[RANSOMWARE] >>READ 1st Post<< Deadbolt

Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

P3R wrote: Sat Jan 29, 2022 7:59 am myQNAPcloud Link isn't the same as the myQNAPcloud DDNS service that you think it is. myQNAPcloud Link is cloud access to the Qnap so it's a completely different service with a different attack surface. It's better than direct exposure but it isn't what I would recommend either as it's Internet access to the NAS operated by Qnap.
I know. I said that because I seem to recall that myQNAPcloud DDNS requires myQNAPcloud, at least initially. And therefore I recommended that you use any other DDNS provider.
P3R wrote: Sat Jan 29, 2022 7:59 am And that will be effective long-term because luckily the bad guys are too stupid to use a VPN-service and also absolutely will never have access to global botnets that would allow them to attack natively from any country they wanted? You're only buying time...
I would recommend that you re-read what I put. We are talking, again, about indiscriminate attacks that seek the greatest possible impact in the shortest time (before the entry vector is identified and patched). No one is going to spend even 1 minute trying to infect someone in particular, unless they are a specific target with name/surname looking for something specific. There is no hacker monitoring the millions of hosts they try to infect one by one. You just try to send to as many IPs as possible, sometimes to a specific company, an AS or even a country, but that's it.

It is not a question of whether the hackers use a proxy/VPN server to carry out the attacks, or even the botnets they use, it is a statistical case. More than 70% of exploit traffic originates from China and Russia. It doesn't matter if they do it from there by direct connections or using proxy servers/VPN/botnets from there. If we add to the list the USA, the Emirates and some other country on the periphery of Russia, we have more than 90%. That means unless you live in one of the more "evil" countries, you're reducing any risk massively. Moreover, even living in one of the most complicated countries, you would also be reducing the risk considerably.

P3R wrote: Sat Jan 29, 2022 7:59 am It's too much money in this criminal industry as so many are willing to pay the ransom to stop here. The criminals will continue even when it mean they have to use a little more effort to get that money. When there aren't thousands of users on port 443 any more (and at this rate they disappear by the hour when they become infected), the criminals will adapt. They will use bots that search for and build databases of targets using non-default ports.
No. Then you totally do not know how these attacks are carried out. Obviously they will be trying to attack the usual Web ports on each destination, they are not stupid, not just 8080. It is very likely that they are trying 8080/80/443, even 8081/8082. Yes, it's true, there are botnets that constantly scan destinations for ports and services, but excluding (again) targeted attacks, those scanners are essentially limited to known ports and little else. Again it is a matter of numbers. Which would you rather, let's say you put a botnet to work for an hour, discovering 100 different destinations with port 80 open or a single destination with 2 high unknown ports open? (times are just an example, I just want to illustrate why it's not done)

Precisely because the aim is to maximize economic profit, it is infinitely more lucrative to invest time in sending it to as many destinations as possible on a couple of ports, than to send the exploit to thousands of ports on the same address. Not to mention that most likely those that use default ports are generally much more careless about security.
P3R wrote: Sat Jan 29, 2022 7:59 am The difference between us is that you base your advice on what the criminals have done and do today. You still think that if you just hide a little you're safe. Qnap have tried to recommend that ostrich tactic as well...
Me and several other oldtimers here have said that Qnap software isn't hardened enough to be directly exposed on the Internet since long before QSnatch (revealed late 2019 but started much earlier).
Your advice will probably buy users some months, maybe a year. It will give them hope that they can continue what they're doing and in the end it will lead to even more victims when that bubble burst as well. Ooops!
You're wrong. I have not said that a port change or a region lock makes you safe. I have said that it greatly reduces any possible risk, and that in the end, whatever we do, we are always assuming a risk, as a result of usability/services/features. Whether it's using a VPN, whether it's having the phone connected to the Internet, using a Web browser...

I will never tell anyone what they should do. We totally agree that if you don't take a car you can't have a car accident (leaving aside the joke that you can always get hit by one). There will be many that this is enough to never have a car, and there will be many others who will take the risk, I understand perfectly. On the other hand, of those who take the risk, some will not even know how to drive, others will be geniuses behind the wheel, others F1 drivers!! But everyone who takes the risk of having a car will not have to walk to places. Everyone decides.
P3R wrote: Sat Jan 29, 2022 8:03 am Yes, all communication has risks but to call well established VPN technologies a risk in comparison to a directly exposed Qnap is absolutely ridiculous. That Qnap managed to even mess up a VPN-service shouldn't be seen as a problem with the underlying technology but again, with their implementation.
As always happens, 99% of the time it is a bug in the implementation, not in the protocol/system itself. You say that it is more dangerous to expose a port on the NAS than a VPN server? Well, that depends. If both have an exploit that allows access, in the first case you will have access only to the NAS, in the second case you will have (potential) access to the entire network. In fact, an exploit that affects a VPN server sells on the black market for infinitely more than an exploit on a NAS. And better not to even go into the fact that, as has been seen even in this same thread, more than one person uses PPTP.

It is highly contradictory to say that you can never trust A, which exposes a single device, but you can trust B, which potentially exposes the entire internal network. VPN accesses are by far the most delicate services out there, with which you have to be more careful, precisely because of the access they grant.
Last edited by Theliel on Sat Jan 29, 2022 8:04 pm, edited 1 time in total.
lousyfool
Getting the hang of things
Posts: 74
Joined: Tue Apr 20, 2021 1:45 pm

Re: [RANSOMWARE] Deadbolt

Post by lousyfool »

chumbo wrote: Sat Jan 29, 2022 7:30 pm
QNAPDanielFL wrote: Sat Jan 29, 2022 6:39 am The encryption should not continue if you turn the NAS back on after it has been turned off.
I just don't feel comfortable with the should part. Is there further info on this? My NAS has been off for the last 3 days since this started and I haven't dared to turn it on for that very reason!
So, is there a general consensus that it's safe to turn the NAS back on and that the encryption won't resume (while keeping the NAS offline of course)?
Thanks!
Reading this thread, you'll likely find that no one is able or willing to guarantee you anything in this regard, at least at this point.
So, it appears wise to treat it "worst case": follow instructions given here by listing running processes and killing the DeadBolt one immediately after booting up. Then proceed with your best option.
Or, if you have a backup or are not willing to pay the ransom, nuke the NAS and rebuild it from scratch.
Ninecows80
Starting out
Posts: 33
Joined: Sat Nov 20, 2021 2:23 am

Re: [RANSOMWARE] Deadbolt

Post by Ninecows80 »

lousyfool wrote: Sat Jan 29, 2022 7:44 pm
Ninecows80 wrote: Sat Jan 29, 2022 6:53 pm... So what's the deal from here? ...
Sorry you've been hit as well. Your questions and complaints are understandable. They've also been asked by others (and answered as far as possible) in this thread, alongside similar complaints and related comments.

At least you have backups, even if "all over the place" (which no one else can be blamed for, of course). Good luck!
Well... I see a lot of frustrated people in the thread and a lot of useless blaming back and forth. Obviously most people are still just guessing here. That's understandable. And then quite a few people are going down the "pay the ransom" route, which I would absolutely not do. Not blaming those who need to of course. Sorry for those. That's just not an option for me.

Anyway, the backup is not really "all over the place". It's on a JBOD in an Icybox something and the file & folder structure per main folder (e.g. Multimedia) is the same as on the NAS. The only difference is that on the NAS everything is encrypted and has deadlock as file-type, and that there are files on the NAS that are NOT on the backup (because it's not that recent).

So any guidance to a non-tech savvy on how to proceed?

I can connect the back up JBOD to the nas (TS-453A) directly with USB 3.

First thing should be to do some kind of write protection I guess on the backup? Don't know how exactly? Can I somehow mount an external drive as (temporarily) write-protected? Obviously I need to be able to back up to that thing again and would prefer that it should not chew through all the files more than needed...

Then it should start going through and if it finds a deadlock file where there's an unencrypted twin on the backup the deadlock file should be overwritten.
If there's a deadlock file without a backup it should just stay untouched and preferably keep the deadlock name so I know it's encrypted for the odd chance that QNAP or others at some point can fix this.

I'm guessing such a script or job would benefit many people?

We're talking about 1000s of movies and TV shows here. And a lot of music as well... Any way I can do this efficiently?

I have started manually with many of the old documents and backups from previous computers doing it through macOS, but it fails frequently with some error -50. I suspect that there is some file-sharing-rights that might be causing this, but I have honestly no idea.

Thanks in advance and good luck to all of you out there...
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

Ninecows80 wrote: Sat Jan 29, 2022 9:24 pm So any guidance to a non-tech savvy on how to proceed?

I'm guessing such a script or job would benefit many people?

We're talking about 1000s of movies and TV shows here. And a lot of music as well... Any way I can do this efficiently?

I have started manually with many of the old documents and backups from previous computers doing it through macOS, but it fails frequently with some error -50. I suspect that there is some file-sharing-rights that might be causing this, but I have honestly no idea.

Thanks in advance and good luck to all of you out there...
I understand the procedure you would like to take. Making a script for it is easy and we can make one without much trouble. The only problem (and a big one) that I see here is that due to the large number of unknowns that we still have, not wiping all the NAS could have consequences later. Quite possibly not, but a backdoor or safeguard could have been left in place by hackers.

In my opinion, perhaps the best strategy in your case would be to do it the other way around. Copy all encrypted files from the NAS (that do not exist in the main external copy), completely clean the NAS, and copy back to the NAS what you want.
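A restore script of the kind Ninecows80 asks for (and Theliel says is easy to write), added here as an example and not code from the thread or from QNAP. It assumes the encrypted files are the original name plus a ".deadbolt" suffix and that the backup tree mirrors the NAS folder layout; its "unrecovered" list is also the set of files Theliel proposes copying off the NAS before wiping it.

```shell
#!/bin/sh
# Added example (not from the thread): restore Deadbolt-encrypted files
# from a clean backup that mirrors the NAS folder layout.
# Assumptions: the encrypted copy is the original name plus the suffix
# in EXT (".deadbolt" is the suffix the ransomware appends; change it if
# yours differs). The backup tree is only ever read, so mount it
# read-only first, e.g. mount -o remount,ro <backup mountpoint>.
# Filenames containing a newline are not handled by the find|read loop.
EXT="${EXT:-.deadbolt}"

# deadbolt_restore NAS_DIR BACKUP_DIR [dry]
# For each *$EXT file under NAS_DIR: if BACKUP_DIR holds the plain twin,
# copy it back under the original name and delete the encrypted copy;
# otherwise leave the encrypted file untouched (it keeps its suffix so
# it is still recognisable later). Writes two lists in NAS_DIR:
# deadbolt-restored.txt and deadbolt-unrecovered.txt; the latter is
# exactly what still needs a key, or what to copy off before wiping the
# NAS. A third argument "dry" only reports and changes nothing.
deadbolt_restore() {
    nas="$1"; bak="$2"; dry="${3:-}"
    [ -d "$nas" ] && [ -d "$bak" ] || {
        echo "usage: deadbolt_restore NAS_DIR BACKUP_DIR [dry]" >&2; return 2; }
    done_list="$nas/deadbolt-restored.txt"
    todo_list="$nas/deadbolt-unrecovered.txt"
    : > "$done_list"; : > "$todo_list"
    find "$nas" -type f -name "*$EXT" | sort | while IFS= read -r enc; do
        rel="${enc#"$nas"/}"          # path relative to the NAS root
        plain="${rel%"$EXT"}"         # original name, suffix stripped
        src="$bak/$plain"; dst="$nas/$plain"
        if [ -f "$src" ]; then
            if [ -z "$dry" ]; then
                # copy first; delete the encrypted file only if the copy succeeded
                cp -p "$src" "$dst" && rm -f "$enc"
            fi
            echo "$plain" >> "$done_list"
        else
            echo "$plain" >> "$todo_list"
        fi
    done
    echo "restored: $(wc -l < "$done_list") unrecovered: $(wc -l < "$todo_list")"
}

# Usage (paths are illustrative):
#   sh restore.sh /share/Multimedia /share/external/backup/Multimedia dry
if [ $# -ge 2 ]; then deadbolt_restore "$@"; fi
```

Run it with "dry" first and read deadbolt-unrecovered.txt before letting it touch anything.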
Various6
New here
Posts: 3
Joined: Fri Jan 28, 2022 6:44 pm

Re: [RANSOMWARE] Deadbolt

Post by Various6 »

It's a shame for QNAP support that they don't answer any questions on the help desk... Lost all snapshots after their advice and didn't recover all files (especially Docker databases that are very important for me)... On QNAP tech days they advertised snapshots like something that is unable to break/cipher and generally immortal, now I see they're talking **.
luckydekko
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:12 am

Re: [RANSOMWARE] Deadbolt

Post by luckydekko »

Saw this on the BleepingComputer forum in case someone didn't see it.

“Demonslay335:

We have released a decryptor for DeadBolt that requires your key from the OP_RETURN after paying the criminals.

The tool will only run on Windows, and you'll need to have your encrypted data accessible as a mounted drive.”

https://www.emsisoft.com/ransomware-dec ... s/deadbolt


So only usable if you have paid and have a key from our new best friends.
rudycloud
Starting out
Posts: 24
Joined: Fri Jan 08, 2016 12:19 pm

Re: [RANSOMWARE] Deadbolt

Post by rudycloud »

Various6 wrote: Sat Jan 29, 2022 10:31 pm It's a shame for QNAP support that they don't answer any questions on the help desk... Lost all snapshots after their advice and didn't recover all files (especially Docker databases that are very important for me)... On QNAP tech days they advertised snapshots like something that is unable to break/cipher and generally immortal, now I see they're talking **.
Can I ask what happens when you restore from a snapshot? The old ones are deleted due to no more space left? Did you try to make those snapshots "permanent" before restoring? Did you make a new snapshot of the current drive before restoring (such that it caused a no-more-space issue)?

Just want to know why a snapshot can be unintentionally deleted
nomoqn@p
New here
Posts: 7
Joined: Sat Jan 29, 2022 5:14 am

Re: [RANSOMWARE] Deadbolt

Post by nomoqn@p »

darcon wrote: Sat Jan 29, 2022 10:08 am
nomoqn@p wrote: Sat Jan 29, 2022 9:06 am
I agree completely. I too have been hit by deadbolt. Fortunately, I do backup, unfortunately, not super-regularly, so I'm debating whether I've lost anything critical enough to warrant paying the ransom. I had no idea that one of the stated functions of the NAS would expose me to this malware; I was simply using it as advertised. And I don't see any critical alerts in my inbox from QNap. If changing these settings was such a critical security issue, I'd expect an email that says something to that effect in the subject line. Instead I get subject lines that talk about new apps available and the like. I'm not an IT person, so I'm not reading each of these newsletters where maybe this critical bit of news was buried.

Someone earlier in the thread compared setting the NAS to be exposed to the internet to be like driving a car at 100 miles an hour into a wall. That's not a good analogy since cars aren't advertised as being good for that. A better analogy would be you're driving your car at 55, turn on the radio and the car dies. You can then patch it up, but now you don't know what will happen when you use a turn signal or your high beams. In my opinion, the blame for this falls squarely at QNap's feet. They should do the right thing and get the universal key, but I'm sure they won't. I have no faith in the company at this point, nor in the security of their devices. My new Synology box is already here and I'm setting it up to replace the QNap. Do I expect it to be more secure? Hopefully, but it's hard to be worse...
It's fine if you want to expose your box, that's your call. Just know it can all go down in flames if something goes wrong and backup accordingly. You should also keep up on the happenings on whatever product you are using. Sadly, you can't just set and forget stuff that's internet facing anymore. You have to ensure timely patching and sometimes take action during an attack to protect your assets. Even then, you can do everything right and sometimes it's just not your day.

If you do want to forward ports, look into proxying your traffic through CloudFlare, it's free to do so. If you are tech minded you will be able to figure it out, there are plenty of guides out there. Not sure if it would've helped in this particular attack though. It doesn't work for every service (eg WireGuard), but most will tolerate it just fine.
If I had been aware of the risk, I would have taken the appropriate steps to secure my box. 'If' being the key word. QNap never sent out an urgent notice advising people to change their settings, at least to the best of my knowledge. As to keeping up on the happenings on whatever product I am using, that's just not possible nor even reasonable. I do not check before I go out for a drive that there isn't a new recall on my car or tires, nor do I constantly check that my refrigerator, stove, etc haven't had some notice issued on them. Most people don't even check their tire pressure (other than trusting their TPMS, if they have one) and oil before going out for a drive even though it's advised that you do. My computers regularly update themselves, and though I often postpone those updates, I would never postpone a critical security one. Yet here's a situation where, presuming the company was aware of the risks, which it seems they were, they could simply have sent out an email. My NAS is registered, so they have my email address, as my inbox that has regular pat-themselves-on-the-back newsletters will attest.

The NAS was promoted as an easy way for relatively non-technical people to have a large amount of storage on a network device with remote access. It has failed spectacularly.
Ninecows80
Starting out
Posts: 33
Joined: Sat Nov 20, 2021 2:23 am

Re: [RANSOMWARE] Deadbolt

Post by Ninecows80 »

Theliel wrote: Sat Jan 29, 2022 10:23 pm
Ninecows80 wrote: Sat Jan 29, 2022 9:24 pm So any guidance to a non-tech savvy on how to proceed?

I'm guessing such a script or job would benefit many people?

We're talking about 1000s of movies and TV shows here. And a lot of music as well... Any way I can do this efficiently?

I have started manually with many of the old documents and backups from previous computers doing it through macOS, but it fails frequently with some error -50. I suspect that there is some file-sharing-rights that might be causing this, but I have honestly no idea.

Thanks in advance and good luck to all of you out there...
I understand the procedure you would like to take. Making a script for it is easy and we can make one without much trouble. The only problem (and a big one) that I see here is that due to the large number of unknowns that we still have, not wiping all the NAS could have consequences later. Quite possibly not, but a backdoor or safeguard could have been left in place by hackers.

In my opinion, perhaps the best strategy in your case would be to do it the other way around. Copy all encrypted files from the NAS (that do not exist in the main external copy), completely clean the NAS, and copy back to the NAS what you want.
Thanks :-)

Well... I don't have enough hard-drive space to do such a trick. Neither do I know how to copy only those that are not available on the backup... apart from manually going through the files. I am willing to take the risk of having to redo it all in case they left a back-door. As long as I have my original back-up and can mount that as write-protected.
dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

QNAP only knew about deadbolt AFTER hundreds if not thousands of units were compromised....

We still don't know the infection vector, but the attacker claimed a 0day. That's by definition something a manufacturer does not know about beforehand...

Oh and now that QNAP is pushing out "recommended" updates to NAS units..you have tons of people complaining about that...
Kim28
New here
Posts: 2
Joined: Sat Jan 22, 2022 7:04 am

Re: [RANSOMWARE] Deadbolt

Post by Kim28 »

genmaitya wrote: Sat Jan 29, 2022 10:15 am
darcon wrote: Sat Jan 29, 2022 5:49 am I'm new to QNAP, and I'm just curious if they have ever said it was okay to open the admin port to the internet? I know they don't recommend it now, just wondering if that's a new thing. I believe a lot of this is just QNAP being slow to adjust to the ever changing security landscape, and their customers are paying the price.

I do have a degree in CS and was not affected by this attack. I knew from experience what was a good idea and what wasn't. Most people aren't in IT and don't deal with cybersecurity on a daily basis. They rely on QNAP for that, and QNAP is failing.

I expose services (Nextcloud, Plex, WireGuard) on my Unraid NAS. I leverage a reverse proxy, LE, proxy everything through CloudFlare which does my Geoblock/WAF/misc traffic rules, and sandboxed containers. Just to show how safe I feel this setup is, I use my QNAP (LAN only) for daily scheduled backups, also have a few big external HDD's that I manually plug in for weekly backups, and finally I back up to tape once every month or so. This is excessive, the gear was free for me, so why not. Backing up your data to external hard drive(s) is sufficient. This is not trivial to setup (or maintain), but it shows what needs to be done to keep your data safe. Now, if my house gets hit by a tornado I'm screwed, but I'll take that risk. I have never had an issue with exposing these services, I won't be surprised if it happens though.
Using myqnapcloud exposes the management port to the internet.
In addition, it is easy to find from others.
For this reason, QNAP recommends using a VPN when using from the Internet (on the blog) :D
https://blog.qnap.com/nas-internet-connect-en/
I'm new with the Qnap NAS and networking. I must be missing something with QNAP recommending that you turn off port forwarding on the router. I have been using QBelt for VPN which seems to require port forwarding? Am I missing something?
dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

yes..you are missing that even qnap vpn programs had security vulnerabilities in them (mentioned several times in this thread)...do not forward any ports to the nas..use a different vpn server (router/firewall/raspi)
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

Kim28 wrote: Sat Jan 29, 2022 11:13 pm I'm new with the Qnap NAS and networking. I must be missing something with QNAP recommending that you turn off port forwarding on the router. I have been using QBelt for VPN which seems to require port forwarding? Am I missing something?
According to the email I got from them on 1/26 they are only asking to not forward the admin page (default ports 443,8080). At least that's how it reads.

Still better to use a different device for your VPN access. Using a Raspberry Pi for VPN access is recommended quite frequently, but there is some setup required.
WilcoNL
New here
Posts: 3
Joined: Thu Jan 27, 2022 8:36 pm

Re: [RANSOMWARE] Deadbolt

Post by WilcoNL »

Anyone tried Qrescue?
WilcoNL
New here
Posts: 3
Joined: Thu Jan 27, 2022 8:36 pm

Re: [RANSOMWARE] Deadbolt

Post by WilcoNL »

Running PhotoRec right now (before running Qrescue). First time I use this. Didn't know about this before.

Now recup_dir folders are appearing on my external drive, where I can see jpg files AND I can open them. Fingers crossed while this process is going on.