[RANSOMWARE] >>READ 1st Post<< Deadbolt

QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] Deadbolt

Post by QNAPDanielFL »

Centaurx wrote: Fri Jan 28, 2022 8:09 am
QNAPDanielFL wrote: Fri Jan 28, 2022 7:43 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am Hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
In my case I was copying my files from the NAS to Dropbox.
Using the dropbox copy and renaming it, I can open all the .deadbolt files.
Now my NAS is offline but tomorrow I would like to try to do the same thing on the files still there.

I hope this will work for you guys as well.

My attack happened on Feb 25th after the automatic firmware update.
Do you mean Feb 25? or Jan 25?
I am not aware of anyone getting deadbolt in Feb of 2021. Can you confirm the date?
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

Centaurx wrote: Fri Jan 28, 2022 7:11 am Hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
I think that the Deadbolt file name is changed and the encryption does not run at the same time.
I think it is encrypted after the file name is changed (per folder unit, for example).
However, many video files may not be encrypted.

#QNAP does not have a file command
This post was created by machine translation.
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by genmaitya »

Plecotus wrote: Fri Jan 28, 2022 9:07 am
yemartin wrote: Fri Jan 28, 2022 5:16 am 5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
My use case is having a number of independent sales contractors (about 50 of them) needing to view and (more importantly) upload files from their tablets and smartphones while in the field.
Qfile works like a charm for this particular purpose and I'm not sure how I'd accomplish a similar user-friendly (none of them are very tech savvy) experience with a VPN. Having to first connect to the VPN on their iPads, iPhones or Android devices before then using Qfile is going to be off-putting for the majority of these guys.

Qfile (SSL enabled) can be set up to use any port other than the default 443 HTTPS port, e.g. port 19443. Would that somewhat mitigate the risk/exposure against threats/exploits like these while still benefiting from the ease of use that Qfile natively offers?
Changing the port is meaningless if the server administrator is using myQNAPcloud with the default settings.
This post was created by machine translation.
remapp
New here
Posts: 2
Joined: Sat Jan 07, 2017 12:16 am

Re: [RANSOMWARE] Deadbolt

Post by remapp »

So I got the ransomware popup when trying to use Qfinder Pro. I immediately powered down my NAS. Then I disconnected the home internet, then powered it back on. It looked like there were no files with the .deadbolt extension. I got a 14TB EasyStore drive and started copying off all the files that my Windows 11 mapped drives and File Explorer could find. I think I got them all now on my external EasyStore drive. It took a couple of days to complete and compare to make sure I got everything... some missing files, but minimal.

I then used the cgi-bin/index.cgi URL and logged onto the device with no popup. Yay. What do I do next? When I try Qfinder Pro after that the popup comes up. I am assuming I am not safe. What are my next steps to get back to normal?

I disabled UPnP and stopped any port forwarding in QNAP. Turned off the web server. I have an EERO mesh router and the only thing I could see was that UPnP was enabled, but not now... no port forwarding or IPv6.

I think my new approach is to buy another huge external drive and make a backup of the backup and just use the NAS for the LAN. I guess I will have to find a cloud storage place to share family photos and videos (+5TB)... any suggestions are appreciated.
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

star1007 wrote: Fri Jan 28, 2022 9:06 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am Hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
It did not work for me. Have you tried it by yourself? I am sure the attackers are not that dumb.
About the file with the ".deadbolt" extension.
What happens to the CTIME and MTIME of encrypted files and unencrypted files?

ls -l filename.deadbolt
ls -cl filename.deadbolt
This post was created by machine translation.
BacardiMan
New here
Posts: 8
Joined: Mon Sep 04, 2017 3:05 pm

Re: [RANSOMWARE] Deadbolt

Post by BacardiMan »

Hello to everyone,

I follow the topic on an hourly basis and do find some interesting new bits of information possibly leading to a solution, but they are not followed up on consequently.
Let's try to get a little structure into that process by finding answers to these questions.
  1. Is there anyone who was successful at extracting the password out of a still running decryption process?
  2. Is there anyone who can confirm that a firmware update after the decryption has started makes it impossible to recover files by applying the correct passphrase?
  3. Is there anyone who truly believes that it is worth waiting because QNAP will come up with a solution?
What we already seem to know is that
  • there are people who have paid the money and received a working passphrase.
  • there is a possibility that some files with a deadbolt file extension could be recovered by simply restoring the old file extension.
I am really curious if we can find definite answers to the questions above.

Best regards
Bacardi Man
skaox
New here
Posts: 6
Joined: Sat Oct 31, 2020 4:02 am

Re: [RANSOMWARE] Deadbolt

Post by skaox »

Hulli wrote: Wed Jan 26, 2022 6:37 pm Hi I have done the following:

1. changed the index.html in /mnt/HDA_ROOT/ with SSH to the original one (index.html.bak which was still there). Now access to the nas is available again.

2. found a file 27139 which was loaded in the tasklist. I have killed the process (in SSH use following command: kill PID#).

3. found the file in /mnt/HDA_ROOT/ and deleted it (attention: it has the attribute i, which means immutable; you first have to SSH in and run the following command: chattr -i /path/filename). The filename was 27139 in my case.

4. checked how many files are encrypted and luckily did not find one file so far. So I was quick to find the ransomware before it started decrypting.

5. shut down the NAS

6. Firewall is set up to block all traffic to the NAS

7. opened this as a ticket with QNAP support and am waiting for their advice


brgds

Hulli

Good to know; it was perfect, a big THANK YOU!


Usage: lsattr [-Radlv] [FILE]...
List file attributes on an ext2 fs

Usage: chattr [-R] [-+=AacDdijsStTu] [-v VERSION] [FILE]...
Change file attributes on an ext2 fs


For those interested in finding (via SSH) which files are encrypted with .deadbolt:

find / -type f -name "*.deadbolt"

or, scanning a specific folder:

find /folder_we_want_to_scan/ -type f -name "*.deadbolt"


Saving the result in a file:

find / -type f -name "*.deadbolt" > file_result.txt

or:

find / -type f -name "*.deadbolt" | tee file_result.txt



To add more info about how the system was compromised:
QTS 4.5.4.1800
UPnP disabled
open port on the internet: 80 (not 8080 ;) with forced redirection to 443, that's all.


Jan 27 00:00, without asking, QTS was automatically upgraded from version 4.5.4.1800 -> 5.0.0 1891 (not 1900).

After that an update was available for Malware Remover (4.6.1.1 -> 5.6.1.2) but nothing was detected, and the same thing later with the automatic scan at 03:00.

Tonight, Jan 27 20:34, another manual scan and finally the DEADBOLT portal was found and the files deleted (index.html, SDDPD.bin and 27139).
Last edited by skaox on Sat Jan 29, 2022 10:56 am, edited 2 times in total.
FabrizioA
Starting out
Posts: 16
Joined: Sat Aug 13, 2016 5:52 pm

Re: [RANSOMWARE] Deadbolt

Post by FabrizioA »

FabrizioA wrote: Thu Jan 27, 2022 10:43 pm
antik wrote: Wed Jan 26, 2022 4:46 pm Article: https://www.qnap.com/en/security-news/2 ... e-together

What about the situation of using "If your NAS login page is hacked, please try to add "/cgi-bin/index.cgi" to the NAS login URL (e.g. http://nas_ip:8080/cgi-bin/index.cgi), and you should log in accordingly." and then the Snapshots to get back the data to its previous state?
I don't understand... if I put http://my_local_ip:8080/cgi-bin/index.cgi in my browser, I get the login page of QNAP (with user and password prompt)... so, have I been hacked or not???? :S
nonojapan
Starting out
Posts: 17
Joined: Wed Jan 26, 2022 12:14 pm

Re: [RANSOMWARE] Deadbolt

Post by nonojapan »

FabrizioA wrote: Fri Jan 28, 2022 3:40 pm
FabrizioA wrote: Thu Jan 27, 2022 10:43 pm
antik wrote: Wed Jan 26, 2022 4:46 pm Article: https://www.qnap.com/en/security-news/2 ... e-together

What about the situation of using "If your NAS login page is hacked, please try to add "/cgi-bin/index.cgi" to the NAS login URL (e.g. http://nas_ip:8080/cgi-bin/index.cgi), and you should log in accordingly." and then the Snapshots to get back the data to its previous state?
I don't understand... if I put http://my_local_ip:8080/cgi-bin/index.cgi in my browser, I get the login page of QNAP (with user and password prompt)... so, have I been hacked or not???? :S
If you put http://my_local_ip:8080/cgi-bin/index.cgi, you bypass the hacker page. Try just http://my_local_ip:8080
aspitko
New here
Posts: 2
Joined: Thu Jan 27, 2022 2:14 am

Re: [RANSOMWARE] Deadbolt

Post by aspitko »

QNAPDanielFL wrote: Fri Jan 28, 2022 7:43 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am Hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
Not for me. If I open the .deadbolt file via SSH with the vi editor, it's obvious its header is different (and includes the DEADBOLT string as well) - I attach a comparison of the original and .deadbolt files.
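As an added example (not code from any poster in this thread), here is a small POSIX sh triage helper that combines skaox's find command with aspitko's header observation. Because QTS lacks a `file` command (as genmaitya notes), it reads the first bytes with od; the magic-byte table for jpg/png/pdf and the check for a DEADBOLT marker in the first 1 KiB are assumptions drawn from the posts above, not a verified description of the Deadbolt file format.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes POSIX sh with od, find,
# dd, grep and mktemp. The magic-byte table and the DEADBOLT marker check are
# assumptions based on the posts above, not a format specification.

# First four bytes of a file as uppercase hex (od stands in for the missing
# `file` command on QTS).
header_hex() {
  od -A n -t x1 -N 4 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Classify one *.deadbolt file:
#   renamed   - header still matches the magic for the original extension
#   encrypted - the DEADBOLT marker aspitko saw appears in the first 1 KiB
#   unknown   - neither (unlisted type, or no visible marker)
classify_deadbolt() {
  f=$1
  orig=${f%.deadbolt}
  ext=$(printf '%s' "${orig##*.}" | tr 'A-Z' 'a-z')
  case "$ext:$(header_hex "$f")" in
    jpg:FFD8FF*|jpeg:FFD8FF*) echo renamed; return ;;
    png:89504E47)             echo renamed; return ;;
    pdf:25504446)             echo renamed; return ;;
  esac
  if dd if="$f" bs=1024 count=1 2>/dev/null | grep -q DEADBOLT; then
    echo encrypted
  else
    echo unknown
  fi
}

# Walk a tree with skaox's find and print "<class><TAB><path>" per file.
# Pair the output with `ls -l` / `ls -cl` to compare mtime and ctime, as
# genmaitya suggested.
scan_deadbolt() {
  find "$1" -type f -name '*.deadbolt' | while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_deadbolt "$f")" "$f"
  done
}

# Constructed sample tree so the helper can be dry-run offline; not victim data.
make_sample() {
  d=$(mktemp -d)
  printf '\377\330\377\340JFIF' > "$d/photo.jpg.deadbolt"       # renamed JPEG
  printf 'DEADBOLT\001\002payload' > "$d/report.pdf.deadbolt"   # marker present
  printf 'no magic here' > "$d/notes.txt.deadbolt"              # undecidable
  echo "$d"
}

# Usage on the NAS: sh triage.sh /share
if [ -n "${1:-}" ]; then scan_deadbolt "$1"; fi
```

A "renamed" result only means the header survived; verify each file opens before trusting it, and treat "unknown" files as encrypted until proven otherwise.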
aspitko
New here
Posts: 2
Joined: Thu Jan 27, 2022 2:14 am

Re: [RANSOMWARE] Deadbolt

Post by aspitko »

P3R wrote: Fri Jan 28, 2022 8:49 am
krzychos7 wrote: Fri Jan 28, 2022 8:03 am So, to recover all files, it is better to cut off the internet from the local network so that the QNAP does not update automatically, yes?
Another idea would be to simply disable auto update of the firmware...
And more importantly Malware Remover, which is responsible for removal of the deadbolt threat (at least the portal).
Yesterday I had a log entry in my system with a notice:
„[Malware Remover] Detected and quarantined the DEADBOLT portal. If you have a decryption key and need to access the portal, contact QNAP Technical Support by submitting a request via QNAP Helpdesk. Add [Ransomware] to the ticket subject.“
Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

Comy86 wrote: Fri Jan 28, 2022 7:24 am
krzychos7 wrote: Fri Jan 28, 2022 6:40 am
Comy86 wrote: Fri Jan 28, 2022 1:04 am I've decided to pay the ransom. I know that's not how we should deal with this kind of situations, but I have no choice, the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it will decrypt the files, I'll copy them on another HDD and then deal with the NAS and the NAS HDD's (while I'll keep the NAS disconnected from the internet)
After this, I'll come back and ask advices on how to protect&back-up my NAS
Did you receive a valid key?
Tell more. Let me know if it was possible to decrypt it, or whether the swindlers.
Yes, I've received a valid key.
I managed to decrypt 7746 files before QNAP forced an update and I couldn't stop it. After the update, I searched for files with the extension *.deadbolt and found 10234 files, but my luck is that out of all of those, 9606 files I can copy from the server at work, 527 files were in the Recycle folder (so old files) and another 101 files don't have much value. I managed to recover the essential ones.

Regarding the steps I took, you can follow these steps
https://www.bleepingcomputer.com/forums ... try5313557

I paid with Coinbase. Be sure to have more than just 0.03 BTC, otherwise the commission for the transaction will be deducted from the sum you are paying (0.03 BTC).
update!!
I deactivated the malware removal tool, and after about 5 minutes, I managed to get the lock screen back with the address http://IP:8080//index.html (there are 2 "/" between the port and the index.html).
I entered the key and started decrypting the remaining files. After it finished decrypting, the lock screen disappeared and I was again in the QNAP GUI.
Plecotus
Starting out
Posts: 18
Joined: Sun Nov 11, 2012 8:04 pm

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by Plecotus »

genmaitya wrote: Fri Jan 28, 2022 11:06 am Changing the port is meaningless if the server administrator is using myQNAPcloud with the default settings.
Another learning opportunity! Can you elaborate on this a little? Which default settings would needlessly expose the QNAP?
I do have myQNAPCloud enabled but:

- UPnP disabled
- myDDNS enabled
- don't have any services published
- do have the myQNAPcloud Link enabled with default UDP setting
- access control is set to private (me only)
- active SSL certificate
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Comy86 wrote: Fri Jan 28, 2022 4:22 pm ...
update!!
I deactivated the malware removal tool, and after about 5 minutes, I managed to get the lock screen back with the address http://IP:8080//index.html (there are 2 "/" between the port and the index.html).
I entered the key and started decrypting the remaining files. After it finished decrypting, the lock screen disappeared and I was again in the QNAP GUI.
And how can you be sure that the malware did not put any backdoor to your system???
I would never - NEVER - trust an infected device, and much less the guys who press money from me!

Regards
Centaurx
New here
Posts: 3
Joined: Sun Jan 24, 2016 10:30 am

Re: [RANSOMWARE] Deadbolt

Post by Centaurx »

QNAPDanielFL wrote: Fri Jan 28, 2022 10:13 am
Centaurx wrote: Fri Jan 28, 2022 8:09 am
QNAPDanielFL wrote: Fri Jan 28, 2022 7:43 am
Centaurx wrote: Fri Jan 28, 2022 7:11 am Hello everyone.

I got the ransomware too.
I noticed that the files are not really encrypted.
If you rename the file with the original extension it comes back as before.
E.g.

file.jpg.deadbolt
rename
File.jpg
the file opens normally

I know, it sounds stupid but it works.
Has anyone else tried this? And did it work for them?
In my case I was copying my files from the NAS to Dropbox.
Using the dropbox copy and renaming it, I can open all the .deadbolt files.
Now my NAS is offline but tomorrow I would like to try to do the same thing on the files still there.

I hope this will work for you guys as well.

My attack happened on Feb 25th after the automatic firmware update.
Do you mean Feb 25? or Jan 25?
I am not aware of anyone getting deadbolt in Feb of 2021. Can you confirm the date?
It happened on January 25th, sorry for the typo.
My case is odd, but I was running a backup from the QNAP to Dropbox.
I realized the problem when I found the .deadbolt files on Dropbox.

On a hunch, I opened them with Atom and saw that the .txt files were not encrypted, so I renamed jpg, pdf and other files to confirm.
I admit I don't know what happened and immediately took my NAS offline; in the next few days I will check the contents inside as well.