A few days ago, my QNAP TS-469 was also infected by eCh0raix. It appears to be the newer version.
Just to be clear, for this new variant, has anyone been able to find the decryption keys without paying the ransom?
Is it a lost cause to try the exhaustive search?
Thank you!
I had received this awesome gift on my QNAP too. This infected all of our files, including all family pics, all business pics and documents. Yes, I know I am a total idiot for leaving that open to this type of hack, but I didn't take any of that seriously. I always thought no one wants the little guy, and I will be the first to say I was wrong!
I tried the exhaustive search on 3 computers for over a week solid with no luck. I believe the chances of randomly trying keys are similar to hitting the lottery, not a BINGO lottery but more like Powerball.
I paid. I really didn't want to, but I did get everything back and paid their Black Friday sale price of 0.021 BTC. I got it all and used the decryptor you are using, pointing "find key" at the files the pirates sent. All came back and I only lost about 10 files. I took this as a learning experience and spent time setting up NAS security, including paying the small fee for McAfee real-time scanning and turning on firewalls.
Hi, I have the same issue. As you paid, could you tell me what I have to do? I'm not an expert on the dark web or Bitcoin. Please explain it to me well. Thanks.
Merry Xmas to you all! Sucks that this keeps happening, and we need to learn our lesson here so we can stop this madness. First off, I don't think we should be paying at all, but since some of us, including me, didn't keep up security and were lazy about protecting our data, there may be some that have no choice. I am no expert, but I got this same thing and it took everything we had for our business and everything personal. I am such an idiot with my QNAP security that I had to pay!
This is how I did it, and I hope that others will chime in if there is a better way. Follow their instructions and take your time in each step; this is a multi-day process if you don't already have a Coinbase account. The good thing is that the ransomers are also in no hurry at all. If you send to the wrong wallet the money is gone, you will never see it again, and you will have to buy more BTC. I found it super easy using Coinbase. Go open a Coinbase account if you haven't already and wait for all the approvals and checks that need to be done, which can take a day or two.
Make a complete copy of the encrypted files. Use a removable hard drive and keep a full copy of all the encrypted files. I cannot stress enough not to skip this step. This will help you recover anything that may get damaged while decrypting, and you may be able to recover them.
While waiting, go download the Tor Browser as the note suggests. https://www.torproject.org/download/
When you install, do not set the highest security level, because it will block popups and you will not be able to chat with them if you have issues. Actually, it is kinda funny, because they are very helpful in chat if you have any issues.
Once it's all set, open the Tor Browser and copy and paste the address they gave you to get to the ransom page. There it will tell you how much Bitcoin is needed and where to send it.
Go to Coinbase and buy the exact amount of Bitcoin that is required. Do not worry about the dollar amount; buy the fraction of the coin, and do not try to figure the price. Once you buy and everything on Coinbase is approved, you can go to the Send/Receive button in the top right of Coinbase. Make sure you choose Bitcoin (BTC) and use the up/down arrows to send Bitcoin by fraction instead of dollar amount. Make sure you enter the exact amount they are asking for. Then, on the ransom page, they give a long string of letters and numbers and tell you to send the money there; that's their wallet. Send the BTC to that address: copy it from the ransom page and paste it in as the address to send the BTC to.
The next step is to wait a couple of days, continuing to check to see if they received your funds. Once they do, the ransom page will change to the decryptor. I would not use their decryptor, but you still need to download it and save it. Go get the decryptor listed in this chat: https://www.bleepingcomputer.com/ransomware/decryptor/ech0raix-ransomware-decryptor-restores-qnap-files-for-free/
You will use that to decode instead of the hackers' one. Open the decryptor, click on "get key from file" and point it to the file for the system you are using. If you're on Windows 10, click on the win64 file in the decryptor the hackers sent you, and test out a couple of folders. If all is good, you can run it on everything and delete the encrypted files.
Once everything is decrypted, move all the files to a removable hard drive, throw out your NAS and get one that is supported. Move your data back to a new NAS with proper security, software updates, firewall and settings. Take the removable hard drive with the unencrypted copy of all your data, unplug it and set it aside for a future backup. Every month, or sooner if you change a lot of files, plug in your removable hard drive, update your backup and unplug it again for storage.
I think with everyone's help here we may be able to make an easy-to-follow, step-by-step guide for paying if needed, getting to the onion site, decrypting, and finally helping to set us all up with proper security going forward. The only way to beat these guys is to up our security so it can't happen again.
All, please feel free to modify/correct anything I stated. As I said, I am no expert, but that's how I got all my files back.
Edited by jpman13, 25 December 2021 - 03:19 PM.