Security researchers have found that a new ransomware family, StorageCrypt, is using the SambaCry exploit, which targets a Samba flaw patched in May 2017, to infect NAS (network-attached storage) devices.
To decrypt the victims' files, the StorageCrypt operators demand a ransom of between 0.4 and 2 Bitcoin (roughly $5,000 to $25,000 at the time).
To infect NAS devices, StorageCrypt exploits the Samba vulnerability known as SambaCry and tracked as CVE-2017-7494; Samba is the SMB file-sharing service that most Linux-based NAS products run.
The flaw lets a remote attacker execute arbitrary code on the target by uploading a shared library to a writable share and then causing the server to load that library, which runs inside the smbd process. The attacker therefore needs a share it can write to (a guest-writable share is enough) and the library's path on the server's filesystem.
The first observed abuse of SambaCry infected vulnerable systems with a cryptocurrency miner.
In the summer of 2017, the SHELLBIND malware began abusing the flaw to infect NAS devices.
According to security researchers, StorageCrypt exploits SambaCry in the same way SHELLBIND did.
The attack chain is simple: the exploit runs a command that downloads a file named sambacry, saves it in the /tmp folder as apaceha, and then executes it.
What remains unknown at this point is whether that executable only installs the ransomware or also serves as a backdoor for follow-on attacks.
Once running on the device, StorageCrypt encrypts the files and renames them, appending the .locked extension to each.
It then drops a ransom note containing the amount demanded, the attackers' Bitcoin address, and the contact email address JeanRenoAParis@protonmail.com.
StorageCrypt was also seen dropping two files onto the infected NAS shares: Autorun.inf and 美女与野兽.exe (Chinese for "Beauty and the Beast").
The Autorun.inf is meant to launch the Windows executable on the machines from which the NAS folders are opened, spreading the infection to clients. This only works on clients that still honour Autorun.inf on network drives; recent Windows versions do not by default, so the encrypted data on the share, not the dropper, is the main damage.
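The artifacts listed above (the .locked extension, Autorun.inf pointing at 美女与野兽.exe, a note naming JeanRenoAParis@protonmail.com, and the /tmp/apaceha payload) are enough to triage a share or a NAS filesystem. The following scanner is an added example written for this page, not code from the original report or from any vendor tool: it walks a directory tree, records each indicator separately, and treats Autorun.inf on its own as non-conclusive because legitimate media carry one. The sample share it builds is constructed (a random blob stands in for ciphertext, a two-byte "MZ" stub for the executable, and the Bitcoin address in the note is a placeholder).

```python
"""Triage scan for the StorageCrypt artifacts described above.

Added example, not code from the original report or any vendor tool. The
indicator strings (.locked, Autorun.inf, 美女与野兽.exe, the ProtonMail
address, /tmp/apaceha) come from the article; build_sample_share() creates
a constructed, harmless stand-in for an infected share.
"""
import os
import sys
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCKED_EXT = ".locked"
DROPPER_EXE = "美女与野兽.exe"                  # "Beauty and the Beast"
AUTORUN_NAME = "autorun.inf"
RANSOM_EMAIL = "jeanrenoaparis@protonmail.com"  # compared case-insensitively
PAYLOAD_PATH = "/tmp/apaceha"                   # the downloaded "sambacry" binary, renamed
NOTE_MAX_BYTES = 64 * 1024                      # ransom notes are small text files

@dataclass
class Findings:
    locked_files: List[str] = field(default_factory=list)
    autorun_files: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (path, open= target)
    dropper_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    payload_present: bool = False

    @property
    def infected(self) -> bool:
        # Autorun.inf alone is not conclusive (legitimate media carry one).
        return bool(self.locked_files or self.dropper_files
                    or self.ransom_notes or self.payload_present)

def _read_small_text(path: str) -> Optional[str]:
    try:
        if os.path.getsize(path) > NOTE_MAX_BYTES:
            return None
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def _autorun_target(path: str) -> Optional[str]:
    """Executable an Autorun.inf would launch via its open= line, if any."""
    for line in (_read_small_text(path) or "").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "open":
            return value.strip()
    return None

def _is_ransom_note(path: str) -> bool:
    text = _read_small_text(path)
    return text is not None and RANSOM_EMAIL in text.lower()

def scan_share(root: str, payload_path: str = PAYLOAD_PATH) -> Findings:
    """Walk a mounted share (or the NAS root filesystem) and collect indicators."""
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(LOCKED_EXT):
                found.locked_files.append(full)
            elif lowered == AUTORUN_NAME:
                found.autorun_files.append((full, _autorun_target(full)))
            elif name == DROPPER_EXE:
                found.dropper_files.append(full)
            elif _is_ransom_note(full):      # reads every small file; acceptable for triage
                found.ransom_notes.append(full)
    found.payload_present = os.path.isfile(payload_path)  # only meaningful on the device itself
    return found

def build_sample_share() -> str:
    """Constructed sample tree carrying the article's artifacts (no real malware)."""
    root = tempfile.mkdtemp(prefix="storagecrypt_demo_")
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "photos", "holiday.jpg" + LOCKED_EXT), "wb") as fh:
        fh.write(os.urandom(32))                           # stands in for ciphertext
    with open(os.path.join(root, "photos", "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("nothing suspicious here\n")
    with open(os.path.join(root, "Autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=" + DROPPER_EXE + "\n")
    with open(os.path.join(root, DROPPER_EXE), "wb") as fh:
        fh.write(b"MZ")                                    # DOS header only, not runnable
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Send 0.4 Bitcoin to <placeholder address>\n"
                 "and mail JeanRenoAParis@protonmail.com\n")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_share()
    result = scan_share(target)
    print(f"{target}: {'INFECTED' if result.infected else 'clean'}")
    for path in result.locked_files + result.dropper_files + result.ransom_notes:
        print("  artifact:", path)
    for path, exe in result.autorun_files:
        print(f"  autorun: {path} -> {exe}")
```

Run it against a mount point (python3 scan.py /mnt/nas) or with no argument to scan the constructed sample. The /tmp/apaceha check only means something when the script runs on the NAS itself or on an image of its root filesystem; on a client-side mount it is simply reported absent.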
To stay safe from StorageCrypt and other malware that abuses SambaCry, security experts advise installing the latest patches, which for Samba means 4.6.4, 4.5.10, 4.4.14 or later (or a vendor firmware update that includes the fix), and not exposing NAS devices directly to the Internet. Where no patch is available, Samba's documented workaround is to add "nt pipe support = no" to the [global] section of smb.conf, at the cost of breaking some functionality for Windows clients.
Users should also put the NAS behind a firewall that blocks SMB (TCP port 445) from the Internet, and reach it remotely over a VPN instead.
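The two checks a defender can actually run on a Samba host follow from the advice above: is the installed Samba inside the affected version range, and if it cannot be patched, is the "nt pipe support = no" workaround in place? A third question, whether any share is writable by guests, tells you whether the exploit's precondition is met at all. The script below is an added example written for this page, not code from the article or from the Samba project. The fixed versions (4.6.4, 4.5.10, 4.4.14) and the workaround are taken from the Samba advisory; the smb.conf fragments are constructed, and the smbd -V probe is the only part that touches the live system.

```python
"""Check a Samba host for SambaCry (CVE-2017-7494) exposure.

Added example, not code from the article or from the Samba project. The
fixed versions (4.6.4, 4.5.10, 4.4.14) and the 'nt pipe support = no'
workaround come from the Samba advisory; the smb.conf texts are constructed.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
FIRST_AFFECTED: Version = (3, 5, 0)
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Version]:
    """major.minor.patch from strings like 'Version 4.6.3-Ubuntu'."""
    m = VERSION_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def version_is_vulnerable(text: str) -> Optional[bool]:
    """True if the upstream version is in the affected range, None if unparseable.

    Caveat: distributions backport fixes without bumping the upstream version,
    so True means 'check the vendor changelog', not 'confirmed exploitable'.
    """
    v = parse_version(text)
    if v is None:
        return None
    if v < FIRST_AFFECTED or v >= (4, 7, 0):      # 4.7 shipped after the fix
        return False
    fixed = FIXED_IN.get(v[:2])
    return True if fixed is None else v < fixed   # 3.5 .. 4.3: never fixed upstream

def installed_version() -> Optional[str]:
    """Output of 'smbd -V' on this host, or None when smbd is absent."""
    smbd = shutil.which("smbd")
    if smbd is None:
        return None
    try:
        return subprocess.run([smbd, "-V"], capture_output=True, text=True,
                              timeout=10).stdout.strip() or None
    except (OSError, subprocess.TimeoutExpired):
        return None

def parse_smbconf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {normalised key: value}}; a repeated key keeps its last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def has_pipe_workaround(text: str) -> bool:
    """[global] nt pipe support = no, the advisory's workaround when patching is impossible."""
    value = parse_smbconf(text).get("global", {}).get("nt pipe support", "yes")
    return value.strip().lower() in ("no", "false", "0")

def guest_writable_shares(text: str) -> List[str]:
    """Shares an unauthenticated client can write to, which the exploit needs."""
    hits = []
    for name, opts in parse_smbconf(text).items():
        if name == "global":
            continue
        writable = False                               # Samba default: read only = yes
        for key, value in opts.items():                # later synonyms override earlier ones
            if key == "read only":
                writable = not _is_true(value)
            elif key in ("writable", "writeable", "write ok"):
                writable = _is_true(value)
        guest = _is_true(opts.get("guest ok", "no")) or _is_true(opts.get("public", "no"))
        if writable and guest:
            hits.append(name)
    return hits

# Constructed smb.conf fragments: a typical exposed NAS, and the same box with the workaround
# and guest access removed.
SMBCONF_EXPOSED = ("[global]\n  workgroup = WORKGROUP\n"
                   "[public]\n  path = /share/public\n  writable = yes\n  guest ok = yes\n")
SMBCONF_MITIGATED = ("[global]\n  workgroup = WORKGROUP\n  nt pipe support = no\n"
                     "[public]\n  path = /share/public\n  writable = yes\n")

if __name__ == "__main__":
    ver = installed_version()
    status = {True: "in affected range", False: "not affected", None: "unknown"}
    print("smbd:", ver or "not installed", "->", status[version_is_vulnerable(ver) if ver else None])
    for label, conf in (("exposed", SMBCONF_EXPOSED), ("mitigated", SMBCONF_MITIGATED)):
        print(f"{label}: workaround={has_pipe_workaround(conf)} guest-writable={guest_writable_shares(conf)}")
```

A version inside the affected range is a prompt to check the vendor's changelog, not proof of exploitability, because NAS firmware and distribution packages often backport the fix without changing the upstream version string. Conversely, a guest-writable share on a box that is reachable from the Internet is exactly the setup the attack needs, whatever the version string says.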