .oam, .obml, .obml15,\n.obml16, .odb, .odc, .odm, .odp, .ods, .odt, .ofx, .ognc, .olp, .opml, .orf, .oth, .p12, .p7, .p7b, .p7c, .pac, .page, .pak, .pdb,\n.pdd, .pdf, .pef, .pem, .pfx, .pgp, .php, .php2, .php3, .php4, .php5, .phtm, .phtml, .pkpass, .pl, .plist, .png, .pot, .potm, .potx,\n.ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptmhtml, .pptx, .prf, .pro, .prproj, .ps, .psd, .psk, .psp, .pst, .psw, .ptw,\n.ptx, .pub, .py, .qba, .qbb, .qbo, .qbw, .qbx, .qdf, .qf, .qfx, .qic, .qif, .qrm, .r3d, .raf, .rar, .raw, .rb, .re4, .rflw, .rgss3a, .rhtml,\n.rim, .rjs, .rofl, .rsn, .rss, .rt, .rtf, .rw2, .rw3, .rwl, .rwp, .rwsw, .rwtheme, .s, .saj, .sass, .sav, .saveddeck, .sb, .scss, .sdb, .sdc,\n.sdf, .seam, .sh, .sht, .shtm, .shtml, .sid, .sidd, .sidn, .sie, .sis, .site, .sitemap, .sites, .sites2, .sko, .sldasm, .sldm, .sldprt, .sldx,\n.slm, .snx, .sparkle, .spc, .sql, .sr2, .src, .srf, .srw, .ssp, .stc, .step, .stl, .stm, .stml, .stp, .suck, .sum, .svc, .svg, .svr, .swz, .sxc,\n.syncdb, .t12, .t13, .tar, .tar.bz2, .tax, .tbl, .tbz, .tcl, .tgz, .tib, .tor, .tpl, .tvpi, .tvvi, .txt, .ucf, .uhtml, .upk, .url, .vbd, .vbhtml,\n.vbo, .vcf, .vdf, .vdi, .vdw, .vfs0, .vhdx, .vlp, .vmdk, .vmem, .vmx, .vpk, .vpp_pc, .vrml, .vrt, .vsdisco, .vtf, .w3x, .wallet,\n.wav, .wb2, .wbs, .wbxml, .wdb, .wdgt, .web, .webarchive, .webarchivexml, .webbookmark, .webhistory, .webloc, .website,\n.wgp, .wgt, .whtt, .widget, .wma, .wml, .wmo, .wmv, .wn, .woa, .wotreplay, .wpd, .wpp, .wps, .wpx, .wrf, .wsdl, .x3f, .x_t,\n.xbel, .xbl, .xbm, .xcf.gz, .xf, .xfdl, .xht, .xhtm, .xhtml, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx,\n.xlw, .xml, .xpd, .xpm, .xps, .xss, .xul, .xwd, .xws, .xxx, .z, .zfo, .zhtml, .zip, .ztmp, .zul, .zvz, tar.gz, tbz2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/"
	],
	"report_names": [
		"ech0raix-ransomware-soho"
	],
	"threat_actors": [],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fc68118d9a4df361f1a37f8149ed14dac7ba49b.pdf",
		"text": "https://archive.orkl.eu/2fc68118d9a4df361f1a37f8149ed14dac7ba49b.txt",
		"img": "https://archive.orkl.eu/2fc68118d9a4df361f1a37f8149ed14dac7ba49b.jpg"
	}
}