Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

StorageCrypt Ransomware Targets NAS Devices via SambaCry Exploit

A new ransomware family is using the SambaCry vulnerability that was patched in May to infect network-attached storage (NAS) devices, researchers have discovered.

A new ransomware family is using the SambaCry vulnerability that was patched in May to infect network-attached storage (NAS) devices, researchers have discovered.

Dubbed StorageCrypt, the ransomware demands between 0.4 and 2 Bitcoins ($5,000 to $25,000) from its victims for decrypting the affected files.

To infect NAS devices, StorageCrypt abuses the Linux Samba vulnerability known as SambaCry and tracked as CVE-2017-7494. Affecting devices from major vendors, the bug allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable share, and then causing the server to load that library.

The first attempt to abuse the vulnerability resulted in targeted systems being infected with a cryptocurrency miner. During summer, a piece of malware dubbed SHELLBIND started abusing the flaw to infect NAS devices.

StorageCrypt leverages the SambaCry in the same manner as SHELLBIND did, BleepingComputer’s Lawrence Abrams reveals. The attack relies on the exploit executing a command to download a file called sambacry, store it in the /tmp folder as apaceha, and then running it.

What the security researcher couldn’t yet determine is whether the executable is only used to install the ransomware or is also serves as a backdoor for future attacks.

Once StorageCrypt is up and running on the infected device, it encrypts and renames the files and appends the .locked extension to them. It also drops a ransom note containing the ransom amount, the attackers’ Bitcoin address, and email address [email protected].

The malware was also observed dropping two files on the infected NAS devices, namely Autorun.inf and 美女与野兽.exe (which reportedly translates to Beauty and the beast). The former file is meant to spread the Windows executable to the machines the folders on the NAS device are accessed from.

Advertisement. Scroll to continue reading.

To stay protected from this ransomware or other malware abusing SambaCry, users are advised to apply the latest patches to ensure their devices aren’t vulnerable, as well as to disconnect NAS devices from the Internet. Setting up a firewall and using a VPN for secure access to the NAS should also be taken into consideration.

Related: Malware Targets NAS Devices Via SambaCry Exploit

Related: Web Hosting Provider Pays $1 Million to Ransomware Attackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.