[RANSOMWARE] >>READ 1st Post<< Deadbolt

brycem
New here
Posts: 9
Joined: Fri Oct 08, 2021 7:08 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by brycem »

Bob Zelin wrote: Wed Jan 26, 2022 5:27 am my client just got it. 2 Factor Authentication did not prevent this.
Do you happen to know whether the QNAP in question was up to date on its patches and which services and ports it was exposing to the Interwebz?
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by OneCD »

Hi and welcome to the forum. :)
brycem wrote: Wed Jan 26, 2022 5:54 am
Bob Zelin wrote: Wed Jan 26, 2022 5:27 am my client just got it. 2 Factor Authentication did not prevent this.
Do you happen to know whether the QNAP in question was up to date on its patches and which services and ports it was exposing to the Interwebz?
Excellent questions.

remainz
Starting out
Posts: 16
Joined: Tue Jan 22, 2019 8:17 pm

Re: Deadbolt ransomware

Post by remainz »

This has just happened to me.
I thought 2 factor authentication would be enough for me.
Obviously QNAP are to blame.

I am not at all savvy to this problem though and don't know what to do.
Luckily I have not found any files that are encrypted though. But I cannot access the QNAP OS and get the same deadbolt screen as above and I can access the NAS over local Ethernet.

Will I be able to reinstall the system files without wiping the system?


thanks for any advice
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

Said it many times .. disabling admin account, strong passwords, 2FA are ALL smoke and mirrors, as QNAP's programming is not secure enough and is all bypassed by exploits ...

You will have to clean all drives and check your startup file for infections .. nothing will be left
remainz
Starting out
Posts: 16
Joined: Tue Jan 22, 2019 8:17 pm

Re: Deadbolt ransomware

Post by remainz »

I had already done all that. And funnily enough I don't read all your posts!
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

You had already done all what ? .. All the stuff that is smoke and mirrors and does not help ? ..

read some of these posts .. same procedure to get rid of the malware (kill everything)

viewtopic.php?f=45&t=160849
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Deadbolt ransomware

Post by jaysona »

dolbyman wrote: Wed Jan 26, 2022 5:15 am ... if you do not expose services, you have no issues
Bold by me. I am not convinced of that stance anymore. My past diggings into QTS and its apps left me gobsmacked when I realized just what could be done. I'm talking about silently modifying the DOM image level of possibilities. :shock:

Part of the problem is that QNAP makes all sorts of quiet outbound requests too. So even if in-bound port forwarding is disabled, QNAP NASes make all sort of outbound requests.

That is one of the reasons why I removed the QNAP Malware Remover and I have black-holed (using PiHole) as many QNAP IP address ranges as I can. No more phone home for my QNAP NASes, QNAP's home is just too insecure.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by jaysona »

Bob Zelin wrote: Wed Jan 26, 2022 5:27 am just saw this today. This unfortunately is real. I did a Google search on .deadbolt, and cannot find anything on it. But my client just got it. 2 Factor Authentication did not prevent this.

I hope to God that this is not a true Zero Day virus, but just another variation of QLocker. If you are reading this, I would pull your QNAP off the internet for now.
Bob Zelin
2 Factor Authentication is utterly useless for QNAP when their OS is just a dumpster fire of vulnerabilities. QNAP's use of 2 Factor auth is nothing more than attempting to put a lot of lipstick on an already very ugly pig. 2 Factor auth is ideal for use in a corporate environment as a means of helping to ensure access is limited to authorized personnel and nothing more. 2 Factor auth should be considered or used as a foundational security measure.

In the context of QNAP, basically, 2 Factor auth keeps the honest people honest and does little to impede the dishonest.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Deadbolt ransomware

Post by jaysona »

remainz wrote: Wed Jan 26, 2022 5:58 am ...
Obviously QNAP are to blame.
I have been saying this for years, but you'll find there are some QNAP fanbois here that will always blame the user, because the user believed the deceitful marketing employed by QNAP.
Will I be able to reinstall the system files without wiping the system?
Probably not, it would be best to completely wipe the system and re-install. I would even recommend performing a firmware recovery first before reinstalling the system.
https://wiki.qnap.com/wiki/Firmware_Recovery

Unfortunately QNAP has never published a SHA checksum of their recovery images, so there is no way to really confirm with any level of certainty if the images on their download sites have been modified with malware or not.

QNAP just fails at so many basic levels of software and information security. Smh.
Last edited by jaysona on Wed Jan 26, 2022 7:07 am, edited 1 time in total.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: Deadbolt ransomware

Post by darcon »

dolbyman wrote: Wed Jan 26, 2022 5:15 am
That is one of the reasons why I removed the QNAP Malware Remover and I have black-holed (using PiHole) as many QNAP IP address ranges as I can. No more phone home for my QNAP NASes, QNAP's home is just too insecure.
Wouldn't it be more reliable (don't have to deal with IP's) to just deny the QNAP from accessing the Internet on your router? This was our solution to get rid of the chatter.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

you quoted the wrong person here, but you can isolate the QNAP on router, yes .. it might complain about DNS/internet connectivity issues, but you can switch that off.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: Deadbolt ransomware

Post by darcon »

dolbyman wrote: Wed Jan 26, 2022 6:52 am you quoted the wrong person here, but you can isolate the QNAP on router, yes .. it might complain about DNS/internet connectivity issues, but you can switch that off.
Oops, sorry about that! Quote within a quote threw me off. Yes, it did complain quite a bit when I disabled it, works just fine though.

If you don't use VLANs you could also set the default gateway and DNS to 0.0.0.0 on the QNAP, then it would only have access to the local LAN.
Last edited by darcon on Wed Jan 26, 2022 7:10 am, edited 3 times in total.
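To confirm that a router deny rule of the kind darcon and dolbyman describe is actually catching the NAS's outbound chatter, here is an added example (not code from any poster or from QNAP) that summarises iptables-style LOG lines from the router per destination and port. The NAS address 192.168.1.50, the rule log prefix NAS-EGRESS-DROP and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Constructed router firewall log lines (iptables LOG target format, not taken
# from any real device). The hypothetical rule prefix NAS-EGRESS-DROP marks
# packets from the NAS that the router refused to forward to the WAN.
SAMPLE_LOG = """\
Jan 26 06:52:01 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=443
Jan 26 06:52:03 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41235 DPT=443
Jan 26 06:52:09 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=51000 DPT=53
Jan 26 06:53:30 router kernel: NAS-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.25 PROTO=TCP SPT=41240 DPT=80
Jan 26 06:53:31 router kernel: LAN-ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=443
"""

# Fields emitted by the iptables LOG target that matter for an egress audit.
LOG_RE = re.compile(
    r"(?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)?(?: DPT=(?P<dpt>\d+))?"
)


def parse_drops(log_text, nas_ip, prefix="NAS-EGRESS-DROP"):
    """Return one (dst, proto, dport) record per blocked packet the NAS sent."""
    drops = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("prefix") != prefix or m.group("src") != nas_ip:
            continue
        drops.append((m.group("dst"), m.group("proto"), m.group("dpt") or "-"))
    return drops


def summarize(drops):
    """Count attempts per (destination, protocol, port) so the noisiest
    phone-home endpoints stand out."""
    return Counter(drops)


def report(log_text, nas_ip):
    """Human-readable lines, busiest endpoint first."""
    counts = summarize(parse_drops(log_text, nas_ip))
    return [f"{dst} {proto}/{dpt}: {n} attempt(s)"
            for (dst, proto, dpt), n in counts.most_common()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "192.168.1.50"):
        print(line)
```

Any endpoint that shows up here after the gateway/DNS change is a connection the NAS still tries to make on its own; the matching DROP counter on the router should climb in step with it.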
BacardiMan
New here
Posts: 8
Joined: Mon Sep 04, 2017 3:05 pm

Re: Deadbolt ransomware

Post by BacardiMan »

My NAS is infected as well. 10 years of work are gone. :cry:
I unfortunately can not afford to pay 1.000 EUR/1.100 USD to get the encryption key.
And I am pretty sure QNAP won't pay the 50 Bitcoins to get the master-encryption key for all affected users.


I have taken my NAS from the internet and shut it down, because the malware hasn't finished its work. I was able to follow its progress and shutting everything down seemed like the only option to stop it from progressing.
Besides that I noticed a system message saying that the RAID started to mirror to other drives.

Does that mean that I probably do have chance to recover my files from other raid drives, that haven't been updated until now?
How would I have to proceed?
Is there a way to stop the mirroring of the disks other than shutting the system down?

Hope someone can help me to recover the files.

Best regards
Bacardi Man
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Deadbolt ransomware

Post by jaysona »

darcon wrote: Wed Jan 26, 2022 6:47 am Wouldn't it be more reliable (don't have to deal with IP's) to just deny the QNAP from accessing the Internet on your router? This was our solution to get rid of the chatter.
It would, but the systems in question run custom software and the software is regularly accessed from the Internet. Since the QNAP QTS Operating Environment and its associated apps are the real goo here, I just keep them isolated. The apps were written starting in 2007, and I have no desire to port them to something else, because I know that if I started that exercise, I'd probably re-write them from scratch, and I just don't have the time or inclination to do so.

The apps themselves are of no real concern for me, since the apps require hardware token based auth before any other functions can be accessed.

No hardware based authentication certificate, no access.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: Deadbolt ransomware

Post by darcon »

jaysona wrote: Wed Jan 26, 2022 7:11 am It would, but the systems in question run custom software and the software is regularly accessed from the Internet.
Ahh ok, I gotcha. I feel your pain with home grown legacy software.