I have a Thecus N8800Pro v2 NAS that has been hit with a ransomware apparently called Ech0raix. I have searched widely for any information I can find about it and it seems very vague. The version of Ech0raix I’ve encountered is new where decryption tools available do not apply. Fortunately I have a backup and will not pay the ransom.
My question or dilemma is that I cannot find the source or know what to look for to ensure the malware is eradicated. I don't know if this ransomware is new enough that information is not available or if I’m missing something in my searches. How can I be sure this will not begin encrypting again?
Here is what I know:
- the ransomware only encrypts doc, docx, xls, xlsx, pdf, and jpg type files.
- it has only (so far) encrypted my Linux-based NAS; no PCs that I am aware of in our company have been hit, and all are protected by KES 11.x
- KES registers all NAS files clean
- the ransomware leaves this file: README_FOR_DECRYPT.txtt which contains:
  All your data has been locked(crypted).
  How to unlock(decrypt) instruction located in this TOR website: http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion/order/1PbAi22vam4Lt1e3gn4sSLiQbRetPX2KYK
  Use TOR browser for access .onion websites.
Any help with this topic is greatly appreciated!