Do you happen to know whether the QNAP in question was up to date on its patches and which services and ports it was exposing to the Interwebz?
[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- New here
- Posts: 9
- Joined: Fri Oct 08, 2021 7:08 pm
- OneCD
- Guru
- Posts: 12038
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [Ransomware] .deadbolt Jan 25th, 2022
Hi and welcome to the forum.
Excellent questions.
-
- Starting out
- Posts: 16
- Joined: Tue Jan 22, 2019 8:17 pm
Re: Deadbolt ransomware
This has just happened to me.
I thought 2 factor authentication would be enough for me.
Obviously QNAP are to blame.
I am not at all savvy to this problem though and don't know what to do.
Luckily I have not found any files that are encrypted though. But I cannot access the QNAP OS and get the same deadbolt screen as above, and I can access the NAS over local Ethernet.
Will I be able to reinstall the system files without wiping the system?
Thanks for any advice.
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Deadbolt ransomware
Said it many times .. disabling admin account, strong passwords, 2FA are ALL smoke and mirrors, as QNAP's programming is not secure enough and is all bypassed by exploits ...
You will have to clean all drives and check your startup file for infections .. nothing will be left
-
- Starting out
- Posts: 16
- Joined: Tue Jan 22, 2019 8:17 pm
Re: Deadbolt ransomware
I had already done all that. And funnily enough I don't read all your posts!
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Deadbolt ransomware
You had already done all what ? .. All the stuff that is smoke and mirrors and does not help ? ..
read some of these posts .. same procedure to get rid of the malware (kill everything)
viewtopic.php?f=45&t=160849
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Deadbolt ransomware
Bold by me. I am not convinced of that stance anymore. My past diggings into QTS and its apps left me gobsmacked when I realized just what could be done. I'm talking about silently modifying the DOM image level of possibilities.
Part of the problem is that QNAP makes all sorts of quiet outbound requests too. So even if in-bound port forwarding is disabled, QNAP NASes make all sort of outbound requests.
That is one of the reasons why I removed the QNAP Malware Remover and I have black-holed (using PiHole) as many QNAP IP address ranges as I can. No more phone home for my QNAP NASes, QNAP's home is just too insecure.
RAID is not a Back-up!
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: [Ransomware] .deadbolt Jan 25th, 2022
Bob Zelin wrote: ↑Wed Jan 26, 2022 5:27 am
just saw this today. This unfortunately is real. I did a Google search on .deadbolt, and cannot find anything on it. But my client just got it. 2 Factor Authentication did not prevent this.
I hope to God that this is not a true Zero Day virus, but just another variation of QLocker. If you are reading this, I would pull your QNAP off the internet for now.
Bob Zelin
2 Factor Authentication is utterly useless for QNAP when their OS is just a dumpster fire of vulnerabilities. QNAP's use of 2 Factor auth is nothing more than attempting to put a lot of lipstick on an already very ugly pig. 2 Factor auth is ideal for use in a corporate environment as a means of helping to ensure access is limited to authorized personnel and nothing more. 2 Factor auth should be considered or used as a foundational security measure.
In the context of QNAP, basically, 2 Factor auth keeps the honest people honest and does little to impede the dishonest.
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Deadbolt ransomware
I have been saying this for years, but you'll find there are some QNAP fanbois here that will always blame the user, because the user believed the deceitful marketing employed by QNAP.
Will I be able to reinstall the system files without wiping the system?
Probably not, it would be best to completely wipe the system and re-install. I would even recommend performing a firmware recovery first before reinstalling the system.
https://wiki.qnap.com/wiki/Firmware_Recovery
Unfortunately QNAP has never published a SHA checksum of their recovery images, so there is no way to really confirm with any level of certainty if the images on their download sites have been modified with malware or not.
QNAP just fails at so many basic levels of software and information security. Shm.
Last edited by jaysona on Wed Jan 26, 2022 7:07 am, edited 1 time in total.
-
- Starting out
- Posts: 11
- Joined: Wed Jan 26, 2022 5:59 am
Re: Deadbolt ransomware
Wouldn't it be more reliable (don't have to deal with IP's) to just deny the QNAP from accessing the Internet on your router? This was our solution to get rid of the chatter.
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Deadbolt ransomware
You quoted the wrong person here, but you can isolate the QNAP on the router, yes .. it might complain about DNS/internet connectivity issues, but you can switch that off.
-
- Starting out
- Posts: 11
- Joined: Wed Jan 26, 2022 5:59 am
Re: Deadbolt ransomware
Oops, sorry about that! Quote within a quote threw me off. Yes, it did complain quite a bit when I disabled it, works just fine though.
If you don't use VLANs you could also set the default gateway and DNS to 0.0.0.0 on the QNAP, then it would only have access to the local LAN.
Last edited by darcon on Wed Jan 26, 2022 7:10 am, edited 3 times in total.
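The posts above suggest cutting the NAS off from the Internet at the router (or with a 0.0.0.0 gateway) and note that the NAS then "complains" about DNS. One way to confirm the isolation is actually holding is to scan the router's firewall log for outbound attempts from the NAS to non-LAN addresses. This is an added example, not code from anyone in the thread; it assumes iptables-style LOG lines, a constructed NAS address of 192.168.1.50, and constructed TEST-NET destinations.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format an iptables LOG target emits.
# 192.168.1.50 is the assumed LAN address of the NAS (not from the thread);
# the destinations are documentation (TEST-NET) addresses, also constructed.
SAMPLE_LOG = """\
Jan 26 07:10:01 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 PROTO=UDP SPT=50123 DPT=53
Jan 26 07:10:02 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443
Jan 26 07:10:03 router kernel: LAN-ACCEPT IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=445 DPT=51000
Jan 26 07:10:04 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443
Jan 26 07:10:05 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=443
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# "LAN" here means the RFC 1918 ranges; anything else is treated as Internet-bound.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return a dict of the SRC/DST/PROTO/DPT fields, or None if SRC/DST are missing."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields

def is_lan(addr):
    """True when the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def nas_egress_attempts(log_text, nas_ip):
    """Outbound (non-LAN) attempts originating from the NAS, as (dst, proto, dport) tuples."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["SRC"] != nas_ip or is_lan(f["DST"]):
            continue
        hits.append((f["DST"], f.get("PROTO", "?"), f.get("DPT", "?")))
    return hits

def summarize(hits):
    """Count attempts per (dst, proto, dport); a pile of DPT=53 entries is the NAS 'complaining'."""
    return Counter(hits)

if __name__ == "__main__":
    for key, n in summarize(nas_egress_attempts(SAMPLE_LOG, "192.168.1.50")).most_common():
        print(f"{n:3d}x {key[0]} {key[1]}/{key[2]}")
```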
-
- New here
- Posts: 8
- Joined: Mon Sep 04, 2017 3:05 pm
Re: Deadbolt ransomware
My NAS is infected as well. 10 years of work are gone.
I unfortunately cannot afford to pay 1.000 EUR/1.100 USD to get the encryption key.
And I am pretty sure QNAP won't pay the 50 Bitcoins to get the master encryption key for all affected users.
I have taken my NAS off the internet and shut it down, because the malware hasn't finished its work. I was able to follow its progress and shutting everything down seemed like the only option to stop it from progressing.
Besides that I noticed a system message saying that the RAID started to mirror to other drives.
Does that mean that I probably do have a chance to recover my files from other RAID drives that haven't been updated until now?
How would I have to proceed?
Is there a way to stop the mirroring of the disks other than shutting the system down?
Hope someone can help me to recover the files.
Best regards
Bacardi Man
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Deadbolt ransomware
It would, but the systems in question run custom software and the software is regularly accessed from the Internet. Since the QNAP QTS Operating Environment and its associated apps are the real goo here, I just keep them isolated. The apps were written starting in 2007, and I have no desire to port them to something else, because I know that if I started that exercise, I'd probably re-write them from scratch, and I just don't have the time or inclination to do so.
The apps themselves are of no real concern for me, since the apps required hardware token based auth before any other functions can be accessed.
No hardware based authentication certificate, no access.