StorageCrypt Ransomware Uses SambaCry Vulnerability to Infect NAS Devices


Security experts have found that the new ransomware family StorageCrypt is using the SambaCry exploit which was patched in May to infect NAS (network-attached storage) devices.

To decrypt the victims’ files, the creators of StorageCrypt ransomware demand between 0.4 and 2 Bitcoins ($5,000 to $25,000) ransom payment.

When infecting NAS devices, StorageCrypt uses the Linux Samba vulnerability known as SambaCry and tracked as CVE-2017-7494.

The flaw lets remote attackers execute arbitrary code on targeted systems by uploading a shared library to a writable share and causing the server to load that library.

The first attempt to abuse the SambaCry vulnerability resulted in targeted systems being infected with a cryptocurrency miner.

This summer, the SHELLBIND malware started abusing the flaw to infect NAS devices.

According to security researchers, the StorageCrypt ransomware leverages SambaCry in the same way as SHELLBIND did.

The cyber attack relies on the exploit executing a command that downloads a file named sambacry, stores it in the /tmp folder as apaceha, and then runs it.

What remains unknown at this point, though, is whether the executable is only used to install the ransomware or whether it also serves as a backdoor for future cyber attacks.

Once installed on the infected device, the StorageCrypt ransomware encrypts and renames the files, appending the .locked extension to each of them.

After that, the malware drops a note containing the ransom amount, the hackers’ Bitcoin address, and the email address JeanRenoAParis@protonmail.com.

Additionally, the StorageCrypt ransomware was spotted dropping two files on the infected NAS devices – Autorun.inf and 美女与野兽.exe (which translates to "Beauty and the Beast").

The former is meant to spread the Windows executable to the machines from which the shared folders on the NAS device are accessed.

To stay safe from StorageCrypt or other malware that abuses SambaCry, security experts advise users to install the latest patches on their computers, as well as to disconnect NAS devices from the Internet.

Users should also consider setting up a firewall and using a VPN for secure access to the network-attached storage.
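For defenders who want to check a NAS share for the traces described above, here is an added example (not code from the article or from any vendor) that walks a share tree and reports the indicators the text names: files renamed with the .locked extension, the Autorun.inf / 美女与野兽.exe pair, and the staged /tmp/apaceha file. Flagging any .so file on a user-data share is an added heuristic, since the exploit needs a shared library on a writable share; the sample tree and the file name libpayload.so are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article. The .so heuristic is an assumption added here:
# the exploit works by placing a shared library on a writable share, so a .so
# sitting on a user-data share is worth a look even if its name is unknown.
LOCKED_SUFFIX = ".locked"
DROPPED_PAIR = {"Autorun.inf", "美女与野兽.exe"}
STAGED_PAYLOAD = Path("/tmp/apaceha")


def scan_share(share_root, staged_payload=STAGED_PAYLOAD):
    """Walk a share tree and collect StorageCrypt-style indicators.

    Returns a dict so the caller can decide what to alert on; nothing is
    deleted or modified.
    """
    findings = {"locked_files": [], "dropper_dirs": [], "shared_libs": []}
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                findings["locked_files"].append(full)
            elif name.endswith(".so"):
                findings["shared_libs"].append(full)
        # Autorun.inf next to the renamed Windows executable is the
        # lateral-spread setup the article describes.
        if DROPPED_PAIR <= set(files):
            findings["dropper_dirs"].append(dirpath)
    # The downloaded stage was stored as /tmp/apaceha on the NAS itself.
    findings["staged_payload"] = Path(staged_payload).is_file()
    return findings


def build_sample_share():
    """Constructed test data: empty files carrying the article's names only."""
    root = Path(tempfile.mkdtemp(prefix="nas_share_"))
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg.locked").touch()
    (root / "photos" / "notes.txt.locked").touch()
    (root / "Autorun.inf").touch()
    (root / "美女与野兽.exe").touch()
    (root / "upload").mkdir()
    (root / "upload" / "libpayload.so").touch()  # hypothetical name
    staged = root / "apaceha"                    # stands in for /tmp/apaceha
    staged.touch()
    return root, staged


if __name__ == "__main__":
    root, staged = build_sample_share()
    print(scan_share(root, staged))
```

Run it against the real share root (and the default /tmp/apaceha path) on a device you suspect; the constructed tree only exists to show what a positive result looks like.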

Nelly Vladimirova

Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott’s College, UK. Presently, she is presenting the latest news related to computer security at www.virusguides.com.
