ech0raix

lucirau
lucirau Posts: 7  Freshman Member
First Comment Friend Collector
edited June 17 in Personal Cloud Storage

Two days ago, my Zyxel NAS326 was attack and all files are encrypted with ech0raix ransomware. Do you have any idea if there is a decryptor?

Best Answers

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member
    5 Answers First Comment Friend Collector Second Anniversary
    Answer ✓

    Search link: https://www.google.no/search?q=ech0raix+ransomware&newwindow=1

    I was initially going to suggest a few more links to pages where someone posted decryptor tools, but they ended up being either "page not found" or targeting router systems like QNAP or other.

    Not sure if people following this forum branch are familiar with this ransomware, but I am going to wish you all the best of luck anyway.

  • Cristih
    Cristih Posts: 2  Freshman Member
    First Answer First Comment Friend Collector
    Answer ✓

    I have same issues.Happend on 04.06.2024.I am also searching for a solution.How much is the hacker asking to decrypt?

  • Mikolaj_Gabrysiak
    edited June 16 Answer ✓
    My nas also was encrypted between 9-11/06/2024. Due to the new version of ech0raix
     (it creates txtt files with message about pay for decrypt).
    From my research, there is no way to decrypt file alone. 
    

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    I'm disappointed that Zyxel doesn't have any viable solutions, as does Europol and others.

    The problem with strong encryption is that it is, well, strong encryption. As long as no implementation errors are made, it is not possible to decrypt without having the decryption key. And that key is not stored on your NAS.

    I think ZyXEL has tried to stop it from the other side. When I look at the release notes of the last firmware update of the 326 (from May 10 2024), I see

    [SI-1545][Issue 3-2] Privilege escalation vulnerability 2
    [SI-1545][Issue 4] Remote code execution vulnerability
    [SI-1545][Issue 5] Arbitrary file upload and remote code execution vulnerability
    [SI-1545][Issue 6] Unauthenticated backdoor vulnerability
    [SI-1545][Issue 7] Weak password generation for privileged user vulnerability

    The looks like closing backdoor(s) which malware uses to come in. Unfortunately that SI-1545 seems to be an internal code. Google doesn't know where it refers to.

  • Cristih
    Cristih Posts: 2  Freshman Member
    First Answer First Comment Friend Collector
    Answer ✓

    The same amount are asking also from me. I opened TOR and wrote on chat but no answer from them.

  • LDS
    LDS Posts: 2
    First Answer First Comment
    Answer ✓

    Is still Zyxel no 1 in security?

    I have the same issues. Happened 5 days again.

    Regards from Romania

  • p0mian
    p0mian Posts: 3
    First Answer First Comment
    Answer ✓

    Same issue. Same date. All my photos encrypted. 90% restored from backup. Contacted with them on chat but dont want to lower the price

  • TomasMalina
    TomasMalina Posts: 35  Freshman Member
    First Answer First Comment Friend Collector Fourth Anniversary
    edited June 22 Answer ✓

    I've joined the club, NAS542, June 10-12, ransom is also 0.019 BTC. Given the same issues were discussed a few years ago among QNAP and Synology users, the case doesn't look very promising - allegedly, unless we're lucky to be encrypted by an old version (prior to June 2019), they haven't found any mistakes in the encryption. The only option seems to be to recover from backups. If your ransom note has a ".txtt" extension, that is the newer version. If you want to try luck with the old decryptor (don't delete the original encrypted files if you plan to wait for a potential decryptor in the future), search for a post by the user BloodDolly (link).

  • TomasMalina
    TomasMalina Posts: 35  Freshman Member
    First Answer First Comment Friend Collector Fourth Anniversary
    Answer ✓

    Just to check, what firmware version was everyone on when it happened? My NAS542 was ABAG.13 when it got attacked.

  • p0mian
    p0mian Posts: 3
    First Answer First Comment
    Answer ✓

    same

«134

All Replies

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member
    5 Answers First Comment Friend Collector Second Anniversary
    Answer ✓

    Search link: https://www.google.no/search?q=ech0raix+ransomware&newwindow=1

    I was initially going to suggest a few more links to pages where someone posted decryptor tools, but they ended up being either "page not found" or targeting router systems like QNAP or other.

    Not sure if people following this forum branch are familiar with this ransomware, but I am going to wish you all the best of luck anyway.

  • lucirau
    lucirau Posts: 7  Freshman Member
    First Comment Friend Collector

    I read a lot of information about this ransomware, I found only one decryptor and I will try it, but I'm not sure if it works 100%. I hope that Zyxel users have more information.

  • Cristih
    Cristih Posts: 2  Freshman Member
    First Answer First Comment Friend Collector
    Answer ✓

    I have same issues.Happend on 04.06.2024.I am also searching for a solution.How much is the hacker asking to decrypt?

  • Mikolaj_Gabrysiak
    edited June 16 Answer ✓
    My nas also was encrypted between 9-11/06/2024. Due to the new version of ech0raix
     (it creates txtt files with message about pay for decrypt).
    From my research, there is no way to decrypt file alone. 
    

  • lucirau
    lucirau Posts: 7  Freshman Member
    First Comment Friend Collector
  • lucirau
    lucirau Posts: 7  Freshman Member
    First Comment Friend Collector

    Same to me. Unfortunately, at the moment I don't have money for the redemption, I will try to collect them and maybe I will be able to pay later. I'm disappointed that Zyxel doesn't have any viable solutions, as does Europol and others.

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    I'm disappointed that Zyxel doesn't have any viable solutions, as does Europol and others.

    The problem with strong encryption is that it is, well, strong encryption. As long as no implementation errors are made, it is not possible to decrypt without having the decryption key. And that key is not stored on your NAS.

    I think ZyXEL has tried to stop it from the other side. When I look at the release notes of the last firmware update of the 326 (from May 10 2024), I see

    [SI-1545][Issue 3-2] Privilege escalation vulnerability 2
    [SI-1545][Issue 4] Remote code execution vulnerability
    [SI-1545][Issue 5] Arbitrary file upload and remote code execution vulnerability
    [SI-1545][Issue 6] Unauthenticated backdoor vulnerability
    [SI-1545][Issue 7] Weak password generation for privileged user vulnerability

    The looks like closing backdoor(s) which malware uses to come in. Unfortunately that SI-1545 seems to be an internal code. Google doesn't know where it refers to.

  • Cristih
    Cristih Posts: 2  Freshman Member
    First Answer First Comment Friend Collector
    Answer ✓

    The same amount are asking also from me. I opened TOR and wrote on chat but no answer from them.

  • LDS
    LDS Posts: 2
    First Answer First Comment
    Answer ✓

    Is still Zyxel no 1 in security?

    I have the same issues. Happened 5 days again.

    Regards from Romania

  • p0mian
    p0mian Posts: 3
    First Answer First Comment
    Answer ✓

    Same issue. Same date. All my photos encrypted. 90% restored from backup. Contacted with them on chat but dont want to lower the price

Consumer Product Help Center