[RANSOMWARE] >>READ 1st Post<< Deadbolt

nimblefinger5
New here
Posts: 6
Joined: Thu Jan 27, 2022 11:40 pm

Re: [RANSOMWARE] Deadbolt

Post by nimblefinger5 »

domanm wrote: Fri Jan 28, 2022 7:24 am Recently, such addresses appear in VPN logs
91.191.209.234, 91.191.209.235, 91.191.209.236, 78.128.113.68, 78.128.113.67, 78.128.113.66, 78.128.113.70, 80.66.88.60
These addresses show attempts to log in as random users, recorded in the logs as "login failed".
It wouldn't be surprising, but every now and then I see a pppd process on my system with a connection set up to these addresses. This is confirmed by the netstat command.

For example, IP 78.128.113.68 in logs (login attempt on January 19)
log.png

The same IP address is visible on another day in the processes (January 20)
ps.png

and in netstat on January 20
netstat.png

Login attempts do not coincide with pppd sessions (sometimes they are one day earlier and sometimes later).
However, in the last few weeks connections have been established to the server with the pppd service, which has root privileges.
That last IP, 80.66.88.60, comes up with some strange stuff
https://myip.ms/view/ip_owners/1177741/ ... honko.html

These are in Bulgaria: 78.128.113.68, 78.128.113.67, 78.128.113.66, 78.128.113.70
and these, 91.191.209.234 and 91.191.209.235, belong to L&L Investment Ltd.
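A way to automate the correlation domanm did by hand above (failed VPN logins on one day, a live pppd/PPTP session from the same source on another), as an added example that is not from this thread. The log and `netstat` lines are constructed in an assumed layout, not QNAP's real log format, and TCP 1723 is assumed as the PPTP control port.

```python
import re
from collections import defaultdict

# Constructed sample VPN log lines (field layout assumed, not QNAP's real format).
VPN_LOG = """\
2022-01-19 03:12:41 pptpd: login failed user=admin from=78.128.113.68
2022-01-19 03:12:47 pptpd: login failed user=backup from=78.128.113.68
2022-01-19 05:40:02 pptpd: login failed user=test from=91.191.209.234
2022-01-19 08:00:10 pptpd: login ok user=alice from=192.168.1.20
"""

# Constructed `netstat -tn` lines from the next day; PPTP's control channel is TCP 1723.
NETSTAT = """\
tcp        0      0 192.168.1.10:1723     78.128.113.68:51234    ESTABLISHED
tcp        0      0 192.168.1.10:1723     192.168.1.20:40001     ESTABLISHED
tcp        0      0 192.168.1.10:443      80.66.88.60:60111      TIME_WAIT
"""

FAILED_RE = re.compile(r"^(?P<ts>\S+ \S+) .*login failed user=(?P<user>\S+) from=(?P<ip>[\d.]+)")
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+[\d.]+:(?P<lport>\d+)\s+(?P<remote>[\d.]+):\d+\s+(?P<state>\S+)")

def parse_failed_logins(text):
    """Map each source IP to the (timestamp, username) pairs it failed with."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((m["ts"], m["user"]))
    return dict(failures)

def parse_established(text, local_port=1723):
    """Remote IPs holding an ESTABLISHED TCP session to the given local port."""
    peers = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m["state"] == "ESTABLISHED" and int(m["lport"]) == local_port:
            peers.add(m["remote"])
    return peers

def correlate(log_text, netstat_text, local_port=1723):
    """Sources that failed logins earlier and now hold a live PPTP session:
    treat those credentials (and the PPTP service itself) as compromised."""
    failures = parse_failed_logins(log_text)
    live = parse_established(netstat_text, local_port)
    return [{"ip": ip, "failed_logins": len(failures[ip]),
             "users_tried": sorted({u for _, u in failures[ip]})}
            for ip in sorted(failures) if ip in live]
```

A hit from this check is the signal to disable the PPTP service and rotate the accounts it tried, not just to block the one address.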
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] Deadbolt

Post by QNAPDanielFL »

Centaurx wrote: Fri Jan 28, 2022 7:11 am hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

That's why PPTP is outdated and should be considered breached.

https://en.wikipedia.org/wiki/Point-to- ... l#Security

Only use VPNs with certs in addition to user/pass auth (e.g. OpenVPN).
krzychos7
New here
Posts: 3
Joined: Tue Feb 23, 2021 10:26 am

Re: [RANSOMWARE] Deadbolt

Post by krzychos7 »

Comy86 wrote: Fri Jan 28, 2022 7:24 am
krzychos7 wrote: Fri Jan 28, 2022 6:40 am
Comy86 wrote: Fri Jan 28, 2022 1:04 am I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice; the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them to another HDD and then deal with the NAS and the NAS HDDs (while I keep the NAS disconnected from the internet).
After this, I'll come back and ask for advice on how to protect & back up my NAS.
Did you receive a valid key?
Tell me more. Let me know if it was possible to decrypt it, or whether they are swindlers.
Yes, I've received a valid key.
I managed to decrypt 7746 files before QNAP forced an update and I couldn't stop it. After the update, I searched for files with the extension *.deadbolt and found 10234 files, but my luck is that out of all of those, 9606 files I can copy from the server at work, 527 files were in the Recycle folder (so old files) and another 101 files don't have much value. I managed to recover the essentials.

Regarding the steps I took, you can follow these steps:
https://www.bleepingcomputer.com/forums ... try5313557

I paid with Coinbase. Be sure to have more than just 0.03 BTC, otherwise the commission for the transaction will be deducted from the sum you are paying (0.03 BTC).
So, to recover all files, it is better to cut off the internet from the local network so that QNAP does not update automatically, yes?
Centaurx
New here
Posts: 3
Joined: Sun Jan 24, 2016 10:30 am

Re: [RANSOMWARE] Deadbolt

Post by Centaurx »

QNAPDanielFL wrote: Fri Jan 28, 2022 7:43 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
In my case I was copying my files from the NAS to Dropbox.
Using the dropbox copy and renaming it, I can open all the .deadbolt files.
Now my NAS is offline but tomorrow I would like to try to do the same thing on the files still there.

I hope this will work for you guys as well.

My attack happened on Feb 25th after the automatic firmware update.
Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

krzychos7 wrote: Fri Jan 28, 2022 8:03 am
Comy86 wrote: Fri Jan 28, 2022 7:24 am
krzychos7 wrote: Fri Jan 28, 2022 6:40 am
Comy86 wrote: Fri Jan 28, 2022 1:04 am I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice; the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them to another HDD and then deal with the NAS and the NAS HDDs (while I keep the NAS disconnected from the internet).
After this, I'll come back and ask for advice on how to protect & back up my NAS.
Did you receive a valid key?
Tell me more. Let me know if it was possible to decrypt it, or whether they are swindlers.
Yes, I've received a valid key.
I managed to decrypt 7746 files before QNAP forced an update and I couldn't stop it. After the update, I searched for files with the extension *.deadbolt and found 10234 files, but my luck is that out of all of those, 9606 files I can copy from the server at work, 527 files were in the Recycle folder (so old files) and another 101 files don't have much value. I managed to recover the essentials.

Regarding the steps I took, you can follow these steps:
https://www.bleepingcomputer.com/forums ... try5313557

I paid with Coinbase. Be sure to have more than just 0.03 BTC, otherwise the commission for the transaction will be deducted from the sum you are paying (0.03 BTC).
So, to recover all files, it is better to cut off the internet from the local network so that QNAP does not update automatically, yes?
Yes

Also, if you're unable to see the lock screen, try adding index.html after the IP of the NAS (which can be found in Qfinder).
example:
192.168.1.1:8080/index.html
Plecotus
Starting out
Posts: 18
Joined: Sun Nov 11, 2012 8:04 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Plecotus »

dolbyman wrote: Fri Jan 28, 2022 4:59 am A VPN server that is running on your router or a dedicated appliance (e.g. raspi) .. that has been mentioned in this thread at least a dozen times now
I've been reading this thread chronologically. I quoted a comment from page 1 or 2, as I read it. I've now made it to page 16. Sorry to be such a nuisance :roll:
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

krzychos7 wrote: Fri Jan 28, 2022 8:03 am So, to recover all files, it is better to cut off the internet from the local network so that QNAP does not update automatically, yes?
Another idea would be to simply disable auto update of the firmware...
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
star1007
First post
Posts: 1
Joined: Fri Jan 28, 2022 9:03 am

Re: [RANSOMWARE] Deadbolt

Post by star1007 »

Centaurx wrote: Fri Jan 28, 2022 7:11 am hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
It did not work for me. Have you tried it by yourself? I am sure the attackers are not that dumb.
Plecotus
Starting out
Posts: 18
Joined: Sun Nov 11, 2012 8:04 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Plecotus »

yemartin wrote: Fri Jan 28, 2022 5:16 am 5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
My use case is having a number of independent sales contractors (about 50 of them) needing to view and (more importantly) upload files from their tablets and smartphones while in the field.
Qfile works like a charm for this particular purpose and I'm not sure how I'd accomplish a similarly user-friendly experience (none of them are very tech savvy) with a VPN. Having to first connect the VPN on their iPads, iPhones or Androids before then using Qfile is going to be off-putting for the majority of these guys.

Qfile (SSL enabled) can be set up to use any port other than the default 443 HTTPS port, e.g. port 19443. Would that somewhat mitigate the risk/exposure against threats/exploits like these while still benefiting from the ease of use that Qfile natively offers?
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

yemartin wrote: Fri Jan 28, 2022 5:16 am 1) You don't. I mean: reevaluate your use of QNAP to access files remotely. If it is just a small convenience, maybe it is not worth the risk.
2) You understand the risk but have money to burn and don't mind paying ransoms (risky: unlocking may not always be an option).
3) You understand the risk but your data is disposable so you don't mind losing it.
4) You understand the risk but have a solid backup strategy, and don't mind restoring from backups when needed.
5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
OMG!

In my opinion only 1 and 5 are valid options.

2-4 are hugely irresponsible and I'm surprised to see anyone even suggest them. It's not only the data on the NAS that is at stake. Every time criminals own the system they can do anything. The criminals could plant a trojan on the NAS, they could use it as a relay in further criminal activities, they could use it as a foothold to attack other systems like the backups, a work laptop (so suddenly you're giving the intruder a foothold into your employers network), surveillance cameras to spy on you or anything else in the network.

This is true madness!
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by P3R »

Plecotus wrote: Fri Jan 28, 2022 9:07 am Qfile (SSL enabled) can be set up to use any port other than the default 443 HTTPS port, e.g. port 19443. Would that somewhat mitigate the risk/exposure against threats/exploits like these while still benefiting from the ease of use that Qfile natively offers?
You're living with the risk for intrusions into a corporate network because you like the ease-of-use? :-0
Taigrow
New here
Posts: 3
Joined: Mon Jul 05, 2021 9:01 am

Re: [RANSOMWARE] Deadbolt

Post by Taigrow »

QNAPDanielFL wrote: Fri Jan 28, 2022 7:43 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
Did not work for me. I tried a video file and a PDF
Plecotus
Starting out
Posts: 18
Joined: Sun Nov 11, 2012 8:04 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Plecotus »

P3R wrote: Fri Jan 28, 2022 9:14 am You're living with the risk for intrusions into a corporate network because you like the ease-of-use? :-0
"Corporate network" is probably somewhat of a reach. This is literally a 2-bay QNAP sitting in my house's electrical closet doing real-time and periodic backup (HBS3) to OneDrive over a residential DSL circuit.

To be clear: my system is not infected, but following this thread with great interest because I'm looking to learn and improve. And prevent!

And yes, up until this moment in time, ease-of-use is an important factor for my users that needs to be part of the equation. If I lock it down too tightly and it becomes too tiresome to access, users will walk away.
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Theliel »

Plecotus wrote: Fri Jan 28, 2022 9:07 am
yemartin wrote: Fri Jan 28, 2022 5:16 am 5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
My use case is having a number of independent sales contractors (about 50 of them) needing to view and (more importantly) upload files from their tablets and smartphones while in the field.
Qfile works like a charm for this particular purpose and I'm not sure how I'd accomplish a similarly user-friendly experience (none of them are very tech savvy) with a VPN. Having to first connect the VPN on their iPads, iPhones or Androids before then using Qfile is going to be off-putting for the majority of these guys.

Qfile (SSL enabled) can be set up to use any port other than the default 443 HTTPS port, e.g. port 19443. Would that somewhat mitigate the risk/exposure against threats/exploits like these while still benefiting from the ease of use that Qfile natively offers?
Undoubtedly. Changing the ports used by default greatly decreases any intrusion attempts. It is not a guarantee that it cannot be attacked, but for practical purposes it eliminates more than 99% of the problems. Why?

As I said, these types of attacks are indiscriminate. They do not search for a specific device, but instead try to infect as many devices as possible. What is done in this type of attack (the vast majority of the time) is to launch the exploit directly at the ports where the vulnerable services are located. Yes, you can send the exploit to all 65535 ports on a device, but the time it takes is exponential, not to mention that many router firewalls themselves will detect a clear anomaly and drop the traffic. They could also do an investigation to try to find out the port to which it has moved, but I repeat that this is not the case in indiscriminate attacks of this type.

For practical and real purposes, and especially in "home" environments, simply changing the default ports reduces any problem to a minimum. In other words, I'm pretty sure there haven't been any users infected with DeadBolt that had the ports changed. It wouldn't prevent a premeditated attack or a very conscientious attack, but that's usually not a problem.

Another recommendation that I always make together with the above, and which makes the system practically free of infections, is to correctly configure the firewall of the NAS or of the router that we put in front of it, with something as simple as filtering the traffic that comes from outside our country. 99% of the malware in these attacks comes from the same countries, so unless you live in precisely one of those countries, filtering international traffic makes you pretty safe.

Applying these and other practices that are the A-B-C of security, I have never had a single attempted intrusion/infection on my systems. In other words, my computers are essentially "invisible" to the background noise of the Internet. That doesn't make them invulnerable; targeted or well-planned attacks would possibly achieve the goal, but no one performs such attacks on home users or small businesses.