Recently BleepingComputer has received a flurry of support requests about a new ransomware named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims report that their files have been encrypted and that a note was left demanding a ransom of between 0.4 and 2 bitcoins to get their files back.
Users have also reported that each share on their NAS device contains an Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to "Beauty and the Beast". From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.
SambaCry is a vulnerability in Linux Samba that, when exploited, allows an attacker to open a command shell that can be used to download files and execute commands on the affected device. The method currently being used to infect NAS devices with StorageCrypt appears to be the same one used by the Elf_Shellbind variant that was previously used to distribute miners.
This time around, attackers are using the vulnerability to install a ransomware called StorageCrypt on the device. While we still do not have all the samples of this infection, what we do know is that when Samba is exploited, the exploit executes a command that downloads a file called sambacry, stores it in the /tmp folder as apaceha, and then executes it.
It is not currently known whether this executable is the one that installs StorageCrypt or whether it is used as a backdoor for later access.
Ultimately, StorageCrypt will be installed and all the files on the NAS will be encrypted. When a file is encrypted it will be renamed so that the .locked extension is appended to the filename. The ransomware will also drop a ransom note named _READ_ME_FOR_DECRYPT.txt that contains the ransom amount, the bitcoin address to send payment to, and the email address JeanRenoAParis@protonmail.com to contact after payment.
As previously stated, the infection also adds Autorun.inf and 美女与野兽.exe files to each folder on the NAS in an attempt to infect other computers that open these folders.
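The on-disk artifacts described above (the .locked extension, the _READ_ME_FOR_DECRYPT.txt note, the Autorun.inf and 美女与野兽.exe droppers, and the published SHA256 hashes) are enough to triage a share for this infection. The following scanner is an added example written for this article, not code from BleepingComputer or the ransomware samples; the directory layout it scans is constructed from placeholder files and the file and function names are ours.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 hashes listed in the article for the StorageCrypt components.
KNOWN_HASHES = {
    "90024e7ce704b9a186964cf05bce65fa4b620fff5461036532cafd94db4ae050": "美女与野兽.exe",
    "7ce136262994ca82b1123cde62caf69e42281eb258d641205ba59b55f5558684": "3exfglYZ.so",
    "ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073": "sambacry",
}
RANSOM_NOTE = "_READ_ME_FOR_DECRYPT.txt"
DROPPER_NAMES = {"autorun.inf", "美女与野兽.exe"}  # dropped into every share
ENCRYPTED_EXT = ".locked"  # appended to every encrypted file
# Hash only these names; hashing all user data on a share would be too slow.
HASH_CANDIDATES = DROPPER_NAMES | {n.lower() for n in KNOWN_HASHES.values()}

def scan_share(root) -> dict:
    """Walk a share and collect StorageCrypt indicators by category."""
    found = {"encrypted": [], "ransom_notes": [], "droppers": [], "hash_matches": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(str(p))
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(str(p))
            if name.lower() in DROPPER_NAMES:
                found["droppers"].append(str(p))
            if name.lower() in HASH_CANDIDATES:
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                if digest in KNOWN_HASHES:
                    found["hash_matches"].append((str(p), KNOWN_HASHES[digest]))
    return found

def is_infected(found: dict) -> bool:
    return any(found.values())

def demo() -> dict:
    """Scan a constructed share layout (placeholder files, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="nas_share_"))
    (root / "Photos").mkdir()
    (root / "Photos" / "trip.jpg.locked").write_bytes(b"ciphertext placeholder")
    (root / "Photos" / RANSOM_NOTE).write_text("constructed ransom note text")
    (root / "Autorun.inf").write_text("[autorun]\n")
    (root / "美女与野兽.exe").write_bytes(b"stand-in that will not match a known hash")
    (root / "notes.txt").write_text("untouched file")
    return scan_share(root)
```

Run scan_share() against the mount point of each NAS share; a hash match on a dropper name confirms the known sample, while .locked files and the note alone already indicate the encryption has run.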
At the time of this writing, one of the bitcoin addresses used in the ransom notes has received an incoming transfer of 1 bitcoin. It is unknown if this is a ransom payment or not.
As this ransomware is still being analyzed, if new information is discovered BleepingComputer will update this article.
As SambaCry targets vulnerabilities in the Samba protocol, it is important not to have any of your NAS devices connected directly to the Internet. If a device is connected to the Internet, you will be able to stream and access your files, but it will also be wide open for attackers to exploit.
Instead you should place your NAS behind a firewall and configure a VPN into your network. This allows you to access your NAS and the files stored on it in a secure manner.
SHA256 hashes of the associated files:
美女与野兽.exe - 90024e7ce704b9a186964cf05bce65fa4b620fff5461036532cafd94db4ae050
3exfglYZ.so - 7ce136262994ca82b1123cde62caf69e42281eb258d641205ba59b55f5558684
sambacry - ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073
Text of the _READ_ME_FOR_DECRYPT.txt ransom note:
Warning
Your documents,photos,databases,important files have been encrypted by RSA-4096 and AES-256!
If you modify any file, it may cause make you cannot decrypt!!!
Don't waste your precious time to try decrypt the files.
If there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.
How to decrypt your files ?
You have to pay for decryption in bitcoin
To decrypt your files,please following the steps below
1,Pay 2.0 bitcoin to this address: [bitcoin_address]
Pay To : [bitcoin_address]
Amount : 2.0
2,After you have finished paying,Contact us and Send us your Decrypt-ID via email
3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.
How to obtain bitcoin ?
The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins
https://paxful.com/buy-bitcoin
http://bitcointalk.org/
If you have any questions please do not hesitate to contact us
Contact Email : JeanRenoAParis@protonmail.com
Decrypt-ID :