[RANSOMWARE] >>READ 1st Post<< Deadbolt

[Vogstar]

So If you even pay the ransome how do you get the key there is no email attached to the request.

[dolbyman]

apparently the key is part of the blockchain transaction that you get a reply to the payment

https://www.reddit.com/r/sysadmin/comme ... &context=3

[nadim23@hotmail.com]

Deadbolt_QNAP.JPG

This also happened to me today...
I will contact QNAP and SEAGate to see what can I do but I'm fAngry

[Vogstar]

I have no choice but to pay. I’ll let you guys know what happens

[dolbyman]

Deadbolt_QNAP.JPGThis also happened to me today...
I will contact QNAP and SEAGate to see what can I do but I'm fAngry

where does seagate come into play here ?

[jaysona]

Deadbolt_QNAP.JPGThis also happened to me today...
I will contact QNAP and SEAGate to see what can I do but I'm fAngry

Da.mn! It looks like this malware replaces some of the QNAP web-admin page too. Clearly some thought and sophistication were out in to this one.

I wonder if the malware has its own thttpd server? I almost wish I had a spare sacrificial NAS just to explore the code.

[jaysona]

For those that found this thread via search engine, but do not have a forum account, here are the images reference on the first page of this thread.

Apparent message to QNAP Inc. from DEADBOLT



Ransomware message displayed on compromised NAS.

[skaox]

I don't know why but the little b@stard didn't had time to crypt anything.

If you want to have access to your NAS just connect to ssh with admin account (or root if you have Entware-alt installed and admin disabled) :

cd /home/httpd/
mv index.html index.html_deadlock
mv index.html.bak index.html

Now you can access again to the administration panel

The index.html start like that :

#!/bin/sh
echo "Content-Type: text/html"
echo ""
get_value () {
echo "$1" | awk -F "${2}=" '{ print $2 }' | awk -F '&' '{ print $1 }'
}
not_running() { echo '{"status":"not_running"}'; exit; }

PID_FILENAME=/tmp/deadbolt.pid
STATUS_FILENAME=/tmp/deadbolt.status
FINISH_FILENAME=/tmp/deadbolt.finish
TOOL=/mnt/HDA_ROOT/27855
CRYPTDIR=/share

In process list you should have a few (5-6) process related to /mnt/HDA_ROOT/27855 -> kill them
I've launched a scan with Malware Remover but nothing was found.
I didn't reboot the NAS for the moment and I'm searching if there is more.

When opening QuLog Center you will have a message :
You must configure the destination volume for storing logs before enabling this feature.
Go to Log Settings to configure the destination volume of the event logs.

In Log Settings, Event and Access Log Destination will be empty.

I can't rename, delete or move 27855 (ELF packed with UPX) and nothing in /etc/config/crontab.

To be continue

[okenny]

What is the consensus.....Is it good enough to disable port forwarding, disable qnap cloud and disable upnp?
Do I need to place the NAS on a VLAN without any WAN access too? I was hesitant to do this, as it's a pain in the a to run the NAS on a separate VLAN.

I am going to start building a freenas server I think, I'm sick of this.

[pofjybkh]

I don't know why but the little b@stard didn't had time to crypt anything.

If you want to have access to your NAS just connect to ssh with admin account (or root if you have Entware-alt installed and admin disabled) :

cd /home/httpd/
mv index.html index.html_deadlock
mv index.html.bak index.html

Now you can access again to the administration panel

The index.html start like that :

#!/bin/sh
echo "Content-Type: text/html"
echo ""
get_value () {
echo "$1" | awk -F "${2}=" '{ print $2 }' | awk -F '&' '{ print $1 }'
}
not_running() { echo '{"status":"not_running"}'; exit; }

PID_FILENAME=/tmp/deadbolt.pid
STATUS_FILENAME=/tmp/deadbolt.status
FINISH_FILENAME=/tmp/deadbolt.finish
TOOL=/mnt/HDA_ROOT/27855
CRYPTDIR=/share

In process list you should have a few (5-6) process related to /mnt/HDA_ROOT/27855 -> kill them
I've launched a scan with Malware Remover but nothing was found.
I didn't reboot the NAS for the moment and I'm searching if there is more.

When opening QuLog Center you will have a message :
You must configure the destination volume for storing logs before enabling this feature.
Go to Log Settings to configure the destination volume of the event logs.

In Log Settings, Event and Access Log Destination will be empty.

I can't rename, delete or move 27855 (ELF packed with UPX) and nothing in /etc/config/crontab.

To be continue

Mine was called 31888 (so the name is random), but I compared the content of mine with yours and they are identical.

Also, if it helps with your investigation, the initial payload seems to come from /mnt/HDA_ROOT/update_pkg/SDDPd.bin (this name might also be random), which writes the index.html, but neither of them actually starts the encryption process, so that's still unclear.

I powered-off mine as soon as I noticed, so I only lost a few files, but this way I lost the option of doing the 7z log trick.
I'll power it on again tomorrow with only one of the disks in and maybe the process will start again...

[luckydekko]

I just found out a few hours ago that I have this Deadbolt encryption, and honestly thought it was a joke. I have no idea where to start with this and from what I have read it sounds like logging in an trying to salvage is above my paygrade. Did Qnap ever pay one of these? It seems like there's definitely a problem with the software and I am surprised I haven't seen much about this online.

Is there a simple way to login? I keep seeing ssh but not sure the steps, is there a write up on this?

Do they have access to files or does this just encrypt it?

[Chadw1701a]

My qnap has also been infected. Only one volume was encrypted though so I shut it down and pulled the other drives for now. What a mess

[dolbyman]

As the system is on all disks, don't be too sure that these are safe when plugged back into a NAS, the ransomware might start right back up and use the next available volume

[Chadw1701a]

As the system is on all disks, don't be too sure that these are safe when plugged back into a NAS, the ransomware might start right back up and use the next available volume

Ugh. So much data lost. I did reboot without the other drives and so far the deadbolt script isn't running as far as I can tell. Nope, it did replace the index.html file again. The encryption script doesn't seem to be running though.

[brycem]

What is the consensus.....Is it good enough to disable port forwarding, disable qnap cloud and disable upnp?
Do I need to place the NAS on a VLAN without any WAN access too? I was hesitant to do this, as it's a pain in the a to run the NAS on a separate VLAN.

I am going to start building a freenas server I think, I'm sick of this.

I haven't seen any kind of analysis of Deadbolt yet - We don't yet know it affects fully patched machines and is in fact a 0-day as they claim. We don't yet know the attack vector. We don't yet know if it infects the DOM nor whether a factory reset can clear it, nor whether any further rootkits have been opportunistically squirreled away elsewhere on your LAN. We haven't yet even seen any reports that dealing with these terrorists (sending the mofos their requested 0.03 BTC) even results in the receipt of a key to decrypt the data.

Disable port-forwards and UPnP should be considered a bare minimum at this point.