Updated on 2022-10-21
The same Group-IB team also has a report out on Deadbolt, the ransomware that has been targeting QNAP NAS devices over the past few months.
Updated on 2022-10-19
A recent study by Group-IB revealed that the DeadBolt ransomware group targets NAS devices and demands ransoms from both the victim (0.03–0.05 BTC) and the vendor (10–50 BTC). Read more: DeadBolt ransomware: nothing but NASty
Updated on 2022-10-17: Police scam ransomware gang
Dutch police said they tricked the operators of the Deadbolt ransomware into handing over 155 decryption keys, which they are now making available so victims can recover their files for free. The scheme built on a finding by Dutch security firm Responders: the Deadbolt gang delivered the decryption key in the metadata of a Bitcoin transaction, sent automatically to the victim as soon as a ransom payment was seen. Dutch police made several payments, collected the decryption keys, and then immediately canceled the still-unconfirmed payment transactions before they could settle. Read more:
- Nederlandse gedupeerden geholpen in unieke ransomware-actie
- Do you have a Bitcoin address or an Encrypted Deadbolt file?
Together with @Politie we were able to snatch 155 DEADBOLT decryption keys for FREE! Use our website to check if your key is amongst them.
You can do the check via the associated Bitcoin address or upload an encrypted file. https://t.co/UWOgV7RupT
— Responders (@RespondersBV) October 14, 2022
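How the key hand-off described above works at the byte level, as an added example (not code from the original post, the Dutch police or Responders): a Bitcoin transaction carries arbitrary data in an OP_RETURN output, which is assumed here to be the "metadata" the article refers to. The block builds a constructed, unsigned transaction with a made-up key in that output, parses the key back out, and includes the settlement check (at least one confirmation) that the gang's automated payment system evidently skipped, since a payment that has not yet confirmed can still be replaced or dropped.

```python
"""Reading a decryption key out of Bitcoin transaction metadata.

Added example for this write-up; not code from the original post, the Dutch
police or Responders. Assumptions: the 'metadata' is an OP_RETURN output (the
standard carrier for arbitrary data in a Bitcoin transaction) holding the raw
key bytes. The transaction built below is constructed, unsigned and unbroadcast.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

# Constructed 32-byte stand-in for a decryption key; not a real DeadBolt key.
SAMPLE_KEY = b"EXAMPLE-KEY-NOT-REAL-0123456789A"


def read_varint(buf: bytes, pos: int):
    """Decode Bitcoin's CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    """Encode n as a CompactSize integer."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _pushed_data(script: bytes) -> bytes:
    """Return the bytes pushed by the single opcode that follows OP_RETURN."""
    if not script:
        return b""
    op = script[0]
    if 1 <= op <= 0x4B:                      # direct push of 1..75 bytes
        return script[1:1 + op]
    if op == OP_PUSHDATA1:                   # one-byte length prefix
        return script[2:2 + script[1]]
    if op == OP_PUSHDATA2:                   # two-byte length prefix
        n = struct.unpack_from("<H", script, 1)[0]
        return script[3:3 + n]
    return b""  # OP_PUSHDATA4 does not occur in standard (<= 80-byte) OP_RETURN outputs


def op_return_payloads(raw_tx: bytes) -> list:
    """Walk a legacy-serialized transaction and return every OP_RETURN payload."""
    pos = 4                                  # version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4                        # previous txid + output index
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4                # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                             # value in satoshis
        script_len, pos = read_varint(raw_tx, pos)
        script = raw_tx[pos:pos + script_len]
        pos += script_len
        if script and script[0] == OP_RETURN:
            payloads.append(_pushed_data(script[1:]))
    return payloads


def build_op_return_tx(payload: bytes) -> bytes:
    """Serialize a minimal unsigned legacy tx whose only output is OP_RETURN <payload>.

    Constructed for this example: the input spends a zero txid with an empty
    scriptSig, so the transaction can never be valid on the network.
    """
    if len(payload) <= 0x4B:
        push = bytes([len(payload)]) + payload
    else:
        push = bytes([OP_PUSHDATA1, len(payload)]) + payload
    script = bytes([OP_RETURN]) + push
    tx = struct.pack("<I", 1)                                      # version
    tx += encode_varint(1) + b"\x00" * 32 + struct.pack("<I", 0)   # one input
    tx += encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)         # empty scriptSig, sequence
    tx += encode_varint(1) + struct.pack("<Q", 0)                  # one output, value 0
    tx += encode_varint(len(script)) + script                      # OP_RETURN script
    tx += struct.pack("<I", 0)                                     # locktime
    return tx


def payment_settled(confirmations: int, min_confirmations: int = 1) -> bool:
    """A transaction still in the mempool (0 confirmations) can be replaced or
    dropped; releasing a key before this returns True is what the police exploited."""
    return confirmations >= min_confirmations


if __name__ == "__main__":
    raw = build_op_return_tx(SAMPLE_KEY)
    print("raw tx:", raw.hex())
    for key in op_return_payloads(raw):
        print("key in OP_RETURN:", key.decode())
    print("safe to act on a 0-confirmation payment:", payment_settled(0))
```

The parser handles legacy serialization only; a real transaction from the gang's wallet may use the segwit format (marker and flag bytes after the version), in which case the witness data has to be skipped as well. The lesson generalizes to any automated service that triggers on a payment: treat a mempool transaction as a promise, not as money received.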
Updated on 2022-10-16
The Dutch National Police were able to obtain the decryption keys for DeadBolt ransomware and restore victims’ data by faking ransom payments to the hackers’ wallet. Read more: Dutch Police Trick DeadBolt Hackers into Giving Away 150 Decryption Keys
Updated on September 2022: Deadbolt Ransomware Campaign Targeting QNAP Devices
QNAP has released an advisory warning that it has become aware of a Deadbolt ransomware campaign targeting some of its products. Specifically, “the campaign appears to target QNAP NAS devices running Photo Station with internet exposure.” QNAP has released updates to address the issue, and reminds users that “QNAP NAS should not be directly connected to the Internet.”
- Deadbolt has been an ongoing issue for exposed storage devices. It is important to note that this and similar ransomware have affected not just QNAP devices, but QNAP has been more open in warning users and implementing specific protections to fight this ransomware. The ransomware typically does not exploit specific vulnerabilities in the storage device’s firmware, but instead exploits configuration issues like weak passwords. And please do not expose these devices to the Internet!
- Don’t expose NAS directly to the Internet, or indirectly via port forwarding. Religiously update the firmware and any applications installed, make sure there are no unknown accounts, accounts have strong passwords, and make sure that you have backups.
Read more in
- Take immediate action to update Photo Station to the latest available version
- DeadBolt Ransomware
- QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw
Updated on June 2022: QNAP warns NAS users of high-severity vulnerability that could lead to code execution
QNAP released a patch for a high-severity vulnerability in some of its network-attached storage devices that could allow an attacker to execute code remotely on the targeted device. The vulnerability, identified as CVE-2019-11043, exists in PHP’s FastCGI Process Manager (PHP-FPM): an attacker could manipulate FPM into writing data outside the bounds of an allocated buffer, opening the door to remote code execution. The issue had been known for nearly three years, but only recently became realistic to exploit. The company recommends users update to the latest firmware for their storage box to fix this issue. QNAP devices have faced a stretch of cyber attacks, also recently being targeted by the Deadbolt ransomware gang.
Read more in
Cybersecurity firm Trend Micro published a technical analysis of DeadBolt, a ransomware strain that appeared last year and has been targeting NAS devices. The ransomware uses two ransom notes, one for the infected users and a second for the NAS vendor. If users pay the ransom, they can decrypt their files, and if NAS vendors pay the ransom, they receive a master key to unlock all of their attacked customers. However, Trend Micro said that based on its analysis, only 8% of NAS users ever paid a ransom, while a code analysis found that there is no evidence to suggest that decryption via a master key is even possible.
Updated on May 2022: Deadbolt attacks
Last week, QNAP warned of new attacks carried out with the Deadbolt ransomware. In a blog post over the weekend, IoT search engine Censys said it had already detected more than 500 infected QNAP NAS devices that were part of these recent attacks. The ZoomEye search engine puts that number at around 3,500.
New Deadbolt ransomware attacks
Taiwanese IoT maker QNAP published a security alert on Thursday warning of a new wave of attacks using the Deadbolt ransomware against its network-attached storage (NAS) devices. The company said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series.
Updated on February 2022: QNAP Pushes Out NAS Firmware Update
QNAP has pushed out a firmware update for a vulnerability in its network-attached storage (NAS) devices that is being targeted by DeadBolt ransomware operators. Although QNAP released the update in late December 2021, not all users had applied it.
- Yet again, network storage devices are affected by ransomware. In response to this recurring problem, QNAP started to “push” firmware updates to users who had automatic updates enabled. An interesting side effect of the update was that it may have removed ransomware from devices, preventing recovery for users who had paid for the decryption key (or intended to do so). Never ever, ever expose your NAS to the Internet. It will get compromised and yes, you will lose all your data.
- Because NAS remains a top target for attackers, you need to aggressively keep them updated and regularly verify security settings, user lists, and application lists, removing unneeded or unrecognized items.
Read more in
- Descriptions and Explanations of the QTS / QuTS hero “Recommended Version” Feature
- QNAP users still struggling with Deadbolt ransomware after forced firmware updates
- QNAP force-installs update after DeadBolt ransomware hits 3,600 devices
Overview: DeadBolt Ransomware Targets QNAP NAS Devices
QNAP is urging customers to take steps to protect their network-attached storage (NAS) devices from the DeadBolt ransomware. In a statement, the company writes, “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.” The DeadBolt ransomware began targeting Internet-connected QNAP NAS devices on January 25.
I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50tb of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start. pic.twitter.com/E8ZkyIbdfp
— Lex Fridman (@lexfridman) January 27, 2022
- The cost of a cloud hosted file service is going to be less than rebuilding your NAS if compromised with DeadBolt or other ransomware. If you’re still exposing your NAS to the Internet, make sure to disable remote system administration, make sure your router is not port forwarding the NAS admin services to the Internet and disable the UPnP Port Forwarding on your device. Make sure you’ve updated to the latest firmware. Make sure you have multiple disconnected backups of your NAS.
- I first ran into a ransomware gang that hit a Windows Server through exposed RDP and quickly pivoted to encrypting a Synology NAS. The prevalence of this type of gear in small businesses or Prosumer (Pro-Consumer) makes these types of attacks both easy and destructive. Most of the gear is not configured with strong passwords or authentication mechanisms, and the management interfaces are generally on the same network as the standard workstation equipment. I am surprised we do not see more of this.
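One way to verify the port-forwarding advice in the two comments above (the router not forwarding NAS admin services, UPnP port forwarding disabled), as an added example that is not QNAP’s code or the commenters’ own: enumerate the router’s UPnP port mappings with the IGD WANIPConnection GetGenericPortMappingEntry action and flag any that forward Internet traffic to the NAS’s management ports. A NAS with UPnP enabled opens these mappings silently, which is exactly how an “internal” admin interface ends up reachable from the Internet. The SOAP responses below are constructed for this example; NAS_IP, ROUTER_CONTROL_URL and the port set (8080 and 443 as QNAP’s default web admin ports, plus SSH on 22) are assumptions.

```python
"""Flag router UPnP port mappings that expose a NAS management interface.

Added example; not QNAP's code or the commenters' own. It parses the
GetGenericPortMappingEntry responses of a UPnP IGD WANIPConnection service.
Assumptions: NAS_IP, ROUTER_CONTROL_URL and the port set (8080/443 as QNAP's
default web admin ports, 22 for SSH). SAMPLE_RESPONSES are constructed here.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
NAS_IP = "192.168.1.50"                     # assumed LAN address of the NAS
NAS_ADMIN_PORTS = {8080, 443, 22}           # assumed: QNAP web admin + SSH
ROUTER_CONTROL_URL = "http://192.168.1.1:49000/igdupnp/control/WANIPConn1"  # assumed

REQUEST = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="{ns}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:GetGenericPortMappingEntry xmlns:u="{svc}">'
    "<NewPortMappingIndex>{index}</NewPortMappingIndex>"
    "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
)

RESPONSE = (
    '<s:Envelope xmlns:s="{ns}"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="{svc}">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)

# Constructed router answers: a NAS web-admin forward, a torrent client, a disabled SSH forward.
SAMPLE_RESPONSES = [
    RESPONSE.format(ns=SOAP_NS, svc=SERVICE, ext=8080, internal=8080, client=NAS_IP, enabled=1, desc="NAS"),
    RESPONSE.format(ns=SOAP_NS, svc=SERVICE, ext=51413, internal=51413, client="192.168.1.60", enabled=1, desc="torrent"),
    RESPONSE.format(ns=SOAP_NS, svc=SERVICE, ext=2222, internal=22, client=NAS_IP, enabled=0, desc="ssh"),
]


def build_request(index: int) -> bytes:
    """SOAP body asking the router for mapping table entry number `index`."""
    return REQUEST.format(ns=SOAP_NS, svc=SERVICE, index=index).encode()


def parse_mapping(xml_text: str) -> dict:
    """Extract one port-mapping entry from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    resp = next(root.iter("{%s}GetGenericPortMappingEntryResponse" % SERVICE), None)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    f = {child.tag: (child.text or "").strip() for child in resp}  # argument elements carry no namespace
    return {
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_port": int(f["NewInternalPort"]),
        "internal_client": f["NewInternalClient"],
        "enabled": f.get("NewEnabled") == "1",
        "description": f.get("NewPortMappingDescription", ""),
    }


def flag_nas_exposure(mappings, nas_ip=NAS_IP, admin_ports=NAS_ADMIN_PORTS):
    """Return the enabled mappings that forward Internet traffic to a NAS admin port."""
    return [m for m in mappings
            if m["enabled"] and m["internal_client"] == nas_ip and m["internal_port"] in admin_ports]


def fetch_mappings(control_url: str, max_entries: int = 64) -> list:
    """Walk the router's mapping table (network call; not exercised in this example).

    Routers answer a SOAP fault (HTTP 500, SpecifiedArrayIndexInvalid) once the
    index runs past the last entry, which ends the walk.
    """
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE}
    mappings = []
    for index in range(max_entries):
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read().decode()))
        except urllib.error.HTTPError:
            break
    return mappings


if __name__ == "__main__":
    for m in flag_nas_exposure([parse_mapping(x) for x in SAMPLE_RESPONSES]):
        print("EXPOSED: WAN:%d -> %s:%d (%s)" % (m["external_port"], m["internal_client"],
                                                 m["internal_port"], m["description"]))
    # Against a real router: flag_nas_exposure(fetch_mappings(ROUTER_CONTROL_URL))
```

The control URL comes from the router’s UPnP device description (discovered over SSDP); it differs per vendor, so the value above is a placeholder. A clean result from this check is necessary but not sufficient: a static port-forward configured by hand on the router does not show up in the UPnP table, so the router’s own forwarding page still needs a look, and the disconnected backups the comment asks for are what actually survive a compromise.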
Read more in
- Take Immediate Actions to Stop Your NAS from Exposing to the Internet, and Fight Against Ransomware Together
- Targeted ransomware takes aim at QNAP NAS drives, warns vendor: Get your updates done pronto
- QNAP warns of new DeadBolt ransomware encrypting NAS devices
- New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key
- QNAP warns NAS users of DeadBolt ransomware, urges customers to update