Free download of the eCh0raix/QNAPCrypt decryptor now available

The eCh0raix ransomware, also known as QNAPCrypt, is malware that encrypts QNAP NAS devices. To get in, it brute-forces weak credentials or exploits known vulnerabilities affecting several QNAP NAS models, such as the TS-251, QNAP TS-451, QNAP TS-459 Pro II or QNAP TS 253B, all of them exposed directly to the Internet without VPN protection or IP address filtering.

[Image: QNAPcrypt eCh0raix decryptor]

Researcher BloodDolly has released a decryption tool for the eCh0raix/QNAPCrypt ransomware to help victims decrypt, free of charge, the encrypted files on their QNAP NAS devices to which the malware has appended the “.encrypt” extension.

The decryptor developed by BloodDolly can be downloaded free of charge from this link; more information on the eCh0raix/QNAPCrypt ransomware and on free decryption with the decryptor can be found in the thread “eCh0raix Ransomware – QNAPCrypt (.encrypt) Support Topic” on BleepingComputer.

Note that the decryptor works for versions of the eCh0raix ransomware dating from before 19 July 2019. These can be recognised because the last line of the ransom note contains an 86-character string, whereas in later versions (which still cannot be decrypted) the last line of the ransom note contains a string of about 172 characters, as in the following example.

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://qkqkro6buaqoocv4.onion/order/1AWWnpB9vLbHBfKxGaFvuCg4jRNT8j6ss2
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!
<173-character string>

The ECh0raix decoder, now at version 1.0.2, can be used in several decryption modes. In any case, do not run the decryptor on the only available copy of the encrypted files: make a backup first and, where possible, attempt decryption on a separate system, ideally offline.

In short, the decryptor can decrypt using known keys (e.g. obtained from the criminals after paying the ransom) or recover them itself, either by comparing encrypted files that have well-known headers (e.g. Rar, 7z, pdf, rtf, png, jpg, etc.) or by using pairs of files for which both the encrypted and the unencrypted version are available.

[Image: ECh0raix Decryptor]

It is also possible to search recursively for all encrypted files inside folders and subfolders, including protected ones (which is why the tool must be run with Administrator privileges), so as to obtain a list that can then be used to speed up the decryption process.

Usage details for the ECh0raixDecoder decryptor are given in the “README.txt” file contained in the “ECh0raixDecoder.zip” archive; for convenience, the text of version 1.0.2 is reproduced below.

YOU ARE USING THIS TOOL AT YOUR OWN RISK.

Before you start to read this readme, please check if you have the latest version of ECh0raixDecoder package.
http://download.bleepingcomputer.com/BloodDolly/ECh0raixDecoder.zip
If you have any question you can contact me here:
http://www.bleepingcomputer.com/forums/index.php?app=members&module=messaging&section=send&do=form&fromMemberID=950574
1. Introduction
2. Quick guide
2.1 Decryption (Known key)
2.2 Decryption (Unknown key)
3. Listing encrypted files
4. Adding keys
4.1 Add keys
4.2 From ransom note
5. Recovering decryption key
5.1 Pair of encrypted and original file
5.2 Two encrypted files
5.3 Number of threads
===============
1. Introduction
ECh0raix Decoder is a tool for decryption of files encrypted by ECh0raix ransomware.
==============
2. Quick guide
2.1 Decryption (Offline keys)
I recommend backing up all the encrypted files before using this tool. The encryption process of ECh0raix ransomware is not fool proof and decrypted files can’t be 100% verified.
1. Run ECh0raixDecoder.exe as administrator (needed for hidden/system/personal folders)
2. Set the version of the encrypted files (to determine the version of the encrypted files you can try to decrypt one ECh0raix file bigger than 1024 bytes with version 1 set, check if the file was decrypted without errors and if it is working, and so on)
3. You can decrypt your files using one of the following features:
   3a. Decrypt Folder – It will decrypt encrypted files in the selected folder (I recommend using this option to test decryption)
   3b. Decrypt All – It will search for encrypted files on all FIXED and REMOTE drives and try to decrypt them
   3c. Decrypt List – It will decrypt encrypted files listed in the selected list file (read section 3)
4. See the log for more information (the path to the log file will be shown in the dialog)
5. In the case of failure or error please contact me.
2.1 Decryption (Known keys)
I recommend backing up all the encrypted files before using this tool.
1. Run ECh0raixDecoder.exe as administrator (needed for hidden/system/personal folders)
2. Click on the Add keys button
3. Copy/paste the key for your files (read section 4)
4. Click on the Add keys button
5. You can decrypt your files using one of the following features:
   5a. Decrypt Folder – It will decrypt encrypted files in the selected folder (I recommend using this option to test decryption)
   5b. Decrypt All – It will search for encrypted files on all FIXED and REMOTE drives and try to decrypt them
   5c. Decrypt List – It will decrypt encrypted files listed in the selected list file (read section 3)
6. See the log for more information (the path to the log file will be shown in the dialog)
7. In the case of failure or error please contact me.
2.2 Decryption (Unknown keys)
I recommend backing up all the encrypted files before using this tool.
1. Run ECh0raixDecoder.exe as administrator (needed for hidden/system/personal folders)
2. Click on the Find key button
3. Select the pair of encrypted and unencrypted versions of the same file, or two encrypted files, or a folder with encrypted files (read section 5)
4. If the key is found it is automatically added to the pool of keys
5. You can decrypt your files using one of the following features:
   5a. Decrypt Folder – It will decrypt encrypted files in the selected folder (I recommend using this option to test decryption)
   5b. Decrypt All – It will search for encrypted files on all FIXED and REMOTE drives and try to decrypt them
   5c. Decrypt List – It will decrypt encrypted files listed in the selected list file (read section 3)
6. See the log for more information (the path to the log file will be shown in the dialog)
7. In the case of failure or error please contact me.
==========================
3. Listing encrypted files
ECh0raix Decoder can search for encrypted files and create a list of found files. Single folder or all drives can be selected and then examined. When listing is performed, ECh0raix Decoder will check all files in the selected folder or on all mapped drives and try to find encrypted files by ECh0raix ransomware.
When the list file is created it can be used for decryption as a source of paths for decryption process.
A path can point to a single file or a folder. When the target location is a folder and the list file is used for decryption, all files in that folder are decrypted if possible.
Any unicode txt file with full paths on each line can be used as a list file.
Example:
C:\Dir\file.jpg.encrypt
C:\Dir2
D:\Dir3\Dir4\Dir5\file.jpg.encrypt
==============
4. Adding keys
4.1 Add keys
The decryption key is a 32-character string. You can add up to 1024 decryption keys to ECh0raix Decoder, but each key has to be on a separate line.
If you do not have the decryption key for your files, please read section 5 (Recovering decryption key).
4.2 From ransom note
If you have a valid RSA private key you can decrypt the decryption key from the ransom note. For decrypting the decryption key you need the last line from the ransom note or the ransom note file itself, and a valid RSA private key or any file that contains the RSA private key (for example a decryptor obtained from the attackers). If the decrypted key is valid it will be automatically added to the pool of loaded keys and can be used for decryption of encrypted files.
============================
5. Recovering decryption key
ECh0raix Decoder can recover decryption key for your encrypted files. The decryption key can be reconstructed from encrypted files with well known header or from a pair of both encrypted and original file or from a folder with several encrypted files.
5.1 Pair of encrypted and original file
If you have a pair of encrypted and unencrypted versions of the same file, please choose the 1st option and select the pair of files. The original file name is extracted from the encrypted file’s name to prevent choosing a different file.
5.2 Two encrypted files
In case you do not have original and encrypted version of the same file, you can select two encrypted files from different groups of known formats.
Supported groups of known formats:
Old office documents (doc, xls, ppt, dot, xla, wiz) {recommended to use it as 1st selected file}
New office documents (docx, xlsx, pptx) + zip archive (zip)
Rar archive (rar)
7z archive (7z)
PDF file (pdf)
RTF document (rtf)
PNG file (png)
JPG (jpg) {if possible avoid using this format as 1st file}
If the 1st file is selected from group Old office documents (for example .doc extension) it is not possible to select another file from this group as 2nd file.
5.3 Number of threads
Searching for the key runs in parallel, so this process can be split into “n” threads. It is recommended to select no more than the maximum number of threads – 1 (this value is predefined). Choosing more threads can halt the processor, make the computer unresponsive, or damage the processor if your cooling is not good enough.
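As an added helper (not BloodDolly’s code and not part of the original post), the following Python script automates the triage steps described above: checking the ransom-note version by the length of its last line, building the list file for “Decrypt List” (README section 3), matching encrypted files to unencrypted originals from a backup tree (5.1), and choosing two encrypted files from different known-format groups (5.2). The UTF-16 encoding of the list file is an assumption about what the README calls a “unicode txt file”.

```python
from pathlib import Path

ENC_SUFFIX = ".encrypt"
# Known-format groups from README section 5.2: the two files chosen for "Find key"
# must come from different groups (old office preferred as 1st file, jpg never 1st).
FORMAT_GROUPS = {
    "old_office": {"doc", "xls", "ppt", "dot", "xla", "wiz"},
    "new_office_zip": {"docx", "xlsx", "pptx", "zip"},
    "rar": {"rar"}, "7z": {"7z"}, "pdf": {"pdf"}, "rtf": {"rtf"},
    "png": {"png"}, "jpg": {"jpg"},
}

def note_version(ransom_note):
    """Triage by the last non-empty line: 86 characters marks the builds from before
    19 July 2019 that the decryptor supports, ~172 characters the later ones."""
    last = [line for line in ransom_note.splitlines() if line.strip()][-1]
    return "decryptable" if len(last) == 86 else "not-decryptable"

def original_name(enc_path):
    """file.jpg.encrypt -> file.jpg, the name the decoder derives (section 5.1)."""
    name = Path(enc_path).name
    return name[:-len(ENC_SUFFIX)] if name.endswith(ENC_SUFFIX) else None

def format_group(enc_path):
    ext = Path(original_name(enc_path) or "").suffix.lstrip(".").lower()
    return next((g for g, exts in FORMAT_GROUPS.items() if ext in exts), None)

def write_list_file(root, list_path, encoding="utf-16"):
    """Recursively collect *.encrypt files under root and write one absolute path per
    line (section 3). Assumption: 'unicode txt file' = Windows 'Unicode' (UTF-16 LE+BOM)."""
    found = sorted(p for p in Path(root).rglob("*" + ENC_SUFFIX) if p.is_file())
    Path(list_path).write_text("".join(f"{p.resolve()}\n" for p in found), encoding=encoding)
    return found

def find_pairs(encrypted, backup_files):
    """Pair each encrypted file with an unencrypted copy of the same name, e.g. from
    a backup tree, for the pair-of-files recovery mode (5.1)."""
    by_name = {Path(b).name: b for b in backup_files}
    return [(e, by_name[original_name(e)]) for e in encrypted if original_name(e) in by_name]

def pick_two(encrypted):
    """Choose two encrypted files from different known-format groups (5.2)."""
    first = {}
    for e in encrypted:
        g = format_group(e)
        if g and g not in first:
            first[g] = e
    if len(first) < 2:
        return None
    order = sorted(first, key=lambda g: (g != "old_office", g == "jpg", g))
    return first[order[0]], first[order[1]]
```

Run `write_list_file("/path/to/share", "list.txt")` on a copy of the affected share, then hand the list to “Decrypt List”; `pick_two` and `find_pairs` only suggest inputs for “Find key”, the decoder still does the recovery.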
