DeadBolt ransomware targets QNAP devices, QNAP force-updates firmware

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software.
The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension.

Instead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen stating, "WARNING: Your files have been locked by DeadBolt," as shown in the image below.
... ...


BleepingComputer is aware of at least fifteen victims of the new DeadBolt ransomware attack, with no specific region being targeted.

As with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.
As the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users disconnect their devices from the Internet and place them behind a firewall.

With QNAP owners being targeted by ongoing attacks from two other ransomware families known as Qlocker and eCh0raix, all owners should follow these steps to prevent future attacks.
BleepingComputer has created a DeadBolt ransomware support topic that can be used to discuss the attacks and potentially receive help from other QNAP owners.
 

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
QNAP force-updated customer's Network Attached Storage (NAS) devices with firmware containing the latest security updates to protect against the DeadBolt ransomware, which has already encrypted over 3,600 devices.

On Tuesday, BleepingComputer reported on a new ransomware operation named DeadBolt that was encrypting Internet-exposed QNAP NAS devices worldwide.
The threat actor claims to be using a zero-day vulnerability to hack QNAP devices and encrypt files using the DeadBolt ransomware, which appends the .deadbolt extension to file names.

QNAP owners and IT admins told BleepingComputer that QNAP forced this firmware update on devices even if automatic updates were disabled.

However, this update did not go off without a hitch, as some owners found that their iSCSI connections to the devices no longer worked after the update.

"Just thought I would give everyone a heads-up. A couple of our QNAPS lost ISCSI connection last night. After a day of tinkering and pulling our hair out we finally found it was because of the update. It has not done it for all of the QNAPs we manage but we finally found the resolution," a QNAP owner said on Reddit.
 

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520

btw: I'm a QNAP customer. Currently running a tiny TS-253be (2 bay).

"Later that day, QNAP took more drastic action and force-updated the firmware for all customers' NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021," MalwareBytes explained.

"As you might expect after a forced update, a number of unexpected side-effects arose... The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update."

Even with the update, at least one user confirmed getting hit with Deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer.

Recorded Future ransomware expert Allan Liska said this kind of specialty ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month.

Decryptor issues

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned.

Unfortunately, Emsisoft's decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators.

Deadbolt's ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it "is not a personal attack." They offered to give QNAP a universal decryptor for 50 BTC.
 

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520

QNAP told BleepingComputer that they forced-installed this update as they believe the threat actors are using the remote code execution vulnerability fixed in the 5.0.0.1891 firmware version and mentioned in today's announcement.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later
However, a customer said in the QNAP forum that they were encrypted even when they had this firmware version installed, indicating that the threat actors are likely exploiting a different vulnerability.

Including the DeadBolt ransomware alert, QNAP issued three warnings in the last 12 months to alert customers of ransomware attacks targeting their Internet-exposed NAS devices.
QNAP previously warned rusers of AgeLocker ransomware attacks in April and eCh0raix ransomware attacks in May.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top