SPOT: Analyzing IoT Ransomware Attacks using Bare Metal NAS Devices

Hiroki Yasui, Takahiro Inoue, Takayuki Sasaki, Rui Tanabe, K. Yoshioka, Tsutomu Matsumoto
DOI: 10.1109/AsiaJCIS57030.2022.00013 (https://doi.org/10.1109/AsiaJCIS57030.2022.00013)
Published in: 2022 17th Asia Joint Conference on Information Security (AsiaJCIS)
Publication date: 2022-07-01
Publication type: Journal Article
Source platform: Semantic Scholar
Citation count: 0

Abstract

Ransomware attacks targeting Network Attached Storage (NAS) devices have shown a steady presence in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware, but its attack infrastructure and operation remain unrevealed. In this paper, we propose an attack observation system named SPOT, which uses popular bare metal NAS devices, QNAP, as honeypot and malware sandbox to conduct an in-depth analysis of the ransomware attacks. During the three-month observation with SPOT from September to November 2021, we observed, on average, 130 hosts per day accessing from the Internet that retrieve files in the storage and exploit the vulnerable services of the NAS devices, indicating that NAS devices are intensively targeted. Moreover, we obtained 39 eCh0raix samples from VirusTotal and executed them in the SPOT sandboxes. We identified six remote Onion proxy servers used to connect to the C&C server behind the TOR network to hide their locations. By redirecting the C&C connections to active proxy servers, we successfully observed two malware samples interacting with the C&C server, encrypting files in the infected NAS device, and leaving ransom notes. Two kinds of contact points for ransom payment were found in the ransom notes: instruction web pages and email addresses. While the email addresses were not reachable during the experiment, we could access the instruction website, which was hosted on the same TOR hidden service as the C&C server. We kept monitoring the instruction page, as it was created for each ransomware infection, and we even observed a "30% discount campaign" for ransom payments during a limited period. We observe that the degree of automation in the attack operation is much higher compared to tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.