[RANSOMWARE] >>READ 1st Post<< Deadbolt

remainz
Starting out
Posts: 16
Joined: Tue Jan 22, 2019 8:17 pm

Re: [RANSOMWARE] Deadbolt

Post by remainz »

When I run

$ kill 11943*
-sh: kill: (11943) - Operation not permitted
Am I not admin because I logged in as admin?
chumbo
Know my way around
Posts: 130
Joined: Sun May 03, 2020 8:43 pm

Re: [RANSOMWARE] Deadbolt

Post by chumbo »

dolbyman wrote: Wed Jan 26, 2022 11:02 pm So you actually believe QNAP is gonna pay 2 million bucks ransom?...riiight
I didn't say I believe they will, I said I hope they will, because it's the right and fair thing to do (or else quickly provide a patch that unlocks all the files).
And with the attitude that it's so unlikely for them to do so, you are only encouraging that very outcome. ("Well if nobody believes we would do it, why should we?" kind of thing).
Better be righteous than incredulous.
Last edited by chumbo on Thu Jan 27, 2022 5:27 am, edited 1 time in total.
QNAP TS-251+ 8Gb, Windows 10 x64.
I'm a total noob when it comes to networking and security so please address me as if I were your grandmother
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

You cannot "patch" encrypted files back to the way they were...

Just remove the drives, hope for a miracle and set up your NAS from scratch with empty drives .. anything else is fairy tales and lies.

btw .. you were warned a while ago .. and you ignored the warning
viewtopic.php?f=21&t=154832
Hulli
Starting out
Posts: 49
Joined: Thu Mar 28, 2013 9:56 pm

Re: [RANSOMWARE] Deadbolt

Post by Hulli »

remainz wrote: Wed Jan 26, 2022 11:33 pm When I run

$ kill 11943*
-sh: kill: (11943) - Operation not permitted
Am I not admin because I logged in as admin?
Try this

kill -9 11943
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

alexhjones wrote: Wed Jan 26, 2022 9:34 pm Official QNAP news release on Deadbolt: https://www.qnap.com/en/security-news/2 ... e-together
The only thing they did is that they took the January 7th statement (that probably was an attempt to mitigate the effects of the QLocker2 campaign though they never spelled that out) and mentioned Deadbolt by name.

Oh yes, they also tell us that we now "Fight Against Ransomware Together". :-0 That may backfire as it could be perceived as an attempt to shift some responsibility away from the company... :S

If you didn't read and follow the January 7th statement and are now a victim of Deadbolt, it's useless information. It's of course good that they do that if there are any exposed systems that are still unaffected by Deadbolt but as usual when it comes to security with Qnap, it's far too late. This time at least two years too late.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

chumbo wrote: Thu Jan 27, 2022 12:06 am I didn't say I believe they will, I said I hope they will, because it's the right and fair thing to do...
It may be fair to the affected customers but it's not the right thing to do. Paying ransoms and thereby financing organized crime to continue and strengthen their activities is, or at least should be, very controversial. Except for the relatively few affected victims, it's negative for the rest of the world that uses IT equipment. Paying the ransom is never the right thing to do, it's at best the least awful thing to do.

Also since we now have users paying ransom that report the unlock key didn't work, how could Qnap be sure that the master key they may receive would work? They could be throwing 2 million dollars into a black hole...
jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

What alternative NAS drivers are you also using and are they better when it comes to security?
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Unclear what you mean by drivers ? .. what drivers are you talking about ?
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

I'm sorry that some of you got hit and it's not your fault, but QNAP should not pay the ransom. If they do pay it will only increase the target on their back and this will likely happen again.

QNAP does need to better educate their customer base about the risks of putting your NAS on the Internet. It's fine to do so if you want, but adequate, timely backups are a minimum requirement if you want to prevent data loss going forward. They should also trim their app gallery significantly to help reduce the surface area of attack and give them more time to secure the apps that are kept. The more code you have running on your NAS, the more vulnerable to these sorts of zero-days it is. Also, they should create a locked down "NAS Mode" for people like me who only use their QNAP for a backup target, or at least let us disable unneeded apps (I'm looking at you myQNAPcloud).
Chadw1701a
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:39 am

Re: [RANSOMWARE] Deadbolt

Post by Chadw1701a »

Has anyone tested to see if a factory reset gets rid of the ransomware yet?
Hardware: TS-653A
chumbo
Know my way around
Posts: 130
Joined: Sun May 03, 2020 8:43 pm

Re: [RANSOMWARE] Deadbolt

Post by chumbo »

Are there any recommendations on how to behave if one is a victim of Deadbolt?

I've simply turned off my NAS altogether. Is that taking it too far? Is simply disconnecting it from the internet enough?
I don't know anything about how ransomware works but my assumption is that it's like a virus/trojan in that, once a device is infected, it no longer needs the internet to operate. So I'm assuming that as soon as I'd turn my NAS back on, Deadbolt would wake up and continue encrypting my files.
I had made a quick search on one part of my drive for the .deadbolt extension and found nothing so I know that not all my files have yet been encrypted so....is my approach the right one? And then just wait for some additional news/solutions from QNAP.
(I also shut off all my other USB connected HDD).
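An added example, not part of any post in this thread: a read-only tally of files carrying the .deadbolt extension mentioned in the post above, broken down per top-level folder, to gauge how far the encryption got. The function names are hypothetical, and it assumes the share or drive is reachable as an ordinary directory path.

```shell
#!/bin/sh
# Added example: the ".deadbolt" extension is the one named in the thread;
# function names and any paths passed in are hypothetical.

# count_files DIR [find-tests...]: number of regular files under DIR.
# One dot is printed per file, so file names containing newlines cannot
# skew the count, and "{} +" keeps it fast on large trees.
count_files() {
    dir=$1; shift
    find "$dir" -type f "$@" \
        -exec sh -c 'for f; do printf .; done' sh {} + 2>/dev/null \
        | wc -c | tr -d ' '
}

# deadbolt_summary ROOT: prints "<encrypted> <total> <folder>" for every
# visible top-level folder, then a TOTAL line covering the whole tree
# (including files directly in ROOT and hidden folders).
# It only lists files; nothing is written, renamed or deleted.
deadbolt_summary() {
    root=$1
    for sub in "$root"/*/; do
        [ -d "$sub" ] || continue
        enc=$(count_files "$sub" -name '*.deadbolt')
        all=$(count_files "$sub")
        printf '%s %s %s\n' "$enc" "$all" "$(basename "$sub")"
    done
    printf '%s %s TOTAL\n' \
        "$(count_files "$root" -name '*.deadbolt')" \
        "$(count_files "$root")"
}

# Stand-alone use: sh deadbolt_summary.sh /path/to/share
if [ "$#" -gt 0 ]; then
    deadbolt_summary "$1"
fi
```

A folder whose first two numbers are equal has no file left without the extension; a folder showing 0 has none with it.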
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] Deadbolt

Post by QNAPDanielFL »

I am sorry for not responding yesterday. This all happened while I was taking a sick day so I was not very active on the forums.

I hope to have more to say soon.

We are also testing on our end. But I want to ask for user experience if people find the snapshots are deleted or if they can recover from snapshots?
Does running programs like PhotoRec allow for recovering files, (though without file structure)?

I saw a reference to the 7z log trick and I was not sure what that is. Does anyone know?
"I powered-off mine as soon as I noticed, so I only lost a few files, but this way I lost the option of doing the 7z log trick."

We are working on figuring out a better solution on our end. But if you have information you think I should share with the PSIRT team, please let me know.

If you have questions you would like me to ask the PSIRT team, please let me know.
robdou
Starting out
Posts: 14
Joined: Sun Aug 08, 2010 10:17 pm

Re: [RANSOMWARE] Deadbolt

Post by robdou »

I own 2 NAS at 2 locations, both affected. This morning, when I connected to the web user interface I saw the classic modified interface telling me to pay 0.03BC. At the same time I saw that accessing the filestation was still possible. Another way to manage the NAS was via QManager App on my iPhone. With that app I was able to turn off the NAS remotely.
luckydekko
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:12 am

Re: [RANSOMWARE] Deadbolt

Post by luckydekko »

QNAPDanielFL wrote: Thu Jan 27, 2022 2:02 am I am sorry for not responding yesterday. This all happened while I was taking a sick day so I was not very active on the forums.

I hope to have more to say soon.

We are also testing on our end. But I want to ask for user experience if people find the snapshots are deleted or if they can recover from snapshots?
Does running programs like PhotoRec allow for recovering files, (though without file structure)?

I saw a reference to the 7z log trick and I was not sure what that is. Does anyone know?
"I powered-off mine as soon as I noticed, so I only lost a few files, but this way I lost the option of doing the 7z log trick."

We are working on figuring out a better solution on our end. But if you have information you think I should share with the PSIRT team, please let me know.

If you have questions you would like me to ask the PSIRT team, please let me know.
On my end after I lucked out by getting to the dashboard it was as if someone went in and turned off all security to let this happen. Even saw that malware ran a check… nothing
Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

Someone on the bleepingcomputer forum has paid and received the decrypt key, and someone else is trying to find a solution with that key and the original crypted files.
Maybe someone with QNAP SSH knowledge can lend him a hand.
https://www.bleepingcomputer.com/forums ... ion/page-3