
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

StorageCrypt is a new family of ransomware that targets network-attached storage (NAS) devices using SambaCry.

SambaCry allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable network share, and then causing the server to load that library.

StorageCrypt uses SambaCry in the same way as ShellBind. Both download a file called sambacry to the /tmp folder as apaceha, and then run it.

StorageCrypt encrypts and renames files, appending the .locked extension to them, and then drops a ransom note containing the ransom amount, the attackers’ Bitcoin address and an email address.

The contact email address is given as:

[email protected]

Network communication is via:

hxxp://45.76.102.45/sambacry
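
The indicators named above (the apaceha file in /tmp, the .locked extension and the download host) can be swept for on a device or a mounted copy of its filesystem. The following is an added example, not code from the original article; the function names, the log format and the triage labels are assumptions, and the sample data in the demo is constructed.

```python
import os
import re

# Indicators taken from the article; everything else here is an assumption.
DROPPED_NAME = "apaceha"        # name the payload is saved under in /tmp
LOCKED_SUFFIX = ".locked"       # extension appended to encrypted files
DOWNLOAD_HOST = "45.76.102.45"  # host the payload is fetched from
# Match the address only as a whole dotted quad (not 145.76.102.45 or 45.76.102.450).
HOST_RE = re.compile(r"(?<![\d.])" + re.escape(DOWNLOAD_HOST) + r"(?!\d)(?!\.\d)")


def sweep(share_root, tmp_dir, log_lines):
    """Collect indicator hits from a share tree, the device's /tmp and log lines."""
    dropper = os.path.join(tmp_dir, DROPPED_NAME)
    locked = []
    for dirpath, _dirs, files in os.walk(share_root):  # does not follow symlinks
        locked += [os.path.join(dirpath, f) for f in files
                   if f.lower().endswith(LOCKED_SUFFIX)]
    return {
        "dropper": dropper if os.path.lexists(dropper) else None,
        "locked_files": sorted(locked),
        "host_log_lines": [n for n, line in enumerate(log_lines, 1)
                           if HOST_RE.search(line)],
    }


def triage(findings):
    """Rank the result: the dropper or a host contact outweighs .locked files alone."""
    if findings["dropper"] or findings["host_log_lines"]:
        return "likely-compromised"
    if findings["locked_files"]:
        return "suspicious"  # the extension is a weak signal on its own
    return "clean"


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: a fake share, a fake /tmp and two fake log lines.
    with tempfile.TemporaryDirectory() as base:
        share, tmp = os.path.join(base, "share"), os.path.join(base, "tmp")
        os.makedirs(os.path.join(share, "photos"))
        os.makedirs(tmp)
        open(os.path.join(share, "photos", "a.jpg.locked"), "w").close()
        open(os.path.join(tmp, DROPPED_NAME), "w").close()
        logs = ["GET http://45.76.102.45/sambacry 200",     # constructed
                "GET http://145.76.102.45/index.html 200"]  # constructed, must not match
        result = sweep(share, tmp, logs)
        print(triage(result), result)
```

A clean result does not show that the device is patched; it only means these three indicators were not found in the paths and logs that were checked.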

Affected Platforms

Network-Attached Storage (NAS) devices that use Samba from version 3.5.0 to versions 4.4.14, 4.5.10 and 4.6.4

Resolution

Administrators are encouraged to upgrade to a version of Samba that is not affected by the vulnerability.

As with all forms of zero-day malware, the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts, and permissions are always assigned based on least privilege.




Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
