millercentral wrote: ↑Fri Jan 28, 2022 3:28 am
While pulling the NAS offline is the best defense, I wonder based on what has been learned if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill it/delete it if discovered?
dolbyman wrote: ↑Fri Jan 28, 2022 3:32 am
Why bother? .. how about not forwarding ports to your NAS? .. How difficult is this to follow?
I must agree. Creating a monitoring script would only encourage users to leave their NAS exposed - a bad idea.
[RANSOMWARE] >>READ 1st Post<< Deadbolt
- OneCD
- Guru
- Posts: 12160
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
- Starting out
- Posts: 15
- Joined: Thu Jan 27, 2022 2:15 am
Re: [RANSOMWARE] Deadbolt
Immediately after I saw that the NAS had been infected, I shut it down, disconnected it from the internet, deactivated the PF on 8080 and 443 and disabled UPnP in the router.
Now I was ready to pay the ransom, but the lock screen doesn't show up.
Has anybody run into this?
- dolbyman
- Guru
- Posts: 35275
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
I don't know how that Deadbolt login/ransom page works, but if it needs web access to work, then disconnecting the NAS from the web could be counterproductive.
One would need to see the source code of that page.
- dolbyman
- Guru
- Posts: 35275
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Yup .. that normally happens every time (was it half a dozen large malware campaigns in the last 2-3 years?) .. anyone ever heard of successful lawsuits/arbitration?
- Starting out
- Posts: 15
- Joined: Thu Jan 27, 2022 2:15 am
Re: [RANSOMWARE] Deadbolt
I connected everything and it didn't work until I added /index.html after the IP.
- OneCD
- Guru
- Posts: 12160
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
Nope, but I've also never heard of a group bringing a suit against a company in these circumstances. Then again, I'm not a lawyer so that could be why I've never heard of one.
- Starting out
- Posts: 15
- Joined: Thu Jan 27, 2022 2:15 am
Re: [RANSOMWARE] Deadbolt
another "happy customer"
https://www.blockchain.com/btc/address/ ... yvd6caneul
- dolbyman
- Guru
- Posts: 35275
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Still wondering about the code of that login page .. what is the decryption invoking? A custom script? 7z?
- New here
- Posts: 2
- Joined: Tue Dec 15, 2020 1:58 am
Re: [RANSOMWARE] Deadbolt
Has anyone found anything out about the attack vector yet?
My NAS is (more or less) exposed to the internet. I didn't buy it for backups, I bought it to be my do-it-all private cloud with Plex, photo sharing, home assistant, VPN etc, so "taking it offline" sounds a bit ridiculous as a long term solution.
It has Qfirewall and sits behind a reverse proxy running on a rasp pi, which itself runs behind a Unifi Dream Machine. There are very specific rules set on the Unifi firewall, as well as in Qfirewall - only specific IP ranges from my ISP and mobile operator should have access. So if the attack vector is the administration web page, then I'm more or less fine with it as to be able to find me they would need to scan from the whitelisted IP ranges and know the exact hostname for the admin page.
Now if they're using HBS3 again or QVPN to gain access, then I might be in trouble. I have many, many HBS jobs to many types of targets, and QVPN is reachable with a more relaxed geo restriction.
AgeLocker, Qlocker, eCh0raix, now deadbolt. This is getting very worrisome.
- Know my way around
- Posts: 124
- Joined: Tue Jun 12, 2018 4:52 am
Re: [RANSOMWARE] Deadbolt
millercentral wrote: ↑Fri Jan 28, 2022 3:28 am
While pulling the NAS offline is the best defense, I wonder based on what has been learned if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill it/delete it if discovered?
There is simply no legal basis. It doesn't matter if they demand 10 or 10,000. Every system is vulnerable; it is practically impossible to hold a company responsible or sue it because its software has security flaws. In the history of the Internet we have seen infinitely more sophisticated attacks affecting a huge number of victims, including multinationals, governments... Unless it could be shown that the company created a backdoor by underhanded means, there would be no case at all. If a company could be sued because programmers are human and it is totally impossible to create perfect software, programmers would not exist.
Regardless of all the affected users (which I understand is a big problem for them), this happens 24/7. Any device exposed to the Internet will be constantly bombarded with all kinds of "noise" produced by careless users, botnets, hackers, security experts... The vast majority of that noise is harmless; even malicious traffic is usually old and ineffective today in most cases. But, as is natural, when a "juicy" exploit appears, things get complicated and there is real danger. Almost all of these attacks are completely indiscriminate; they do not look for specific targets, they simply scan the Internet in search of the specific ports used by the service they want to attack, and most of the time they do not even "search", they simply try.
This is the reason why exposing any application/service to the Internet on its default ports is the greatest recklessness a home user can commit, be it a NAS, a web server, VPN, Telnet, SSH, FTP...; it is like putting a luminous sign on the door of the house so that the noise of the Internet reaches it. UPnP greatly enhances this, since if the listening ports are not correctly changed and all the services that are not really used are disabled, it can expose a large number of services to the Internet, and the more services exposed, the more potentially vulnerable services/applications can be reached.
It is not complex at all to create a small script to completely stop the attack, even to cut off communication with the attackers as soon as it is detected, without even allowing them to download or execute code on our NAS. The problem is that in order to solve all this, it is necessary to be able to "infect" yourself with the malware in a controlled environment, and in this way learn what the attack vector is, the affected services, and the networks from which the attacks are being carried out... Until a real infection is caught and can be studied, everything else counts for little. At that point, a quick and simple solution could be launched to stay protected while the bug involved is resolved by QNAP.
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 4:39 am
Re: [RANSOMWARE] Deadbolt
Comy86 wrote: ↑Fri Jan 28, 2022 3:56 am
another "happy customer"
https://www.blockchain.com/btc/address/ ... yvd6caneul
And it worked? Were you able to retrieve the information?
- Starting out
- Posts: 18
- Joined: Sun Nov 11, 2012 8:04 pm
- dolbyman
- Guru
- Posts: 35275
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [Ransomware] .deadbolt Jan 25th, 2022
A VPN server that is running on your router or a dedicated appliance (e.g. raspi) .. that has been mentioned in this thread at least a dozen times now
- New here
- Posts: 3
- Joined: Thu Jan 27, 2022 2:50 pm
Re: [Ransomware] .deadbolt Jan 25th, 2022
There are several choices:
1) You don't. I mean: reevaluate your use of QNAP to access files remotely. If it is just a small convenience, maybe it is not worth the risk.
2) You understand the risk but have money to burn and don't mind paying ransoms (risky: unlocking may not always be an option).
3) You understand the risk but your data is disposable so you don't mind losing it.
4) You understand the risk but have a solid backup strategy, and don't mind restoring from backups when needed.
5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
PS: as others mentioned, for 5), do not use the VPN from the NAS itself, given the poor track record of QNAP regarding security. Use the VPN from your router, or a dedicated appliance.
- Starting out
- Posts: 11
- Joined: Wed Jan 26, 2022 5:59 am
Re: [Ransomware] .deadbolt Jan 25th, 2022
As others have said, use a VPN. I have run WireGuard on a Raspberry Pi before without issue. There are a few guides around the internet that walk you through the setup process. WireGuard has apps for Android, Apple (I assume), PC, Linux, and Mac, so you can use it on pretty much everything.
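As an added illustration of the Raspberry Pi WireGuard setup recommended above (this is example configuration, not the poster's own), here is a minimal server config for the Pi and a matching peer config for a phone or laptop, so that the only thing the router forwards is one UDP port to the Pi and the NAS itself is never exposed. The key values, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 LAN, the eth0 interface name and the NAS address 192.168.1.10 are placeholders; keys come from `wg genkey` / `wg pubkey`.

```ini
# ---- /etc/wireguard/wg0.conf on the Raspberry Pi (example; placeholder values) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <PI_PRIVATE_KEY>
# Let tunnel clients reach the home LAN (NAS at 192.168.1.10) via the Pi's eth0;
# the rules are removed again when the interface goes down.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# One [Peer] block per device you allow in; anything without a listed key is ignored.
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- client config on the phone/laptop (example; placeholder values) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>
DNS = 192.168.1.1

[Peer]
PublicKey = <PI_PUBLIC_KEY>
Endpoint = <your-public-ip-or-ddns-name>:51820
# Split tunnel: only the VPN subnet and the home LAN go through the tunnel,
# so the NAS web UI is reached as http://192.168.1.10:8080 from inside it.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

On the router, forward only UDP 51820 to the Pi and leave 8080/443 (and UPnP) off; the NAS then has no listener reachable from the Internet at all.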