{
	"id": "68261686-8241-4889-9efa-91eb78691c61",
	"created_at": "2026-04-06T00:06:36.752766Z",
	"updated_at": "2026-04-10T03:22:05.446093Z",
	"deleted_at": null,
	"sha1_hash": "d635c3696b4959ee69cf025a167bc029622f0acb",
	"title": "The eCh0raix Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71632,
	"plain_text": "The eCh0raix Ransomware\r\nBy Anomali Threat Research\r\nPublished: 2026-03-12 · Archived: 2026-04-05 20:54:27 UTC\r\nIntroduction\r\nAnomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends the .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below.\r\nAll your data has been locked(crypted). How to unclock(decrypt) instruction located in this TOR webs\r\nNote that there is a typo in the ransom note, which may indicate that the actors behind this campaign are not native English speakers.\r\nQNAP Technical Breakdown\r\nThe malware is written and compiled in the Go programming language. The ransomware is very simple, with its source code being fewer than 400 lines. A reconstruction of the source code tree is shown below. The functionality is standard for a ransomware: check if already encrypted, walk the file system for files to encrypt, encrypt the files, and produce the ransom note.\r\nPackage main: /home/user/go/src/qnap_crypt_worker File: main.go getInfo Lines: 61 to 123 (62\r\nUpon execution, the malware reaches out to the URL http://192.99.206[.]61/d.php?s=started and notifies the Command and Control (C2) that the encryption process has begun, as shown in Figure 1.\r\nFigure 1 - Checks if the instance is already running by reaching out to a C2 IP. If it is, exit process.\r\nEstablishing C2 connection\r\nThe malware communicates to the C2 sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000, as seen in Figures 2 and 3. Based on the analysis it is clear that the proxy has been set up by the malware author to provide Tor network access to the malware without including Tor functionality in the malware.\r\nhttps://www.anomali.com/blog/the-ech0raix-ransomware\r\nPage 1 of 4\r\nFigure 2 - Port scan results on Proxy IP.\r\nFigure 3 - Connects via SOCKS5 proxy\r\nThe malware retrieves the RSA public key and the ‘readme’ text content from the C2 server. One of the samples analyzed used the URL “http://sg3dwqfpnr4sl5hh[.]onion/api/GetAvailKeysByCampId/10”, which possibly suggests this was the 10th campaign run by the threat actor. The data returned by the C2 server is encoded in JSON and the malware unserializes the data into the following Go data struct:\r\ntype main.Info struct { RsaPublicKey string Readme string }\r\nEncryption Module\r\nThe module generates a 32 character random string from the array “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^\u0026*()_+” to create an AES-256 key. By using this fixed set of characters, the effective key space is 192-bit. As can be seen in Figure 4, the malware initializes the math random package with the seed of the current time. Since it is using the math package to generate the secret key, it is not cryptographically random and it is likely possible to write a decryptor.\r\nFigure 4 - Set the math random seed with the current time.\r\nThe generated AES key is then encrypted with a public key which was either embedded in the malware sample or retrieved from the C2 server, depending on the version of the malware. The resulting string is then encoded with base64 and added to the README_FOR_DECRYPT.txt file.\r\nBefore the malware encrypts any files, it proceeds to kill the below list of processes. The processes are stopped on the infected NAS by issuing the commands “service stop %s” or “systemctl stop %s”.\r\napache2\r\nhttpd\r\nnginx\r\nmysqld\r\nmysql\r\nphp-fpm\r\nphp5-fpm\r\npostgresql\r\nFile Encryption\r\nThe files are encrypted with AES in Cipher Feedback Mode (CFB) with the secret key that was generated. When selecting files to encrypt, the ransomware skips any files where the absolute path for the file contains any of the strings listed below.\r\n/proc\r\n/boot/\r\n/sys/\r\n/run/\r\n/dev/\r\n/etc/\r\n/home/httpd\r\n/mnt/ext/opt\r\n.system/thumbnail\r\n.system/opt\r\n.config\r\n.qpkg\r\nIf the path does not contain any of the strings, it checks the file extension for the file. If the file extension is one of the extensions shown below, the ransomware encrypts the file. The encrypted data is written to a new file with the original name and file extension but with the extension “.encrypt” appended to the end. Once the file has been written, the original file is removed.\r\n.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm\r\nOnce the entire encryption process is completed, the malware reaches out to the URL http://192.99.206.61/d[.]php?s=done and sends the command “done” to notify the completion of encryption, Figure 5.\r\nFigure 5 - Send “done” to C2\r\nC2 Analysis\r\nThe analyzed C2 URL (http://sg3dwqfpnr4sl5hh[.]onion) has partial directory listing enabled, and after browsing through the directories, Anomali researchers were able to find a sample named “linux_crypter”. The sample was packed by UPX. Analysis of the unpacked sample confirmed that it is written in Go and had some modifications to the previously analyzed sample. The sample found on the C2 checks the locale of the infected NAS for Belarus, Ukraine, or Russia and exits without doing anything if a match is found. This technique is common amongst threat actors, particularly when they do not wish to infect users in their home country.\r\nAnalysis\r\nThe eCh0raix ransomware, named after a string found in the malware, is a ransomware used in targeted attacks. It appears not to be designed for mass distribution. The samples with a hardcoded public key appear to be compiled for the target with a unique key for each target. Otherwise the decryptor sold by the threat actor could be used for all victims. The samples that fetch the public key and ransom note from the C2 server also send a request when they start and when they are done. This is probably used to provide the threat actor with live feedback. The request does not include any identifiable information for the threat actor to discern multiple targets.\r\nThe threat actor targets QNAP NAS devices that are used for file storage and backups. It is not common for these devices to run antivirus products, and currently the samples are only detected by 2-3 products on VirusTotal, Figure 6, which allows the ransomware to run uninhibited. It is not known how these devices are infected. According to a post on Bleeping Computer’s forum, some infected systems were not fully patched and others reported detections of failed login attempts.\r\nFigure 6 - Low detection rate on VirusTotal\r\n“During my research, the nas pops me severals time with the message \"HTTP Login Failed\", like every second.”\r\n- zerocool64\r\n“Seems all of us are using QNAP NAS, which version of QTS where you using at the time of the attack? Mine was 4.1.3”\r\n- eggxpert\r\n“I've found a lot of .encrypt files on my RAID 6 in my QNAP TS-459 Pro II with 4.2.6 firmware”\r\n- alew1s3\r\n“I've activated system registry and suddenly there are a lot of attempts to login via HTTP in my myqnapcloud by strange usernames and IPs so i totally disabled it”\r\n- alew1s3\r\n“Same as someone already explained: lot of login failed that day.”\r\n- lucagiroletti\r\nFigure 7 - Content from BleepingComputer forum post\r\nSource: https://www.anomali.com/blog/the-ech0raix-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.anomali.com/blog/the-ech0raix-ransomware"
	],
	"report_names": [
		"the-ech0raix-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d635c3696b4959ee69cf025a167bc029622f0acb.pdf",
		"text": "https://archive.orkl.eu/d635c3696b4959ee69cf025a167bc029622f0acb.txt",
		"img": "https://archive.orkl.eu/d635c3696b4959ee69cf025a167bc029622f0acb.jpg"
	}
}