eCh0raix QNAPCrypt/Synology-NAS

Last night my home NAS which is an 8-Bay 24 Terabyte multimedia storage was hit with a cryptovirus variant called the MUHSTIK. My NAS contained photos archive, home videos, Movies, TV series & some music as well as full PC backups which is now unreadable. This new variant of the eCh0raix has started to gain traction in the last 48-72 hours with users reporting it on BleepingComputer.Com forums which seems to be targeting QNAP devices. It is believed that a Russian Cybercrime group FullofDeep was behind campaigns targeting Qnap Storage Devices.

Ransom Note

All your files have been encrypted.
You can find the steps to decrypt them in any the following links:
http://13.234.89.185/.unlock/payment/7e916d33-f7a2-46f0-807b-d2e38492a12e   Could go offline at any time
http://51.38.231.30/.unlock/payment/7e916d33-f7a2-46f0-807b-d2e38492a12e   Could go offline at any time
Or use TOR link, guaranteed Online 100% of the time:
http://5mngytmdpeyyp6xk.onion/payment/7e916d33-f7a2-46f0-807b-d2e38492a12e   Use TOR browser to access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to

Do NOT remove this file and DO NOT remove last line in this file!
Your ID: 7e916d33-f7a2-46f0-807b-d2e38492a12e

The files are encrypted and extensions are changed to “.muhstik” this ransomware also attacks apps that are not installed by QNAP App Center by default. You will notice this due to the icons being replaced by a generic QPKG icon. Currently there is no solution to decrypting the files and I have asked QNAP support to investigate and analyse the diagnostic logs. I’m hoping to clean and sanitize the machine until I find a way to make my files readable again. And no I’m not paying these assholes any money.

Update: Qnap has posted a security advisory about MUHSTIK.

Recommendations

To avoid attacks, you must:

  1. Use a stronger password for phpMyAdmin.
  2. Keep phpMyAdmin disabled whenever possible. Only enable this application when configuring settings.
  3. Update QTS to the latest version.
  4. Install and update Security Counselor to the latest version.
  5. Use a stronger admin password.
  6. Enable Network Access Protection to protect accounts from brute force attacks.
  7. Disable SSH and Telnet services if you are not using them.
  8. Avoid using default port numbers 443 and 8080.
  9. Update phpMyAdmin to the latest version.

Changing the password for phpMyAdmin

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “phpMyAdmin” and then press ENTER.
    The phpMyAdmin application appears in the search results list.
  4. Click Open.
    phpMyAdmin opens in a new tab.
  5. Log on to phpMyAdmin as root.
  6. Under General settings, click Change password.
    The Change password window appears.
  7. Select Password.
  8. Specify the new password.
    QNAP recommends the following criteria to improve password strength:
    • Should be at least 8 characters in length
    • Should include both uppercase and lowercase characters
    • Should include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  9. Verify the new password.
  10. Click Go.
    The password is changed.

Disabling phpMyAdmin

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “phpMyAdmin”, and then press ENTER.
    The phpMyAdmin application appears in the search results list.
  4. Click V and then select Stop.
    The application is disabled.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Installing/Updating and running the latest version of Security Counselor

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “Security Counselor”, and then press ENTER.
    The Security Counselor application appears in the search results list.
  4. Click Install or Update.
    A confirmation message appears.
  5. Click OK.
    The application is installed or updated to the latest version.
  6. Open Security Counselor.
  7. Click Start Scan.
    Security Counselor scans the NAS for rules.

Changing the Device Password

  1. Log on to QTS as administrator.
  2. Click the profile picture on the QTS Task Bar.
    The Options window opens.
  3. Click Change Password.
  4. Specify the old password.
  5. Specify the new password.
    QNAP recommends the following criteria to improve password strength:
    • Should be at least 8 characters in length
    • Should include both uppercase and lowercase characters
    • Should include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  6. Verify the new password.
  7. Click Apply.

Enabling Network Access Protection

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System Security > Network Access Protection.
  3. Configure SSH protection.
    1. Select SSH.
    2. Specify a time period and the number of failed login attempts.
  4. Configure HTTP(S) protection.
    1. Select HTTP(S).
    2. Specify a time period and the number of failed login attempts.
  5. Click Apply.

Disabling SSH and Telnet Connections

  1. Log on to QTS as administrator.
  2. Go to Control Panel > Network & File Services > Telnet/SSH.
  3. Deselect Allow Telnet connection.
  4. Deselect Allow SSH connection.
  5. Click Apply.

Changing the System Port Number

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > General Settings > System Administration.
  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.
  4. Click Apply.

Changing the SQL Server default password

  1. Log on to QTS as administrator.
  2. Go to Control Panel > Applications > SQL Server  > Change Root Password.
  3. Specify a new root password.
    Warning: Do not use default or a simple password.
  4. Click Apply.

Updating phpMyAdmin to the latest version.

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “phpMyAdmin”, and then press ENTER.
    The phpMyAdmin application appears in the search results list.
  4. Click Update.
    A confirmation message appears.
    Note: This option is not available if your application is already up to date.
  5. Click OK.
    The application is updated to the latest version.

2 Replies to “eCh0raix QNAPCrypt/Synology-NAS”

  1. Hallo Ron,
    at my QNAP NAS exact the same issue. All files are encrypted and has a .muhstik extension.
    PC’s in my environment are not affected. Only the files on the NAS.
    I think the weak-point is in the QNAP-OS.

    I’m not paying this assholes too!

    Franz

    1. Hi Franz,

      Sorry to hear that you’ve become a victim too and I’m hoping there is a solution to this in the near future. Another user from the bleepingcomputer.com forums provided a decryption tool for another variant in July but that’s not working with MUHSTIK.

      Let me know what you ended up doing. I’ve opened a technical support ticket with QNAP and they are currently analysing the diagnostic logs.

      Regards,

      Ron

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.