DeadBolt ransomware now targets ASUSTOR devices, asks 50 BTC for master key


Level 61
Thread author
Top poster
Content Creator
Apr 24, 2016
The DeadBolt ransomware is now targeting ASUSTOR NAS devices by encrypting files and demanding a $1,150 ransom in bitcoins.

This wave of attacks was first reported on Reddit and the BleepingComputer forums, and soon after, on the ASUSTOR forums.

Similar to the DeadBolt ransomware attacks that targeted QNAP NAS devices last month, the threat actors claim to be using a zero-day vulnerability to encrypt ASUSTOR NAS devices.
While ASUSTOR has not explained how the NAS devices are being encrypted, some ASUSTOR owners believe that it is a vulnerability in the PLEX media server or EZ Connect that allows access to their devices.

ASUSTOR states that they are investigating the attacks and have provided the following statement:

In response to Deadbolt ransomware attacks affecting ASUSTOR devices, the DDNS service will be disabled as the issue is investigated. ASUSTOR will release more information with new developments as we investigate and review the causes to ensure this does not happen again. We remain committed to helping affected customers in every way possible. For your protection, we recommend the following measures:
Change default ports, including the default NAS web access ports of 8000 and 8001, as well as remote web access ports of 80 and 443.
  • Disable EZ Connect.
  • Close Plex Ports and disable Plex.
  • Make an immediate backup.
  • Turn off Terminal/SSH and SFTP services.
Most importantly, do not expose your ASUSTOR device to the Internet to avoid being encrypted by DeadBolt.

If DeadBolt has already infected your device, unplug the Ethernet cable and force-shut down your NAS device by holding the power button for three seconds.

Do not attempt to reboot the NAS, as this will erase all files. Instead, use this contact form to request instructions from ASUSTOR technicians on how to recover your files.

It is unclear if all ASUSTOR devices are vulnerable to DeadBolt attacks, but reports indicate that the AS6602T, AS-6210T-4K, AS5304T, AS6102T, and AS5304T models are unaffected.

Unfortunately, there is no way to recover files encrypted by the DeadBolt ransomware for free, and many affected QNAP users were forced to pay the ransom to recover files.
Based on last month's analysis of the ransomware by BleepingConputer, DeadBolt is a Linux malware that uses a template for the ransom note that can be substituted for any vendor, as shown below:

This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor ({VENDOR_NAME}).

Therefore, we will likely see attacks against other NAS manufacturers in the future.