Threat Actor Profile
Description
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'The QNAPCrypt ransomware works similarly to other ransomware, '
'including encrypting all files and delivering a ransom note. '
'However, there are several important differences:1. The '
'ransom note was included solely as a text file, without any '
'message on the screen—naturally, because it is a server and '
'not an endpoint.2. Every victim is provided with a different, '
'unique Bitcoin wallet—this could help the attackers avoid '
'being traced.3. Once a victim is compromised, the malware '
'requests a wallet address and a public RSA key from the '
'command and control server (C&C) before file encryption.',
'firstseen': None,
'group': 'ech0raix',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': None,
'locations': [{'available': False,
'fqdn': 'veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion',
'slug': 'http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion',
'title': '404 page not found',
'type': 'DLS'},
{'available': False,
'fqdn': '7zvu7njrx7q734kvk435ntuf37gfll2pu46fmrfoweczwpk2rhp444yd.onion',
'slug': 'http://7zvu7njrx7q734kvk435ntuf37gfll2pu46fmrfoweczwpk2rhp444yd.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion',
'slug': 'http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion',
'title': '404 page not found',
'type': 'DLS'},
{'available': False,
'fqdn': '7zvu7njrx7q734kvk435ntuf37gfll2pu46fmrfoweczwpk2rhp444yd.onion',
'slug': 'http://7zvu7njrx7q734kvk435ntuf37gfll2pu46fmrfoweczwpk2rhp444yd.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'ech0raix',
'tools': {},
'url': 'https://www.ransomware.live/group/ech0raix',
'victims': 0,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/ech0raix',
'victims': 0,
'vulnerabilities': []}