A new ransomware family is using the SambaCry vulnerability that was patched in May to infect network-attached storage (NAS) devices, researchers have discovered.
Dubbed StorageCrypt, the ransomware demands between 0.4 and 2 Bitcoins ($5,000 to $25,000) from its victims for decrypting the affected files.
To infect NAS devices, StorageCrypt abuses the Linux Samba vulnerability known as SambaCry and tracked as CVE-2017-7494. Affecting devices from major vendors, the bug allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable share, and then causing the server to load that library.
The first attempt to abuse the vulnerability resulted in targeted systems being infected with a cryptocurrency miner. During summer, a piece of malware dubbed SHELLBIND started abusing the flaw to infect NAS devices.
StorageCrypt leverages the SambaCry in the same manner as SHELLBIND did, BleepingComputer’s Lawrence Abrams reveals. The attack relies on the exploit executing a command to download a file called sambacry, store it in the /tmp folder as apaceha, and then running it.
What the security researcher couldn’t yet determine is whether the executable is only used to install the ransomware or is also serves as a backdoor for future attacks.
Once StorageCrypt is up and running on the infected device, it encrypts and renames the files and appends the .locked extension to them. It also drops a ransom note containing the ransom amount, the attackers’ Bitcoin address, and email address [email protected].
The malware was also observed dropping two files on the infected NAS devices, namely Autorun.inf and 美女与野兽.exe (which reportedly translates to Beauty and the beast). The former file is meant to spread the Windows executable to the machines the folders on the NAS device are accessed from.
To stay protected from this ransomware or other malware abusing SambaCry, users are advised to apply the latest patches to ensure their devices aren’t vulnerable, as well as to disconnect NAS devices from the Internet. Setting up a firewall and using a VPN for secure access to the NAS should also be taken into consideration.
Related: Malware Targets NAS Devices Via SambaCry Exploit
Related: Web Hosting Provider Pays $1 Million to Ransomware Attackers