Skip to Content

Deadbolt ransomware attacks

Updated on 2022-10-21

The same Group-IB team also has a report out on Deadbolt, the ransomware that has been targeting QNAP NAS devices over the past few months.

Updated on 2022-10-19

A recent study by Group-IB revealed that the DeadBolt ransomware group is targeting NAS devices and asks both the victim and the vendor to pay ransoms of 0.03–0.05 BTC and 10–50 BTC, respectively. Read more: DeadBolt ransomware: nothing but NASty

Updated on 2022-10-17: Police scam ransomware gang

Dutch police said they successfully swindled the operators of the Deadbolt ransomware out of 155 decryption keys that they are now making available to victims so they can recover their files for free. Authorities said they were able to pull off their scheme after Dutch security firm Responders found that the Deadbolt gang was storing the decryption key inside the metadata of a Bitcoin transaction that gets revealed to victims when they make a payment. Using this trick, Dutch police made several payments to the Deadbolt gang, received the decryption keys, and then immediately canceled the transaction, which they are now making publicly available for past victims. Read more:

Updated on 2022-10-16

The Dutch National police was able to obtain the decryption keys for DeadBolt ransomware and restore victims’ data by faking ransom payments to the hackers’ wallet. Read more: Dutch Police Trick DeadBolt Hackers into Giving Away 150 Decryption Keys

Updated on September 2022: Deadbolt Ransomware Campaign Targeting QNAP Devices

QNAP has released an advisory warning that it has become aware of a Deadbolt ransomware campaign targeting some of its products. Specifically, “the campaign appears to target QNAP NAS devices running Photo Station with internet exposure.” QNAP has released updates to address the issue, and reminds users that “QNAP NAS should not be directly connected to the Internet.”


  • Deadbolt has been an ongoing issue for exposed storage devices. It is important to note that this and similar ransomware has affected not just QNAP devices, but QNAP has been more open in warning users and implementing specific protections to fight this ransomware. The ransomware typically does not exploit specific vulnerabilities in the storage device’s firmware, but instead exploits configuration issues like weak passwords. And please do not expose these devices to the Internet!
  • Don’t expose NAS directly to the Internet, or indirectly via port forwarding. Religiously update the firmware and any applications installed, make sure there are no unknown accounts, accounts have strong passwords, and make sure that you have backups.


Updated on June 2022: QNAP warns NAS users of high-severity vulnerability that could lead to code execution

QNAP released a patch for a high-severity vulnerability in some of its network-attached storage devices that could allow an attacker to execute remote code on the targeted device. The vulnerability, identified as CVE-2019-11043, exists in PHP and the FastCGI Process Manager. An attacker could manipulate FPM to write data over an allocated buffer and open the door for remote code. This issue had been known for nearly three years, but only recently became realistic to exploit. The company recommends users update to the latest firmware for their storage box to fix this issue. QNAP devices have faced a stretch of cyber attacks, also recently being targeted by the Deadbolt ransomware gang.



Cybersecurity firm Trend Micro published a technical analysis of DeadBolt, a ransomware strain that appeared last year and has been targeting NAS devices. The ransomware uses two ransom notes, one for the infected users and a second for the NAS vendor. If users pay the ransom, they can decrypt their files, and if NAS vendors pay the ransom, they receive a master key to unlock all of their attacked customers. However, Trend Micro said that based on its analysis, only 8% of NAS users ever paid a ransom, while a code analysis found that there is no evidence to suggest that decryption via a master key is even possible.

Updated on May 2022: Deadbolt attacks

Last week, QNAP warned of new attacks carried out with the Deadbolt ransomware. In a blog post over the weekend, IoT search engine Censys said it had already detected more than 500 infected QNAP NAS devices part of these recent attacks. That number is around 3,500 in the ZoomEye search engine.

New Deadbolt ransomware attacks

Taiwanese IoT maker QNAP published a security alert on Thursday warning of a new wave of attacks using the Deadbolt ransomware against its network-attached storage (NAS) devices. The company said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series.

Updated on February 2022: QNAP Pushes Out NAS Firmware Update

QNAP has pushed out a firmware update for a vulnerability in kits network-attached storage (NAS) devices that is being targeted by DeadBolt ransomware operators. Although QNAP released the update in late December 2021, not all users had applied it.


  • Yet again, network storage devices are affected by ransomware. In response to this recurring problem, QNAP started to “push” firmware updates to users who had automatic updates enabled. An interesting side effect of the update was that it may have removed ransomware from devices, preventing recovery for users who had paid for the decryption key (or intended to do so). Never ever, ever expose your NAS to the Internet. It will get compromised and yes, you will lose all your data.
  • Because NAS remains a top target for attackers, you need to aggressively keep them updated and regularly verify security settings, user lists, and application lists, removing unneeded or unrecognized items.


Overview: DeadBolt Ransomware Targets QNAP NAS Devices

QNAP is urging customers to take steps to protect their network-attached storage (NAS) devices from the DeadBolt ransomware. In a statement, the company writes, “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.” The DeadBolt ransomware began targeting Internet-connected QNAP NAS devices on January 25.


  • The cost of a cloud hosted file service is going to be less than rebuilding your NAS if compromised with DeadBolt or other ransomware. If you’re still exposing your NAS to the Internet, make sure to disable remote system administration, make sure your router is not port forwarding the NAS admin services to the Internet and disable the UPnP Port Forwarding on your device. Make sure you’ve updated to the latest firmware. Make sure you have multiple disconnected backups of your NAS.
  • I first ran into a ransomware gang that hit a Windows Server through exposed RDP and quickly pivoted to encrypting a Synology NAS. The prevalence of this type of gear in small businesses or Prosumer (Pro-Consumer) makes these types of attacks both easy and destructive. Most of the gear is not configured with strong passwords or authentication mechanisms, and the management interfaces are generally on the same network as the standard workstation equipment. I am surprised we do not see more of this.


    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on