[RANSOMWARE] >>READ 1st Post<< Deadbolt

jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

FSC830 wrote: Thu Jan 27, 2022 9:16 pm
rtioghl wrote: Thu Jan 27, 2022 8:58 pm ...A few questions...
Some answers:
Q1: I do not know which type of files are affected, all or only a subset.
Q2, Q3, Q4: no one can give exact advice at the current point of time (except the f**k staff who programmed this code).
In the past (Qlocker) there was a possibility to get back at least some of the files, no idea, if the mechanism works for Deadbolt too.
Therefore all is possible, if you restart the NAS, encryption may continue.
If these guys have only a bit of brain, they would use another way of encryption to gain their goal.
Q5: A complete reset of the NAS can be done by:
a) pull all disks, connect the disks directly or via a USB adapter to a PC and delete all partitions, formatting is not necessary.
b) install FW using Qfinder to NAS
c) re-insert the disks, power on and follow the installation wizard
d) if the NAS is up again, check autorun.sh for any cryptic or unknown code. Usually autorun.sh is empty if YOU did not put any command there!

Q6:
depends on the NAS: for old Cat1 models (so called legacy firmware) use a Linux PC and mount the correct partition. For Windows, there are existing drivers for reading the ext4 file system, but I do not know how they handle the partitions.
For newer Cat2 models with HAL firmware (ability to create pools) it is much more difficult, there is an additional LVM layer you need to address. No idea, how this is to be done.
There are several threads dealing with that, but I did not see a solution which fits one-for-all.

Regards
I thought the firmware was on the drives so if you pull all drives it won't boot ... is that correct? Or is the process:

1) pull the drives
2) switch on
3) Download the latest firmware
4) locate in QFinderPro on another computer across the network
5) Update firmware and wait for a restart
6) re-insert the drives
7) ?? what happens next ??

Thanks
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

No, a part of the firmware is in a special memory (DOM), which enables the NAS to boot without any drive.
There are some very, very old NAS which cannot boot (someone told me, I do not know such devices myself).
But the possibilities are rather limited :wink: , if you know the IP (Qfinder will tell you) you can access the webserver and see a page asking for a disk.
Unless you put a disk into the NAS, you cannot proceed.

Regards
SimonKenoby
New here
Posts: 5
Joined: Thu Jan 27, 2022 3:19 pm

Re: [RANSOMWARE] Deadbolt

Post by SimonKenoby »

genmaitya wrote: Thu Jan 27, 2022 8:10 pm

Code:

 ps | grep 13813
23851 admin       996 S   grep 13813
I guess that process is not running...

Execute the lsof command.(login:admin)

Code:

$ lsof /mnt/HDA_ROOT/nnnnn         # "nnnnn" is your file name(ex. 13813) 
COMMAND     PID   USER  FD    TYPE DEVICE SIZE/OFF  NODE  NAME
xxxxx       ZZZZZ admin xxx   xxx    x,xx     xxxxx     xxxxxx  /mnt/HDA_ROOT/nnnnn
"ZZZZZ" is PID.
If nothing is displayed, it may not be running.

Execute the kill command.

Code:

$ kill -9 ZZZZZ
$
Ok, more info. I had already deleted the file xxxx but I still tried:

Code:

 lsof | grep "/mnt/HDA_ROOT/"
cc3-fastc  2068          admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2070    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2071    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2074    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2075    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2077    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2078    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2084    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2085    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2086    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2087    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  2088    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068  3125    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068 10733    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
cc3-fastc  2068 12877    admin    4u      REG                9,9      61440       7302 /mnt/HDA_ROOT/.config/cloudconnector/CloudConnector3/config.db
python     8729          admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8729  8730    admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8729  8731    admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8729  8732    admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8729  8733    admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8729  8734    admin   16w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python     8784          admin    9w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
dhcpd     11784          admin    3w      REG                9,9     877080      13305 /mnt/HDA_ROOT/.logs/network/bootup.log
dhcpd     11784          admin    7w      REG                9,9        280       7449 /mnt/HDA_ROOT/.config/dhcp/dhcpd_docker0.leases
dhcpd     11787          admin    3w      REG                9,9     877080      13305 /mnt/HDA_ROOT/.logs/network/bootup.log
dhcpd     11787          admin    7w      REG                9,9        274       7248 /mnt/HDA_ROOT/.config/dhcp/dhcpd_lxcbr0.leases
dhclient  12148          admin    5w      REG                9,9       1010       7418 /mnt/HDA_ROOT/.config/dhclient/br0.leases
python    13069          admin    8w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python    13069 13146    admin    8w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python    13069 13148    admin    8w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
python    13069 13150    admin    8w      REG                9,9     961101      13340 /mnt/HDA_ROOT/.logs/nvs_event.log
proftpd   17044          guest    4r      REG                9,9         72       7296 /mnt/HDA_ROOT/.config/group
qulogdb   17416          admin  cwd       DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416          admin    3uW     REG                9,9         52       7363 /mnt/HDA_ROOT/.config/qulog/db/aria_log_control
qulogdb   17416          admin    4r      DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416          admin    5u      REG                9,9      24576       7379 /mnt/HDA_ROOT/.config/qulog/db/aria_log.00000001
qulogdb   17416          admin    8u      REG                9,9       4096       7383 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYI
qulogdb   17416          admin    9u      REG                9,9     154140       7387 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYD
qulogdb   17416          admin   10u      REG                9,9       2048       7453 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYI
qulogdb   17416          admin   13u      REG                9,9          0       7231 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYD
qulogdb   17416 17420    admin  cwd       DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17420    admin    3uW     REG                9,9         52       7363 /mnt/HDA_ROOT/.config/qulog/db/aria_log_control
qulogdb   17416 17420    admin    4r      DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17420    admin    5u      REG                9,9      24576       7379 /mnt/HDA_ROOT/.config/qulog/db/aria_log.00000001
qulogdb   17416 17420    admin    8u      REG                9,9       4096       7383 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYI
qulogdb   17416 17420    admin    9u      REG                9,9     154140       7387 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYD
qulogdb   17416 17420    admin   10u      REG                9,9       2048       7453 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYI
qulogdb   17416 17420    admin   13u      REG                9,9          0       7231 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYD
qulogdb   17416 17441    admin  cwd       DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17441    admin    3uW     REG                9,9         52       7363 /mnt/HDA_ROOT/.config/qulog/db/aria_log_control
qulogdb   17416 17441    admin    4r      DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17441    admin    5u      REG                9,9      24576       7379 /mnt/HDA_ROOT/.config/qulog/db/aria_log.00000001
qulogdb   17416 17441    admin    8u      REG                9,9       4096       7383 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYI
qulogdb   17416 17441    admin    9u      REG                9,9     154140       7387 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYD
qulogdb   17416 17441    admin   10u      REG                9,9       2048       7453 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYI
qulogdb   17416 17441    admin   13u      REG                9,9          0       7231 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYD
qulogdb   17416 17442    admin  cwd       DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17442    admin    3uW     REG                9,9         52       7363 /mnt/HDA_ROOT/.config/qulog/db/aria_log_control
qulogdb   17416 17442    admin    4r      DIR                9,9       4096       7290 /mnt/HDA_ROOT/.config/qulog/db
qulogdb   17416 17442    admin    5u      REG                9,9      24576       7379 /mnt/HDA_ROOT/.config/qulog/db/aria_log.00000001
qulogdb   17416 17442    admin    8u      REG                9,9       4096       7383 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYI
qulogdb   17416 17442    admin    9u      REG                9,9     154140       7387 /mnt/HDA_ROOT/.config/qulog/db/mysql/proc.MYD
qulogdb   17416 17442    admin   10u      REG                9,9       2048       7453 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYI
qulogdb   17416 17442    admin   13u      REG                9,9          0       7231 /mnt/HDA_ROOT/.config/qulog/db/qulog/access_filter.MYD
winbindd  19265          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
winbindd  19265          admin    8u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
ncdb      19480          admin  cwd       DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480          admin    3uW     REG                9,9         52       7050 /mnt/HDA_ROOT/.config/nc/db/aria_log_control
ncdb      19480          admin    4r      DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480          admin    5u      REG                9,9      24576       7051 /mnt/HDA_ROOT/.config/nc/db/aria_log.00000001
ncdb      19480          admin    8u      REG                9,9       1024       7157 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYI
ncdb      19480          admin    9u      REG                9,9       1024       7151 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYI
ncdb      19480          admin   10u      REG                9,9          0       7343 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYD
ncdb      19480          admin   12u      REG                9,9       2048       7172 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYI
ncdb      19480          admin   13u      REG                9,9          0       7526 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYD
ncdb      19480          admin   15u      REG                9,9          0       7518 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYD
ncdb      19480          admin   18u      REG                9,9       2048       7190 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYI
ncdb      19480          admin   19u      REG                9,9          0       7473 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYD
ncdb      19480 19492    admin  cwd       DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19492    admin    3uW     REG                9,9         52       7050 /mnt/HDA_ROOT/.config/nc/db/aria_log_control
ncdb      19480 19492    admin    4r      DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19492    admin    5u      REG                9,9      24576       7051 /mnt/HDA_ROOT/.config/nc/db/aria_log.00000001
ncdb      19480 19492    admin    8u      REG                9,9       1024       7157 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYI
ncdb      19480 19492    admin    9u      REG                9,9       1024       7151 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYI
ncdb      19480 19492    admin   10u      REG                9,9          0       7343 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYD
ncdb      19480 19492    admin   12u      REG                9,9       2048       7172 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYI
ncdb      19480 19492    admin   13u      REG                9,9          0       7526 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYD
ncdb      19480 19492    admin   15u      REG                9,9          0       7518 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYD
ncdb      19480 19492    admin   18u      REG                9,9       2048       7190 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYI
ncdb      19480 19492    admin   19u      REG                9,9          0       7473 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYD
ncdb      19480 19539    admin  cwd       DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19539    admin    3uW     REG                9,9         52       7050 /mnt/HDA_ROOT/.config/nc/db/aria_log_control
ncdb      19480 19539    admin    4r      DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19539    admin    5u      REG                9,9      24576       7051 /mnt/HDA_ROOT/.config/nc/db/aria_log.00000001
ncdb      19480 19539    admin    8u      REG                9,9       1024       7157 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYI
ncdb      19480 19539    admin    9u      REG                9,9       1024       7151 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYI
ncdb      19480 19539    admin   10u      REG                9,9          0       7343 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYD
ncdb      19480 19539    admin   12u      REG                9,9       2048       7172 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYI
ncdb      19480 19539    admin   13u      REG                9,9          0       7526 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYD
ncdb      19480 19539    admin   15u      REG                9,9          0       7518 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYD
ncdb      19480 19539    admin   18u      REG                9,9       2048       7190 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYI
ncdb      19480 19539    admin   19u      REG                9,9          0       7473 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYD
ncdb      19480 19540    admin  cwd       DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19540    admin    3uW     REG                9,9         52       7050 /mnt/HDA_ROOT/.config/nc/db/aria_log_control
ncdb      19480 19540    admin    4r      DIR                9,9       4096       7047 /mnt/HDA_ROOT/.config/nc/db
ncdb      19480 19540    admin    5u      REG                9,9      24576       7051 /mnt/HDA_ROOT/.config/nc/db/aria_log.00000001
ncdb      19480 19540    admin    8u      REG                9,9       1024       7157 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYI
ncdb      19480 19540    admin    9u      REG                9,9       1024       7151 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYI
ncdb      19480 19540    admin   10u      REG                9,9          0       7343 /mnt/HDA_ROOT/.config/nc/db/nc/sender.MYD
ncdb      19480 19540    admin   12u      REG                9,9       2048       7172 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYI
ncdb      19480 19540    admin   13u      REG                9,9          0       7526 /mnt/HDA_ROOT/.config/nc/db/nc/policy_categories.MYD
ncdb      19480 19540    admin   15u      REG                9,9          0       7518 /mnt/HDA_ROOT/.config/nc/db/nc/receiver.MYD
ncdb      19480 19540    admin   18u      REG                9,9       2048       7190 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYI
ncdb      19480 19540    admin   19u      REG                9,9          0       7473 /mnt/HDA_ROOT/.config/nc/db/nc/policy.MYD
winbindd  19494          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
winbindd  19494          admin    8u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd      19521          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd      19521          admin    3u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd-noti 19525          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd-noti 19525          admin    3u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
cleanupd  19526          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
cleanupd  19526          admin    3u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
winbindd  19527          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
winbindd  19527          admin    8u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd      22813          admin  mem       REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
smbd      22813          admin    3u      REG                9,9     430080       6646 /mnt/HDA_ROOT/.config/secrets.tdb
rsyslogd  25312          admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
rsyslogd  25312 25313    admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
rsyslogd  25312 25314    admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
rsyslogd  25312 25315    admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
rsyslogd  25312 25316    admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
rsyslogd  25312 25317    admin    5w      REG                9,9    1040151      13285 /mnt/HDA_ROOT/.logs/kmsg
qdesk_sol 28449          admin  cwd       DIR                9,9       4096         17 /mnt/HDA_ROOT/update_pkg/helpdesk
qdesk_sol 28449          admin  255r      REG                9,9        287        154 /mnt/HDA_ROOT/update_pkg/helpdesk/diagnostic_tool/qdesk_soldier
Nothing looked like the filename I had, and also:

Code:

[/mnt/HDA_ROOT] # lsof | grep "/mnt/HDA_ROOT/13813"
[/mnt/HDA_ROOT] #
In addition the index.html was replaced back with the ransomware one, I had to move back index.html.bak again. So either I didn't take it off the internet correctly, or it has some form of cron or scheduled process.
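The two checks SimonKenoby did by hand above (is any process still holding the suspect file open, and has the restored index.html been swapped out again), as an added example that is not from any poster; it walks /proc instead of calling lsof, assumes a Linux procfs as QTS has, and the default path /mnt/HDA_ROOT/13813 is the one from the thread.

```python
import hashlib
import os
from typing import List


def find_holders(target: str) -> List[int]:
    """Return the PIDs of every process that currently has `target` open.
    Walks /proc/<pid>/fd directly rather than calling lsof, which on a
    BusyBox-based NAS may be absent or stripped of options."""
    wanted = os.path.realpath(target)
    holders: List[int] = []
    if not os.path.isdir("/proc"):
        return holders  # no procfs here (not Linux); nothing to scan
    for pid_name in os.listdir("/proc"):
        if not pid_name.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid_name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or it belongs to another user
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == wanted:
                    holders.append(int(pid_name))
                    break
            except OSError:
                continue  # fd closed between listing and readlink
    return sorted(holders)


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large pages/logs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def login_page_tampered(live_path: str, known_good_path: str) -> bool:
    """True when the served page differs from the restored backup copy
    (index.html vs index.html.bak in the post above). A mismatch after a
    restore means something on the box put the ransom page back."""
    return sha256_file(live_path) != sha256_file(known_good_path)


if __name__ == "__main__":
    import sys

    # Usage: python3 check.py [suspect_file] [index.html index.html.bak]
    suspect = sys.argv[1] if len(sys.argv) > 1 else "/mnt/HDA_ROOT/13813"
    pids = find_holders(suspect)
    if pids:
        print(f"{suspect}: held open by PID(s) {pids}")
    else:
        print(f"{suspect}: no process has it open")
    if len(sys.argv) == 4:
        state = "DIFFERS from" if login_page_tampered(sys.argv[2], sys.argv[3]) else "matches"
        print(f"{sys.argv[2]} {state} {sys.argv[3]}")
```

If the page keeps reverting while no process holds the file, the re-write is coming from something scheduled rather than a running encryptor, which is the distinction the post above is trying to make.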
yemartin
New here
Posts: 3
Joined: Thu Jan 27, 2022 2:50 pm

Re: [RANSOMWARE] Deadbolt

Post by yemartin »

Comy86 wrote: Thu Jan 27, 2022 6:38 pm I don't know much about crypto, blockchain etc., but I think that the transaction indicated with the green arrow is the commission fee (and with the red arrow is the amount of 0.03)
https://www.blockchain.com/ru/btc/addre ... yylj65fvdm
If my understanding is correct:
- The transaction with the red arrow is the ransom being paid.
- The transaction with the green arrow is the hackers sending themselves a small amount to the same BTC address. It is that second transaction that contains the decryption key (as OP_RETURN code).
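Extracting the data from an OP_RETURN output as described in the post above, as an added example that is not from any poster or from QNAP; it assumes the transaction has already been fetched and decoded into a list of outputs with a scriptPubKey hex field (the shape bitcoind's decoderawtransaction returns), and the 32-byte "key" in the sample is constructed, not real Deadbolt data.

```python
from typing import Dict, List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def _read_push(script: bytes, i: int) -> Optional[Tuple[bytes, int]]:
    """Decode a single data push starting at offset i.
    Returns (data, offset_after_push), or None if the bytes at i are not a
    well-formed push (unknown opcode, or a length that overruns the script)."""
    op = script[i]
    if 1 <= op <= 0x4B:                                   # OP_PUSHBYTES_1..75
        n, i = op, i + 1
    elif op == OP_PUSHDATA1 and i + 2 <= len(script):     # 1-byte length
        n, i = script[i + 1], i + 2
    elif op == OP_PUSHDATA2 and i + 3 <= len(script):     # 2-byte LE length
        n, i = int.from_bytes(script[i + 1:i + 3], "little"), i + 3
    elif op == OP_PUSHDATA4 and i + 5 <= len(script):     # 4-byte LE length
        n, i = int.from_bytes(script[i + 1:i + 5], "little"), i + 5
    else:
        return None
    if i + n > len(script):
        return None                                       # truncated push
    return script[i:i + n], i + n


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN (several pushes concatenated),
    b"" for a bare OP_RETURN, or None when the script is not an OP_RETURN
    output (ordinary P2PKH/P2WPKH spends) or is malformed."""
    if not script or script[0] != OP_RETURN:
        return None
    parts: List[bytes] = []
    i = 1
    while i < len(script):
        step = _read_push(script, i)
        if step is None:
            return None
        data, i = step
        parts.append(data)
    return b"".join(parts)


def op_return_payloads(vout: List[Dict]) -> List[bytes]:
    """Collect OP_RETURN payloads from a decoded transaction's outputs.
    Assumed input shape: each output is {"value": ..., "scriptPubKey": {"hex": "..."}}."""
    found: List[bytes] = []
    for out in vout:
        hexscript = out.get("scriptPubKey", {}).get("hex", "")
        payload = op_return_payload(bytes.fromhex(hexscript))
        if payload is not None:
            found.append(payload)
    return found


# Constructed sample outputs (not real chain data): a normal P2PKH output
# beside an OP_RETURN output carrying a 32-byte stand-in "key".
SAMPLE_KEY = bytes(range(0x20, 0x40))
SAMPLE_VOUT = [
    {"value": 0.03, "scriptPubKey": {"hex": "76a914" + "00" * 20 + "88ac"}},
    {"value": 0.0, "scriptPubKey": {"hex": (b"\x6a\x20" + SAMPLE_KEY).hex()}},
]

if __name__ == "__main__":
    for payload in op_return_payloads(SAMPLE_VOUT):
        print("OP_RETURN payload:", payload.hex())
```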
FabrizioA
Starting out
Posts: 16
Joined: Sat Aug 13, 2016 5:52 pm

Re: [RANSOMWARE] Deadbolt

Post by FabrizioA »

antik wrote: Wed Jan 26, 2022 4:46 pm Article: https://www.qnap.com/en/security-news/2 ... e-together

What about situation to use "If your NAS login page is hacked, please try to add "/cgi-bin/index.cgi" to the NAS login URL (e.g. http://nas_ip:8080/cgi-bin/index.cgi), and you should log in accordingly." and then the Snapshots to get back the data to its previous state?
I don't understand... if I put http://my_local_ip:8080/cgi-bin/index.cgi in my browser, I get the login page of QNAP (with user and password prompt).... so, have I been hacked or not???? :S
pbch1
New here
Posts: 8
Joined: Wed Jan 26, 2022 8:53 pm

Re: [RANSOMWARE] Deadbolt

Post by pbch1 »

NO real help from Qnap! --> Attachment!
Deadbold-1_page_2.jpg
Deadbold-1_page_1.jpg
Deadbold-1_page_3.jpg
Only help? Update and restore!

If you do not have a recent backup you will lose everything! So.. "Notice : once remove deadbolt from nas, you can’t decrypt files even have correct password".
Great! So the only way to at least TRY is to pay! But I don't know how to track a BTC transfer to get an "OP-return" with a key.
:oops:
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

What did you expect?..We still don't know what encryption was used..7z with a changed file extension?..is there some extra salt involved that will get lost if the infection is removed?
all unknown

So if you have no clue what to do..get professional help
pbch1
New here
Posts: 8
Joined: Wed Jan 26, 2022 8:53 pm

Re: [RANSOMWARE] Deadbolt

Post by pbch1 »

dolbyman wrote: Thu Jan 27, 2022 11:02 pm .is there some extra salt involved that will get lost if the infection is removed?

So if you have no clue what to do..get professional help
Yes. I have NO chance to remove the encryption even if I got my (pid) or any (Master?) Key, and my Data is definitely lost.

Professional help? Users like you.... they will give a Hand to others?
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

A local computer expert that can guide you through your options (payment, recovery, whatnot).. it will cost you..no matter what you do
Sevenfeet
Starting out
Posts: 43
Joined: Sat Jul 24, 2021 11:44 pm

Re: [RANSOMWARE] Deadbolt

Post by Sevenfeet »

nonojapan wrote: Thu Jan 27, 2022 12:53 pm Sevenfeet, I think you are right about the 3 back-ups. On my site 70% was backed up on AWS3, so not everything is lost. May I ask, how do you automate the back-up from the Qnap NAS to the back-up NAS? What maker do you advise for the back-up NAS? Thanks a lot.
I'm mostly a Mac user in my home so I use Carbon Copy Cloner to do regular copies of my NAS shared folders to my old Mac and Drobo RAID which is now just my primary backup machine. Eventually I will upgrade the Drobo to something else later this year but right now, it still works. Carbon Copy Cloner is nice because I can set up jobs to do updates of individual folders from remote shares, not just everything. Also, because of the fluid nature of a ransomware attack, you don't need to do daily backups on stuff that doesn't change often, like your media libraries. Once a month works well enough for me since it is less likely that your backup will be corrupted as well. A good copy/backup program can be configured to only copy changes to files, so you don't have to copy your entire multi-terabyte movie library every time. If there are files in your company that need to be backed up more often than that, then there are methods that may work better. For daily backups of critical data, you may create a job for Monday that backs up to a specific folder, then Tuesday backs up to a different folder, Wednesday, etc. After a week, the round robin process begins again. And if you're paranoid like me, you may have backups going back more time than that.

And it doesn't have to be Carbon Copy Cloner but there are other utilities out there on Mac and PC that can do this kind of work. You just need to find something you like that's reliable that works for you. An old computer that might be too slow for other tasks can still make a good backup machine. Just make sure that it's not so old that the vendor (Apple, Microsoft or your fave Linux distro) isn't providing it security updates.

One other thing about a backup strategy. First, RAID is NOT A BACKUP STRATEGY! It is a HIGH AVAILABILITY strategy. High availability is designed to ensure operations continue because of a hardware failure and in most cases, the thing in your computer/server likely to fail is that spinning disk thing. So when hard drives fail, RAID is designed to either give you enough time to effect a replacement or if you're really risk averse, have a backup drive at the ready already installed (hot spares or RAID 6). But that's not going to save you from a fire, tornado, flood, theft, vandalism or in this case, ransomware.

ALWAYS REVIEW YOUR BACKUPS! Backups are worthless if the strategy isn't working or the files on the other side are corrupted. I've had companies (well known companies) find out the hard way that a machine they thought was doing backups either wasn't or had corrupted data on the backup machine.

This morning after reading all the posts from this forum and Reddit, I went to my firewall logs to look for anything suspicious to my QNAP's LAN interface (there was nothing). I double verified that UPnP was off. I then powered up the NAS and began looking for signs of Deadlock. So far, I'm clean. But I'm now reviewing all of my backups and my own policies to make sure everything is good here. We can always do better with our data. And yes, there are some things that are beyond our control (like finding out you have a zero day vulnerability). But we all can do better and do the work for a credible backup strategy. Again, backups cost money, time and effort. But it's cheap compared to the alternative.
Last edited by Sevenfeet on Thu Jan 27, 2022 11:46 pm, edited 1 time in total.
nimblefinger5
New here
Posts: 6
Joined: Thu Jan 27, 2022 11:40 pm

Re: [RANSOMWARE] Deadbolt

Post by nimblefinger5 »

According to the release notes for firmware QTS 5.0.0.1891 build 20211221 the following CVEs were patched. Any ideas if they could have caused any of the attack vectors in previous firmware?

CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25722, CVE-2021-3738, CVE-2020-25721, and CVE-2021-23192

They all look related to Samba escalations, just curious if Samba is used for authentication on the NAS web page as opposed to just Samba for SMB connections.

Also, as CVE-2021-23192 looks like an injection vuln and CVE-2020-25721 with CVE-2020-25717 bypass auth, just curious if the three together are some kind of injection on the admin page that then allows escalated privileges.
Last edited by nimblefinger5 on Fri Jan 28, 2022 12:04 am, edited 4 times in total.
Kal Rubinson
New here
Posts: 3
Joined: Tue Apr 22, 2014 8:54 am

Re: [RANSOMWARE] Deadbolt

Post by Kal Rubinson »

I am uneasy about saying this but....................

My NAS got the DeadBolt attack on Tuesday when I noticed that there was an excessive amount of disk thrashing when no relevant activity was scheduled. I was unable to get past the ransomware page whether I logged in via QNAPCloud or directly via local address. So I shut it down. Tried again later in the day: same thing. However, throughout this, my PC-based music streamer was still able to access music files on the NAS by SMB and they seemed unaffected. Still, I checked my backups, figuring that I'd have to wipe the NAS and reload everything.

On Wednesday morning, after reading this thread and elsewhere (including QNAP), I powered it up again and after 3-4 failures to get anything but the DeadBolt page, I was able to log in to the control page. It informed me that an update was ready and, after I did it, I deleted apps, tools, functions that Security Counselor (and other sources) suggested and disconnected cloud services. I installed QuFirewall.

It is now Thursday morning. All drives checked out in the overnight, nothing looks changed or corrupted and all seems to be functioning normally. I can live without the Cloud services; they were only for convenience, not necessity.
DeadBolt gone.JPG
Did I just luck out? Is there anything I can check that I am missing?
Last edited by Kal Rubinson on Thu Jan 27, 2022 11:57 pm, edited 1 time in total.
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Leaving the system as is would be crazy...reinfection could be only a matter of time

kill the NAS..restore from backups (has been said many times throughout the thread)

and of course disable all port forwards and upnp
SimonKenoby
New here
Posts: 5
Joined: Thu Jan 27, 2022 3:19 pm

Re: [RANSOMWARE] Deadbolt

Post by SimonKenoby »

Kal Rubinson wrote: Thu Jan 27, 2022 11:48 pm I am uneasy about saying this but....................

My NAS got the DeadBolt attack on Tuesday when I noticed that there was an excessive amount of disk thrashing when no relevant activity was scheduled. I was unable to get past the ransomware page whether I logged in via QNAPCloud or directly via local address. So I shut it down. Tried again later in the day: same thing. However, throughout this, my PC-based music streamer was still able to access music files on the NAS by SMB and they seemed unaffected. Still, I checked my backups, figuring that I'd have to wipe the NAS and reload everything.

On Wednesday morning, after reading this thread and elsewhere (including QNAP), I powered it up again and after 3-4 failures to get anything but the DeadBolt page, I was able to log in to the control page. It informed me that an update was ready and, after I did it, I deleted apps, tools, functions that Security Counselor (and other sources) suggested and disconnected cloud services. I installed QuFirewall.

It is now Thursday morning. All drives checked out in the overnight, nothing looks changed or corrupted and all seems to be functioning normally. I can live without the Cloud services; they were only for convenience, not necessity.

Did I just luck out? Is there anything I can check that I am missing?
At first I thought the same, but I still have some files affected, not all. Maybe you are just not looking in the right place.


In addition I just got the Malware Remover update, and it notified me that the Deadbolt malware had been removed. The good thing for me is that the encrypted files are not the important ones, the bad thing is that, as they are not important, I didn't have any backup of them like for the more important ones...
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

So you trust Malware Remover to remove all traces of this?...good luck then