SambaCry helps to install StorageCrypt ransomware on NAS devices

by Olivia Morelli - - 2017-12-06

Network-attached storage devices are being attacked by StorageCrypt ransomware

Cyber criminals started exploiting Linux Samba vulnerability, also known as SambaCry to install StorageCrypt (or StorageCrypter^[1]) ransomware on the network-attached storage (NAS) devices. The file encrypting-virus demands to from 0.4 to 2 Bitcoins for data recovery.

SambaCry allows attackers to exploit command shell in order to download and run various commands on the device. Criminals have already used the same vulnerability to install a backdoor trojan on NAS devices earlier this year.^[2]

However, it’s still unknown if attackers are installing StorageCrypt ransomware directly or they just open the backdoor and download malware later.

Key features of the StorageCrypt

During the attack, ransomware installs Autorun.inf and 美女与野兽.exe files on each folder on the affected NAS device. According to the latest analysis, the INF file is used for spreading EXE. When a user opens a folder on NSA with the infection, malware sneaks into a new computer.

Furthermore, ransomware starts data encryption process and corrupts various types of files stored on the targeted NAS. After the attack, documents and other data will be damaged with the .locked file extension. Following the encryption, ransomware delivers a ransom note in “_READ_ME_FOR_DECRYPT.txt” file.

The ransom note informs that about data encryption with RSA-4096 and AES-256 algorithms and asks to transfer the demanded sum of Bitcoins to the provided address. Victims report that they were asked to transfer from 0.4 to 2 Bitcoins in exchange for decryption tool.

Once the transaction is made, victims have to send an email to JeanRenoAParis@protonmail.com with their unique ID number provided in the ransom. Crooks promise to respond with a tool and decryption key.

However, security experts warn that this may never happen. Therefore, paying the ransom should not be considered as data recovery option.

Prevention of SambaCry exploitation and ransomware attack

Samba is an open sources project that allows Linux and Unix users access and use file and printer-sharing services. Thus, it supports SMB/CIFS protocol used by Windows. However, security researchers spotted a flaw in Samba’s SMB implementation^[3] which allows remote code execution.

Officially, this vulnerability is known as CVE-2017-7494.^[4] However, it is widely known as SambaCry because it shares similarities with the flaws that were used by infamous WannaCry ransomware in May 2017.

This vulnerability was patched quickly. However, attackers still managed to exploit SambaCry and install cryptocurrency miner EternalMiner.^[5] Though, upgrading to the latest version of the software is needed. Additionally, NSA manufacturers released hardware updates to minimize the possibility of cyber attack too.

Security experts also suggest using VPN connection instead of connecting NAS devices directly to the Internet to avoid StorageCrypt ransomware attack. Setting up a firewall and creating backups is recommended as well.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Olivia Morelli. StorageCrypter ransomware. How to remove? (Uninstall guide). 2-spyware. Security and spyware news.
^ SambaCry Vulnerability Used to Deploy Backdoors on NAS Devices. Information Security Newspaper. IT security news.
^ Paul Ducklin. Samba exploit – not quite WannaCry for Linux, but patch anyway!. Naked Security. Computer security news, opinion, advice and research.
^ CVE-2017-7494. Samba. The official website.
^ Mikhail Kuzin, Yaroslav Shmelev, Dmitry Galov. SambaCry is coming. Securelist. Information about viruses, hackers and spam.