DeadBolt ransomware targets QNAP devices, QNAP force-updates firmware

[LASER_oneXM]

Content source

https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software.
The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension.

Instead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen stating, "WARNING: Your files have been locked by DeadBolt," as shown in the image below.
... ...

BleepingComputer is aware of at least fifteen victims of the new DeadBolt ransomware attack, with no specific region being targeted.

As with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.
As the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users disconnect their devices from the Internet and place them behind a firewall.

With QNAP owners being targeted by ongoing attacks from two other ransomware families known as Qlocker and eCh0raix, all owners should follow these steps to prevent future attacks.
BleepingComputer has created a DeadBolt ransomware support topic that can be used to discuss the attacks and potentially receive help from other QNAP owners.

 

[LASER_oneXM]

QNAP force-installs update after DeadBolt ransomware hits 3,600 devices

QNAP force-updated customer's Network Attached Storage (NAS) devices with firmware containing the latest security updates to protect against the DeadBolt ransomware, which has already encrypted over 3,600 devices.

www.bleepingcomputer.com

QNAP force-updated customer's Network Attached Storage (NAS) devices with firmware containing the latest security updates to protect against the DeadBolt ransomware, which has already encrypted over 3,600 devices.

On Tuesday, BleepingComputer reported on a new ransomware operation named DeadBolt that was encrypting Internet-exposed QNAP NAS devices worldwide.

The threat actor claims to be using a zero-day vulnerability to hack QNAP devices and encrypt files using the DeadBolt ransomware, which appends the .deadbolt extension to file names.

QNAP owners and IT admins told BleepingComputer that QNAP forced this firmware update on devices even if automatic updates were disabled.

However, this update did not go off without a hitch, as some owners found that their iSCSI connections to the devices no longer worked after the update.

"Just thought I would give everyone a heads-up. A couple of our QNAPS lost ISCSI connection last night. After a day of tinkering and pulling our hair out we finally found it was because of the update. It has not done it for all of the QNAPs we manage but we finally found the resolution," a QNAP owner said on Reddit.

 

[LASER_oneXM]

QNAP users still struggling with Deadbolt ransomware after forced firmware updates

Censys said about 4,000 devices are still infected with Deadbolt ransomware.

www.zdnet.com

btw: I'm a QNAP customer. Currently running a tiny TS-253be (2 bay).

"Later that day, QNAP took more drastic action and force-updated the firmware for all customers' NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021," MalwareBytes explained.

"As you might expect after a forced update, a number of unexpected side-effects arose... The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update."

Even with the update, at least one user confirmed getting hit with Deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer.

Recorded Future ransomware expert Allan Liska said this kind of specialty ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month.

Decryptor issues​

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned.

Unfortunately, Emsisoft's decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators.

Deadbolt's ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it "is not a personal attack." They offered to give QNAP a universal decryptor for 50 BTC.

 

[upnorth]

 

[LASER_oneXM]

QNAP: DeadBolt ransomware exploits a bug patched in December

Taiwan-based network-attached storage (NAS) maker QNAP urges customers to enable firmware auto-updating on their devices to defend against active attacks.

www.bleepingcomputer.com

QNAP told BleepingComputer that they forced-installed this update as they believe the threat actors are using the remote code execution vulnerability fixed in the 5.0.0.1891 firmware version and mentioned in today's announcement.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

• QTS 5.0.0.1891 build 20211221 and later
• QTS 4.5.4.1892 build 20211223 and later
• QuTS hero h5.0.0.1892 build 20211222 and later
• QuTS hero h4.5.4.1892 build 20211223 and later
• QuTScloud c5.0.0.1919 build 20220119 and later

However, a customer said in the QNAP forum that they were encrypted even when they had this firmware version installed, indicating that the threat actors are likely exploiting a different vulnerability.

Including the DeadBolt ransomware alert, QNAP issued three warnings in the last 12 months to alert customers of ransomware attacks targeting their Internet-exposed NAS devices.
QNAP previously warned rusers of AgeLocker ransomware attacks in April and eCh0raix ransomware attacks in May.