[RANSOMWARE] >>READ 1st Post<< Deadbolt

gabell
New here
Posts: 4
Joined: Mon Aug 14, 2017 12:59 am

Re: [RANSOMWARE] Deadbolt

Post by gabell »

Well, having been hit by COVID for the last 2 weeks, to be hit by DEADBOLT is taking the biscuit.....
Machine completely hacked by Deadbolt. All files and backup disk attached to USB are encrypted. Even a mounted samba share on another machine has been attacked by way of the Qnap having access to this share. The only thing that doesn't seem to be encrypted is the QVR Pro recorded files on my two NVMe's.
What is the best way to start from scratch ?
Is anything salvageable ?
Do I risk deleting only the encrypted files and leave QVR-pro setup as is?
Really disappointing..... forums suggest QNAPs are insecure and should not have anything accessible from the internet..... if so, what's the point with any qnap apps... ???

Is there a simple guide/instructions that detail how to set up from scratch with nothing exposed to the internet.
Was considering jumping ship to Unraid or TrueNas, but I have 4 cams running in QVR-PRO which is about as easy as it gets and i've just purchased the Smart Search function..............

Any help or direction appreciated..
gabell
New here
Posts: 4
Joined: Mon Aug 14, 2017 12:59 am

Re: [RANSOMWARE] Deadbolt

Post by gabell »

I'm gonna have to take a risk....... I had my old nas (about 2 month old) with my precious data..... great I thought...I'll boot that up with no ethernet and connect direct to monitor and keyboard/mouse. Only to be told on the screen, I need to connect to the internet to download HDStation or something, so that I can view the NAS from the HDMI output..... What a going on..... I have to expose my system to the web, to be able to get at it and set security up like no UPNP to see if my old data is there..... in the mean time...expose it such that DEADBOLT can have another go..... WOW
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

If you connect the NAS only to an internal LAN there is no need for an HDMI connection!
You can set up and access all data.
A how-to for setting up from scratch is here: viewtopic.php?f=45&t=164887.

To be clear: you do NOT need to expose the NAS to the web to find out if old data is available!

Just pull out the WAN line from the router if you are unsure. But even with WAN plugged in, the NAS is not exposed as long as no port forwardings, UPnP settings, myQNAPcloud or any other of these nasty beasts exist.
Access FROM NAS TO web is not the same as access FROM web TO NAS. Only the latter is called "exposed".

Regards
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [RANSOMWARE] Deadbolt

Post by Moogle Stiltzkin »

FSC830 wrote: Sun Mar 20, 2022 6:38 pm
If you connect the NAS only to an internal LAN there is no need for an HDMI connection!
You can set up and access all data.
A how-to for setting up from scratch is here: viewtopic.php?f=45&t=164887.

To be clear: you do NOT need to expose the NAS to the web to find out if old data is available!

Just pull out the WAN line from the router if you are unsure. But even with WAN plugged in, the NAS is not exposed as long as no port forwardings, UPnP settings, myQNAPcloud or any other of these nasty beasts exist.
Access FROM NAS TO web is not the same as access FROM web TO NAS. Only the latter is called "exposed".


Regards
like u said, not to be exposed means, not to portforward and making sure upnp disabled on router/qnap. and having appropriate router settings, most by default are safe, pfsense stock setting is safe, just change password and usually thats enough to be ok to use without worry (just update it regularly).

but if his nas is suspected to already have been infected, then what he should have done is just do a proper disinfection, pull out the drives and then do factory reset/reinitialize (not sure if necessary, but possibly reflash dom as well?). Then once that is all done, recover data from a backup elsewhere.

If no backup.... this is what he should have in place for next time :S or the same problem will happen. if the data is precious, then it's worth investing in a backup. raid is not a backup by itself. the data you want backed up needs to be stored on 2 separate storage devices e.g. 2 nas, 1 nas 1 cloud remote backup, 1 nas with external usb backup as an example
https://www.reddit.com/r/qnap/comments/ ... _a_backup/


hdmi not needed..... the fact you use hdmi sounds like you are accessing the nas locally. Usually local access people use ethernet from the qnap to the switch connected to the rest of your devices on your local lan. Then to access, you do so via smb file explorer to the shares, or the qnap web admin ui.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
gabell
New here
Posts: 4
Joined: Mon Aug 14, 2017 12:59 am

Re: [RANSOMWARE] Deadbolt

Post by gabell »

Thanks guys. Was just using local HDMI for the old NAS to ensure it wasn't connected to anything .....

As regards backup, yes I need to rethink this.
My setup was.....
Qnap 4 bay, with 4 x 8GB HDD's in a raid 10 config, plus a 4TB external USB for backups.
Plus an Unraid server on the same network to also backup important files from the Qnap to the Unraid.
I thought I had covered all the bases, but obviously not.
I Made the fatal mistake of using HyBrid Mount to mount the shares on the Unraid........ARGHHHH
Qnap became infected with DeadBolt, which encrypted my backups on the USB disk and the Shares on the Unraid, all because the Qnap had access to them all.....
So I think I was over protected for a possible hardware failure, but NOT for a ransom attack.
Luckily, My Qnap 4 bay (i3) had only just been set up 4 weeks ago and replaced an old celeron 4 bay (TS-453B, which I had put to one side ready to sell), so i've managed to get the old nas up and running - no internet connection and using the HDMI output locally, to pull off all my files onto multiple usb hard disks ready for a rebuild/reset of the new 4 bay nas.

My biggest question now, is do I trust the Qnap, or do I look at installing TRUENAS or UNRAID directly on it.

I'm still in the process of getting the data off the old NAS, haven't even started anything on the new NAS other than powering down... I think I'm going to be busy for the week trying to get back to normality, and then praying it doesn't happen again....
Last edited by gabell on Sun Mar 20, 2022 10:49 pm, edited 1 time in total.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] Deadbolt

Post by Skwor »

QNAP is fine, keep it off the open net, practice good security habits (which you should do the same for Truenas or Unraid anyway).
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
gabell
New here
Posts: 4
Joined: Mon Aug 14, 2017 12:59 am

Re: [RANSOMWARE] Deadbolt

Post by gabell »

cheers
Nabo_23
New here
Posts: 2
Joined: Sun Mar 20, 2022 5:52 am

Re: [RANSOMWARE] Deadbolt

Post by Nabo_23 »

Thank you, now is there a way to completely stop the encryption? I have over 40TB of information on my server. I believe the virus was running for about an hour and to my understanding it can take up to 5 hours to encrypt 1 tb. Is this correct? As of right now that my system is off, and I am asking if there is a way to stop the encryption so that I can assess the damage before considering the ransom. I have backups of most stuff so stopping the encryption and getting rid of encrypted files might not be very painful at this point.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

According to other posters, the encryption stops if the NAS is rebooted.
I do not have experience with this myself as I am not affected.

Regards
roycegerikchua
New here
Posts: 2
Joined: Mon Mar 21, 2022 10:50 am

Re: [RANSOMWARE] Deadbolt

Post by roycegerikchua »

hi where can i find the deadbolt address it was removed by the malware remover and i need to pay them to get my files back.
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

roycegerikchua wrote: Mon Mar 21, 2022 10:54 am hi where can i find the deadbolt address it was removed by the malware remover and i need to pay them to get my files back.
Hope this helps: https://www.qnap.com/en/how-to/faq/arti ... t-password

roycegerikchua
New here
Posts: 2
Joined: Mon Mar 21, 2022 10:50 am

Re: [RANSOMWARE] Deadbolt

Post by roycegerikchua »

OneCD wrote: Mon Mar 21, 2022 10:57 am
roycegerikchua wrote: Mon Mar 21, 2022 10:54 am hi where can i find the deadbolt address it was removed by the malware remover and i need to pay them to get my files back.
Hope this helps: https://www.qnap.com/en/how-to/faq/arti ... t-password
Will this not make a new wallet address? i'm afraid of paying for it then getting the wrong password because i was unable to take note of the original attack page.
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

No, it reinstates the original page (and address).

Declankh
First post
Posts: 1
Joined: Sun Mar 20, 2022 10:26 am

Re: [RANSOMWARE] Deadbolt

Post by Declankh »

I currently have my nas powered down to stop further encryption.
Can anyone *confirm* either way if I reboot will the encryption resume?

I'd like to assess how many files have been encrypted but don't wish to make matters worse.

Has anyone got any neat script to count impacted files

I guess i could do something basic like

find / -name '*.deadbolt' -ls | wc -l

but if anyone has something more sophisticated that would be great
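
A fuller version of the count asked for in the post above, as an added example that is not from any poster in this thread: it only reads the filesystem and reports, per top-level directory of a root you pass in, how many files carry the .deadbolt suffix out of the total. The function names are made up for this example, and the root path is whatever holds your shares (it also works on drives mounted on another machine).

```shell
#!/bin/sh
# Added example (not from the thread): read-only count of files carrying the
# .deadbolt suffix, broken down per top-level directory of a chosen root.

# Count regular files under $1 that match the find tests in the remaining args.
# One dot is printed per file, so odd names (spaces, newlines) count once each.
# -xdev keeps find on one filesystem, so /proc, /sys and other mounts are skipped.
count_files() {
    dir=$1; shift
    n=$(find "$dir" -xdev -type f "$@" -exec printf '.%.0s' {} + 2>/dev/null | wc -c)
    echo "$((n))"
}

# Print "<encrypted> <total>" for one directory tree.
deadbolt_count() {
    echo "$(count_files "$1" -name '*.deadbolt') $(count_files "$1")"
}

# Per-directory report: name, encrypted count, total count, percent encrypted.
deadbolt_report() {
    root=${1:?usage: deadbolt_report DIR}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        set -- $(deadbolt_count "$d")      # $1 = encrypted, $2 = total
        pct=0
        [ "$2" -gt 0 ] && pct=$(( $1 * 100 / $2 ))
        printf '%-30s %8d / %-8d %3d%%\n' "$(basename "$d")" "$1" "$2" "$pct"
    done
}
```

Call it as `deadbolt_report /path/to/data/root`; a directory showing 0% was not reached before the NAS was powered off.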
Spydyr
First post
Posts: 1
Joined: Thu Mar 24, 2022 1:09 am

Re: [RANSOMWARE] Deadbolt

Post by Spydyr »

I have a quick question for anyone. Since my NAS was hit with Deadbolt and it was my Plex media server, how is it that the media is encrypted and yet my Plex still plays the videos fine? I can't get the files (to play) on Windows, but Plex has no issues??? I do not have a cloud backup of any videos, so I'm either stumped, or there is some nifty way Plex decrypts these files for playing. Just curious as it would give me insight to recovering other files lost on this server. I shut it down so I could take drive by drive for RAID recovery currently.

QNAP TS-469 Pro 4x6Tb RAID 5 (not hit)
QNAP TS-453 Pro 4x10Tb RAID 5 (Deadbolt down)