[RANSOMWARE] >>READ 1st Post<< Deadbolt

P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

Theliel wrote: Sat Jan 29, 2022 5:47 am Even for those who say that the "solution" is accessing by VPN, that is also in itself a risk, since at the end the VPN server is software, and therefore susceptible to containing security problems that could potentially allow a hacker to sneak into the local network.
Yes, all communication has risks, but to call well-established VPN technologies a risk in comparison to a directly exposed Qnap is absolutely ridiculous. That Qnap managed to even mess up a VPN service shouldn't be seen as a problem with the underlying technology but, again, with their implementation.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
a13antichrist
Know my way around
Posts: 142
Joined: Tue Apr 17, 2018 10:06 pm
Location: Amsterdam, NL

Re: [RANSOMWARE] Deadbolt

Post by a13antichrist »

Hilarious, all the people here & on reddit yelling in exasperation "how could QNAP do this, I clicked DISABLE!!!!"
Well, 1, the restart might have bummed a few people, but honestly if they think it's *really*, *really* critical I'm glad they have some way to force it anyway. I wouldn't have updated for some time, and even though I'm not publishing anything, I'd much rather suffer the little inconvenience of having things rebooted than suffer the big inconvenience of an attack of some sort.

And 2nd.. Just because the **GUI** shows a button with 'Disable' doesn't mean in any manner that it has to exclusively, categorically do anything like what it says it will.. and certainly no reason to think that it must be a categorical full-stop-no-way-in-h_e_l_l-100000%-deactivation. It's a flag that QNAP gave in the OS. Only they know **exactly** what it does, what the precise code is, etc. I also wouldn't be at all surprised if there's a passage somewhere in the User Agreement that says something like "even if you disable auto-update, QNAP reserves the right to push emergency security updates in extreme circumstances as determined necessary by the QNAP team" or whatever.

It's not a sneaky, insidious backdoor. It's just a common-sense lesser-of-two-evils.
TVS-871 @ 58tb formatted R6, Mellanox MCX312b 10Gbe,
R9 5950x || RTX3090 || 64Gb 3600Mhz || Intel X520 10Gbe
MbP M1 Max || 32C GPU || 64Gb || QNAP T310G1S SFP+ 10Gbe
R3 2200G mini HTPC
Mikrotik switches & routers
OpenWRT & DD-WRT wifi
nomoqn@p
New here
Posts: 7
Joined: Sat Jan 29, 2022 5:14 am

Re: [RANSOMWARE] Deadbolt

Post by nomoqn@p »

Ninecows80 wrote: Sat Jan 29, 2022 5:59 am
dolbyman wrote: Sat Jan 29, 2022 4:59 am Just because someone says it doesn't make this true .. you fell for false advertisement and now you make up stuff.

We had this discussion many times over the last few years, where QNAP NAS were plagued with malware ... get those things out of the web and save the tears.
No sir. You and other people here had this discussion. Here. On this forum. The regular non-pro home users who just need remote access to files and don't check this forum regularly have not been warned. Neither do I log in to the qnap regularly. It's a box in the basement. It stores movies and music. I only log on to the admin part of it if there's something wrong. If I log on and there's an update I will update. But I don't log into it on a daily basis to check for updates. I believe it was updated last time in December. We're not talking months or years of neglecting updates. I use the Qapps on my phone. And not even on a daily basis. Imagine if Qmanager gave me a notification that a critical update was recommended? Or warned that a security breach was found and I should turn off service xyz or port xyz ASAP? But no. It had two days to encrypt my files without any pro-active warning from Qnap. And it seems like it did so.

Ordinary people use the advertised services and functions. Qnap failed on that promise. Neither did they advise me to check this forum on a daily basis. Now they have a lot of clean up to do. Don’t blame users for that.

Not blaming the individual tech-guy at qnap. I’m pretty certain they’re going through ** now and I hope/trust they will find a good solution. I’m blaming management and marketing at qnap for over promising and under delivering. Can’t defend that.

My box is completely turned off now. Don’t even know how to access it without it being on the internet. It’s normally plugged into my router.
I agree completely. I too have been hit by deadbolt. Fortunately, I do backup, unfortunately, not super-regularly, so I'm debating whether I've lost anything critical enough to warrant paying the ransom. I had no idea that one of the stated functions of the NAS would expose me to this malware; I was simply using it as advertised. And I don't see any critical alerts in my inbox from QNap. If changing these settings was such a critical security issue, I'd expect an email that says something to that effect in the subject line. Instead I get subject lines that talk about new apps available and the like. I'm not an IT person, so I'm not reading each of these newsletters where maybe this critical bit of news was buried.

Someone earlier in the thread compared setting the NAS to be exposed to the internet to be like driving a car at 100 miles an hour into a wall. That's not a good analogy since cars aren't advertised as being good for that. A better analogy would be you're driving your car at 55, turn on the radio and the car dies. You can then patch it up, but now you don't know what will happen when you use a turn signal or your high beams. In my opinion, the blame for this falls squarely at QNap's feet. They should do the right thing and get the universal key, but I'm sure they won't. I have no faith in the company at this point, nor in the security of their devices. My new Synology box is already here and I'm setting it up to replace the QNap. Do I expect it to be more secure? Hopefully, but it's hard to be worse...
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: [RANSOMWARE] Deadbolt

Post by Cbrad01 »

Not that I support the actions, but to point out that Microsoft, Apple and Google have all pushed out updates to their platforms without warning or notice when they deemed it necessary.
Microsoft has gotten so tired of people not patching that they have made it next to impossible for people not to patch.
Apple has always updated or patched macOS when they decide to, with updates that do not even show up.
Google for a time ignored Android updates, playing it as the vendors' problem, until a lot of devices were nothing but massive malware platforms.
It's a lot more common than not that vendors force updates.
I don't agree with forced updates without warning, but to be clear Qnap is far from alone here.
And for the forced update: I have 4 systems on different versions and none have auto-updated, and each can reach out to the Qnap store.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

nomoqn@p wrote: Sat Jan 29, 2022 9:06 am I agree completely. I too have been hit by deadbolt. ... In my opinion, the blame for this falls squarely at QNap's feet. ...
It's fine if you want to expose your box, that's your call. Just know it can all go down in flames if something goes wrong and backup accordingly. You should also keep up on the happenings on whatever product you are using. Sadly, you can't just set and forget stuff that's internet facing anymore. You have to ensure timely patching and sometimes take action during an attack to protect your assets. Even then, you can do everything right and sometimes it's just not your day.

If you do want to forward ports, look into proxying your traffic through CloudFlare; it's free to do so. If you are tech minded you will be able to figure it out, there are plenty of guides out there. Not sure if it would've helped in this particular attack though. It doesn't work for every service (e.g. WireGuard), but most will tolerate it just fine.
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

darcon wrote: Sat Jan 29, 2022 5:49 am I'm new to QNAP, and I'm just curious if they have ever said it was okay to open the admin port to the internet? I know they don't recommend it now, just wondering if that's a new thing. I believe a lot of this is just QNAP being slow to adjust to the ever changing security landscape, and their customers are paying the price.

I do have a degree in CS and was not affected by this attack. I knew from experience what was a good idea and what wasn't. Most people aren't in IT and don't deal with cybersecurity on a daily basis. They rely on QNAP for that, and QNAP is failing.

I expose services (Nextcloud, Plex, WireGuard) on my Unraid NAS. I leverage a reverse proxy, LE, proxy everything through CloudFlare which does my Geoblock/WAF/misc traffic rules, and sandboxed containers. Just to show how safe I feel this setup is, I use my QNAP (LAN only) for daily scheduled backups, also have a few big external HDDs that I manually plug in for weekly backups, and finally I back up to tape once every month or so. This is excessive; the gear was free for me, so why not. Backing up your data to external hard drive(s) is sufficient. This is not trivial to set up (or maintain), but it shows what needs to be done to keep your data safe. Now, if my house gets hit by a tornado I'm screwed, but I'll take that risk. I have never had an issue with exposing these services; I won't be surprised if it happens though.
Using myqnapcloud exposes the management port to the internet.
In addition, it is easy for others to find.
For this reason, QNAP recommends using a VPN when accessing it from the Internet (on the blog) :D
https://blog.qnap.com/nas-internet-connect-en/
This post was created by machine translation.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

genmaitya wrote: Sat Jan 29, 2022 10:15 am Using myqnapcloud exposes the management port to the internet.
In addition, it is easy for others to find.
For this reason, QNAP recommends using a VPN when accessing it from the Internet (on the blog) :D
https://blog.qnap.com/nas-internet-connect-en/
Oh, I think it's myQNAPcloud Link. myQNAPcloud (no Link) is the prior version which requires opening the admin port. Love the naming QNAP!

https://www.qnap.com/solution/myqnapcloud-link/en/

Regardless, at this point QNAP has said nothing, so we can't trust anything they control.
destruya
Starting out
Posts: 19
Joined: Mon Aug 11, 2014 6:37 am

Re: [RANSOMWARE] Deadbolt

Post by destruya »

I had a Russian script kiddie using spoofed IPs on my NAS for months trying to brute force my password and evade the attempt lockout, so there's no way in hell I'm bringing it back online now if there's a known way to bypass 2FA, which SHOULD be enough.

So right now my NAS is *offline* until QNAP can be bothered to put out a F/W update to not just 5.x but 4.5.x as well.
spile
Been there, done that
Posts: 638
Joined: Tue May 24, 2016 12:13 am

Re: [RANSOMWARE] Deadbolt

Post by spile »

P3R wrote: Sat Jan 29, 2022 6:58 am
QNAPDanielFL wrote: Sat Jan 29, 2022 6:39 am The encryption should not continue if you turn the NAS back on after it has been turned off.
We haven't always agreed on security matters and I've come down hard on you from time to time but kudos for not hiding now but trying your best to help when it's really, really bad. I have great respect for that!
I would echo those comments. Qnap_Daniel has been a lone (and very much appreciated) voice from Qnap support who posts on this and the Reddit Qnap forum.
chatchat
New here
Posts: 4
Joined: Fri Feb 26, 2016 9:47 pm

Re: [RANSOMWARE] Deadbolt

Post by chatchat »

Hello,

I activated the QuFirewall with "Basic Protection". Since then, I can't access my NAS from the local network; I can only log in from an external IP address?
Is it normal? My local IP address is 192.168.1.8 and the NAS is on 192.168.1.21.
https://i.ibb.co/kDyYXNx/Greenshot-2022 ... -46-57.png
https://i.ibb.co/dtrsvbc/Greenshot-2022 ... -47-42.png
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

No, it is not!
But you should not hijack this thread for such questions. :wink:

Regards
Ninecows80
Starting out
Posts: 33
Joined: Sat Nov 20, 2021 2:23 am

Re: [RANSOMWARE] Deadbolt

Post by Ninecows80 »

So I followed the steps here https://www.qnap.com/en/how-to/faq/arti ... y-deadbolt. Seems like the malware remover did its job, but too late. I can confirm that basically anything we have of valuable files on the qnap has been encrypted. Not just renamed, but encrypted. First file (going alphabetically) was attacked on the 25th in the evening (CET) and the last file (out of 9TB or so) the next morning at 10. Roughly 36 h later the malware remover picks up the activity, removes it and asks me to restart the NAS... but doing so in the middle of the night, not pinging my phone or anything, is useless. I'm not a pro so no - I don't check the log on my NAS on a daily basis.

So what's the deal from here? Wait and hope that QNAP or someone else can somehow help me recover the files? What do you think the odds are for that?

It's really ironic how the title of that FAQ document is really not answered in the instructions. It shows how to stop the attack, but nothing else. Doesn't even say: "Oh yeah... and wrt to your encrypted files: tough luck!"

I have a backup (off-site at work, but it is obviously not recent enough)... It's not like we have a lot of changes. It's mostly just media files. Most other things are also in iCloud. But it's tens of hours of ripping CDs and DVDs. Definitely not worth paying 1100USD to get back. If they were asking for 1/10th we might consider it...
Last edited by Ninecows80 on Sat Jan 29, 2022 7:53 pm, edited 1 time in total.
chumbo
Know my way around
Posts: 130
Joined: Sun May 03, 2020 8:43 pm

Re: [RANSOMWARE] Deadbolt

Post by chumbo »

QNAPDanielFL wrote: Sat Jan 29, 2022 6:39 am The encryption should not continue if you turn the NAS back on after it has been turned off.
I just don't feel comfortable with the should part. Is there further info on this? My NAS has been off for the last 3 days since this started and I haven't dared to turn it on for that very reason!
So, is there a general consensus that it's safe to turn the NAS back on and that the encryption won't resume (while keeping the NAS offline of course)?
Thanks!
QNAP TS-251+ 8Gb, Windows 10 x64.
I'm a total noob when it comes to networking and security so please address me as if I were your grandmother
genmaitya
Starting out
Posts: 26
Joined: Wed May 19, 2021 10:10 pm

Re: [RANSOMWARE] Deadbolt

Post by genmaitya »

chatchat wrote: Sat Jan 29, 2022 5:56 pm ... I activated the QuFirewall with "Basic Protection". Since then, I can't access my NAS from the local network; I can only log in from an external IP address?
Is it normal? My local IP address is 192.168.1.8 and the NAS is on 192.168.1.21. ...
Is this automatically generated?
Is "Denied IP addresses" set correctly?

Try adding "ALL IPv4 any any 192.168.1.0/24",
or
changing to "Include Subnets Only".

Is there any change?

I think that access to the management port from anywhere other than 192.168.1.0/24 should be prohibited.
Last edited by genmaitya on Sat Jan 29, 2022 7:45 pm, edited 1 time in total.
This post was created by machine translation.
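The lockout chatchat describes and the fix genmaitya suggests, modelled as an added example (this is not QNAP or QuFirewall code). It assumes rules are evaluated top to bottom with the first match deciding; the subnet and addresses come from the thread, while the management port number and the external address are constructed values.

```python
"""Added example: a top-down firewall policy model for the QuFirewall lockout.
Assumption (not from the thread): rules are evaluated top to bottom and the
first match decides. The port number and external address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MGMT_PORT = 8080            # constructed placeholder for the NAS admin port
LAN = "192.168.1.0/24"      # subnet from the thread
LAN_CLIENT = "192.168.1.8"  # the poster's PC
EXTERNAL = "203.0.113.5"    # constructed documentation-range address

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR, or "any"
    port: Optional[int]     # None matches every port

    def matches(self, src_ip: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        if self.src == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)

def decide(rules: List[Rule], src_ip: str, port: int, default: str = "deny") -> str:
    """First matching rule wins; otherwise fall back to the default action."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return default

def audit(rules: List[Rule]) -> List[str]:
    """Defender checks: LAN admins must get in, the Internet must not."""
    findings = []
    if decide(rules, LAN_CLIENT, MGMT_PORT) != "allow":
        findings.append("LAN clients are locked out of the management port")
    if decide(rules, EXTERNAL, MGMT_PORT) == "allow":
        findings.append("management port is reachable from outside the LAN")
    return findings

# The symptom reported: the local subnet ended up on the denied list while
# everything else was still allowed (LAN blocked, Internet logins work).
MISCONFIGURED = [Rule("deny", LAN, None), Rule("allow", "any", None)]
# The suggested fix: allow the LAN first, then deny the management port to all.
CORRECTED = [Rule("allow", LAN, None), Rule("deny", "any", MGMT_PORT)]

if __name__ == "__main__":
    for name, policy in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, audit(policy) or ["ok"])
```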
lousyfool
Getting the hang of things
Posts: 74
Joined: Tue Apr 20, 2021 1:45 pm

Re: [RANSOMWARE] Deadbolt

Post by lousyfool »

Ninecows80 wrote: Sat Jan 29, 2022 6:53 pm... So what's the deal from here? ...
Sorry you've been hit as well. Your questions and complaints are understandable. They've also been asked by others (and answered as far as possible) in this thread, alongside similar complaints and related comments.

At least you have backups, even if "all over the place" (which no one else can be blamed for, of course). Good luck!