While ASUSTOR has not explained how the NAS devices are being encrypted, some ASUSTOR owners believe that it is a vulnerability in the PLEX media server or EZ Connect that allows access to their devices.
ASUSTOR states that they are investigating the attacks and have provided the following statement:
In response to Deadbolt ransomware attacks affecting ASUSTOR devices, the myasustor.com DDNS service will be disabled as the issue is investigated. ASUSTOR will release more information with new developments as we investigate and review the causes to ensure this does not happen again. We remain committed to helping affected customers in every way possible. For your protection, we recommend the following measures:
- Change default ports, including the default NAS web access ports of 8000 and 8001, as well as remote web access ports of 80 and 443.
- Disable EZ Connect.
- Close Plex Ports and disable Plex.
- Make an immediate backup.
- Turn off Terminal/SSH and SFTP services.
Most importantly, do not expose your ASUSTOR device to the Internet to avoid being encrypted by DeadBolt.
If DeadBolt has already infected your device, unplug the Ethernet cable and force-shut down your NAS device by holding the power button for three seconds.
Do not attempt to reboot the NAS, as this will erase all files. Instead, use this contact form to request instructions from ASUSTOR technicians on how to recover your files.
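One way to confirm that the port and service measures listed above took effect on your own NAS, as an added example that is not part of ASUSTOR's statement or the original article: it attempts a TCP connection to each default port the statement names and lists the ones that still answer. Port 22 for SSH/SFTP and port 32400 for Plex are assumed defaults not given on the page, and 192.0.2.10 is a placeholder address.

```python
import socket
import sys

# Ports 8000, 8001, 80 and 443 come from the advisory text.
# Ports 22 and 32400 are assumptions (standard SSH/SFTP and Plex defaults).
ADVISORY_PORTS = {
    8000: "NAS web access still on default port",
    8001: "NAS web access still on default port",
    80: "remote web access still on default port",
    443: "remote web access still on default port",
    22: "Terminal/SSH or SFTP still enabled (assumed port)",
    32400: "Plex still reachable (assumed port)",
}


def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(host, ports=ADVISORY_PORTS, timeout=1.0):
    """Return {port: finding} for each listed port that accepts connections."""
    return {p: why for p, why in ports.items() if is_open(host, p, timeout)}


def report(host, findings):
    """Format the audit result as a short checklist."""
    if not findings:
        return f"{host}: none of the advisory ports accept connections"
    lines = [f"{host}: {len(findings)} item(s) still to fix"]
    lines += [f"  tcp/{p}: {why}" for p, why in sorted(findings.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder address; pass your NAS address as the first argument.
    nas = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(nas, audit(nas)))
```

Run from inside the LAN, an empty result means the services are off or moved; to check Internet exposure, run it from outside your network against your public address.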
It is unclear if all ASUSTOR devices are vulnerable to DeadBolt attacks, but reports indicate that the AS6602T, AS-6210T-4K, AS5304T, AS6102T, and AS5304T models are unaffected.
Unfortunately, there is no way to recover files encrypted by the DeadBolt ransomware for free, and many affected QNAP users were forced to pay the ransom to recover files.