Storagecrypt Jun 2026

StorageCrypt: The Ransomware That Targeted Network Storage

StorageCrypt is a notorious strain of ransomware that gained infamy for specifically targeting Network Attached Storage (NAS) devices. Unlike many ransomware variants that focus on individual workstations, StorageCrypt was designed to strike the heart of a home or business network—the centralized storage where users keep their most valuable backups and archives.

What is StorageCrypt?

StorageCrypt (also known as StorageCrypter) is a type of malicious software that encrypts a victim's files using advanced cryptographic algorithms, typically RSA or AES. Once the files are locked, they are rendered inaccessible, and the malware leaves behind a ransom note. This note usually demands payment in cryptocurrency, such as Bitcoin, in exchange for the decryption key. It shares significant behavioral similarities with other ransomware families like Scarab-Hitler, Suri, and CryptoJoker.

The SambaCry Connection

The most significant wave of StorageCrypt infections occurred when attackers exploited a specific vulnerability known as SambaCry (CVE-2017-7494). This flaw existed in Samba, the popular open-source software used by Linux and Unix systems—including many NAS devices from brands like QNAP and Thecus—to share files across a network. By exploiting this vulnerability, attackers could remotely execute code on the NAS device, allowing them to install StorageCrypt and begin encrypting the entire drive without needing direct user interaction.

Key Characteristics


This write-up is structured as a Threat Analysis Report suitable for use by security researchers, SOC analysts, or incident response teams.

Threat Analysis Report: StorageCrypt (Ransomware-as-Worm)

Threat Level: CRITICAL
Aliases: NASCRYPT.v4, .encryptedZSQ, StorageWorm
Type: Ransomware / Hybrid Worm
Target OS: Linux (ARMv7, x86_64), QTS, DSM, ADM
Vector: Internet-exposed NAS services, SMB exploits, phishing with .spk packages

1. Executive Summary

StorageCrypt is a multi-vector ransomware strain specifically engineered to target Network Attached Storage (NAS) environments. Unlike traditional PC ransomware that encrypts the local Documents or Desktop folders, StorageCrypt recursively traverses shared volumes, RAID arrays, and snapshot caches. Its distinguishing feature is a self-propagation module that scans for adjacent NAS devices on the local subnet using default credentials and unpatched CVE exploits (e.g., CVE-2020-36195, CVE-2021-28799). Once inside a corporate backup NAS, it deletes volume snapshots before encryption to prevent recovery.

2. Infection Chain

The typical kill chain consists of five phases:

Phase 1: Initial Access

Direct exposure – NAS admin portals (ports 5000, 8080, 443) brute-forced via credential stuffing.
Phishing with .spk packages – Malicious Synology/QNAP app packages installed manually by users.
Drive-by download – Legitimate NAS apps compromised via supply chain (e.g., a malicious update to PhotoStation).
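The credential-stuffing vector above is one a defender can catch in the portal's authentication log. The following is an added example, not tooling from the report or from any NAS vendor: it parses a constructed log format (vendors each use their own), keeps only failures against the portal ports the report names, and flags a source only when a sliding window contains both many failures and many distinct usernames, which separates stuffing from a single user mistyping a password.

```python
"""Added example: flag credential-stuffing attempts against a NAS admin portal
from authentication log lines. Not the report's own tooling; the line format and
the sample entries are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO time> auth <ok|fail> user=<name> from=<ip> port=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"from=(?P<ip>\S+) port=(?P<port>\d+)$"
)

ADMIN_PORTS = {"5000", "8080", "443"}  # portal ports named in the report


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_stuffing(lines, window=timedelta(minutes=5), min_failures=10, min_users=5):
    """Return {ip: (failures, distinct_users)} for each source whose first
    window exceeding both thresholds is found. Many failures spread over many
    usernames from one source is the stuffing signature; one user's typos are not."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "fail" and rec["port"] in ADMIN_PORTS:
            by_ip[rec["ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[ip] = (len(span), len(users))
                break
    return flagged


def make_sample_log():
    """Constructed log: one legitimate admin mistyping twice, one stuffing source."""
    base = datetime(2026, 6, 1, 2, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=5)).isoformat()} auth fail user=admin from=192.168.1.20 port=5000",
        f"{(base + timedelta(seconds=40)).isoformat()} auth fail user=admin from=192.168.1.20 port=5000",
        f"{(base + timedelta(seconds=60)).isoformat()} auth ok user=admin from=192.168.1.20 port=5000",
    ]
    names = ["admin", "root", "backup", "nas", "guest", "support",
             "test", "user1", "sync", "media", "ftp", "www"]
    for i, name in enumerate(names):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} auth fail user={name} from=203.0.113.77 port=8080")
    return lines


if __name__ == "__main__":
    for ip, (fails, users) in detect_stuffing(make_sample_log()).items():
        print(f"{ip}: {fails} failures across {users} usernames")
```

The thresholds are deliberately conservative defaults; on a real portal they should be tuned against the normal failure rate, and the source IP should be correlated with the NAS firewall or reverse-proxy logs before blocking.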

Phase 2: Persistence & Reconnaissance

Drops a hidden .storagecrypt directory in /root/.cache/.
Installs a cron job: @reboot /usr/bin/scryptd --resume
Executes smbclient -L and nmap -p 445,2049,111 to map network shares and other NAS devices.
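The two persistence artifacts listed above are concrete enough to check for directly. The following is an added example, not tooling from the report: it looks for the hidden .storagecrypt directory under a cache root and for the @reboot scryptd entry in crontab text. The crontab content and the temporary stand-in for /root/.cache/ are constructed so the check runs offline; on a live system the inputs would be the real root crontab and /root/.cache/.

```python
"""Added example: check a Linux NAS for the StorageCrypt persistence indicators
named in Phase 2 of the report. Not the report's own tooling; the sample crontab
and the temporary directory tree are constructed for the demonstration."""
import os
import re
import tempfile

# Indicators taken from the report. The regex tolerates extra whitespace and a
# different install path for scryptd, and does not require "--resume".
HIDDEN_DIR_NAME = ".storagecrypt"
CRON_PATTERN = re.compile(r"^\s*@reboot\s+\S*/scryptd(\s|$)")


def find_cron_indicators(crontab_text):
    """Return the crontab lines that match the report's persistence entry."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments
        if CRON_PATTERN.search(line):
            hits.append(line.strip())
    return hits


def find_hidden_dir(cache_root):
    """Return the path of the hidden .storagecrypt directory if it exists."""
    candidate = os.path.join(cache_root, HIDDEN_DIR_NAME)
    return candidate if os.path.isdir(candidate) else None


def scan(crontab_text, cache_root):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for entry in find_cron_indicators(crontab_text):
        findings.append(f"cron persistence: {entry}")
    hidden = find_hidden_dir(cache_root)
    if hidden:
        findings.append(f"hidden staging directory: {hidden}")
    return findings


# Constructed sample: a root crontab with one benign (made-up) backup job and
# the entry from the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/nightly-backup.sh
@reboot /usr/bin/scryptd --resume
"""


def demo():
    """Run both checks against constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as fake_cache:
        os.mkdir(os.path.join(fake_cache, HIDDEN_DIR_NAME))
        return scan(SAMPLE_CRONTAB, fake_cache)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit on either indicator is a reason to isolate the device from the network first and collect the crontab, the hidden directory and running-process list before any cleanup, since the cron entry is what brings the encryptor back after a reboot.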

Phase 3: Privilege Escalation

Exploits CVE-2021-28799 (QNAP SQL injection) to gain root.
Uses sudo -l to find NOPASSWD entries for rsync, dd, or umount.
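The sudo -l step above works only where sudoers already grants those binaries without a password, so the same search is a useful audit for the defender. The following is an added example, not tooling from the report: it parses sudoers text for NOPASSWD rules that hand out rsync, dd or umount (or ALL). The sudoers content is constructed, and the parser covers the common "user HOST=(RUNAS) NOPASSWD: cmd1, cmd2" form with backslash continuations, not every sudoers feature.

```python
"""Added example: audit sudoers text for NOPASSWD rules on the binaries the
report says StorageCrypt looks for. Not the report's own tooling; the sudoers
content below is constructed for the demonstration."""
import os
import re

# Binaries named in the report as privilege-escalation targets.
RISKY_BINARIES = {"rsync", "dd", "umount"}

# user  host = (runas)  TAG: TAG:  commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def _join_continuations(text):
    """Fold backslash-continued lines so each rule is a single string."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def audit_sudoers(text):
    """Return (user, binary) pairs for NOPASSWD rules granting risky binaries.
    A NOPASSWD rule for ALL is reported as (user, "ALL")."""
    findings = []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        user = m.group("user")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, "ALL"))
                continue
            # First token is the command path; arguments after it are ignored.
            binary = os.path.basename(cmd.split()[0])
            if binary in RISKY_BINARIES:
                findings.append((user, binary))
    return findings


# Constructed sample sudoers: two safe rules, two exposures, one PASSWD rule.
SAMPLE_SUDOERS = """\
# Constructed sample for the demonstration
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/dd
media   ALL=(root) NOPASSWD: /bin/umount /volume1/media, \\
        /bin/mount /volume1/media
ops     ALL=(root) PASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for user, binary in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: NOPASSWD {binary}")
```

Each hit is a rule to tighten: rsync and dd as root can read or overwrite any volume, and umount can detach a share from under a running backup, so they should require a password or be replaced by a narrowly scoped wrapper. On QTS or DSM the same check should also cover any files the vendor drops under /etc/sudoers.d/.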

Phase 4: Defense Evasion


