[RANSOMWARE] >>READ 1st Post<< Deadbolt

TRANSCENDENTMAN
First post
Posts: 1
Joined: Wed May 04, 2022 9:48 am

Re: [RANSOMWARE] Deadbolt

Post by TRANSCENDENTMAN »

Can't find OP_Return on this transaction

bc1qdkkl0npq35lm0fds3s8nk8c0wg3dsc9f8u9z0a

Help
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Deadbolt ransomware

Post by jaysona »

Qmann wrote: Tue Feb 01, 2022 12:21 pm @jaysona,

I would love to see a sticky thread on your list thus far... Perhaps it could be updated on post one as other contribute... :DD
I have simplified my list somewhat. I just block the following QNAP related domains:
  • update.qnap.com
  • ncsi.qnap.com
  • myqnapcloud.com
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

TRANSCENDENTMAN wrote: Wed May 04, 2022 9:54 am Can't find OP_Return on this transaction

bc1qdkkl0npq35lm0fds3s8nk8c0wg3dsc9f8u9z0a
Your decryption key is: c19548c72ad04ddc8b7d26ba9707f942

QNAS604
New here
Posts: 2
Joined: Sat May 14, 2022 4:06 am

Re: [RANSOMWARE] Deadbolt

Post by QNAS604 »

@OneCD Can you determine if there is a decryption key for bc1qc0z6wuud2l25vy9vekd3udjzwdsf64zyhskcw7 ?
dolbyman
Guru
Posts: 35252
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

No transaction at all on that address:

https://www.blockchain.com/btc/address/ ... 64zyhskcw7

Sure you paid the ransom to the right address ?
togetic271
New here
Posts: 2
Joined: Mon May 16, 2022 1:03 am

Re: [RANSOMWARE] Deadbolt

Post by togetic271 »

Our NAS just got hit with deadbolt. I'm frustrated that I did not know that this was happening sooner, but hindsight is 20/20.

Couple questions:

1. Is the only realistic solution to pay the ransom? Luckily we got attacked when BC is down.

2. Assuming I pay the ransom, I refuse to connect my device to the Internet ever again. How the hell would I do the decryption?
ritters
Know my way around
Posts: 104
Joined: Fri Apr 15, 2022 4:27 pm

Re: [RANSOMWARE] Deadbolt

Post by ritters »

You do not have to pay; just reset and format everything and restore from your backup.
togetic271
New here
Posts: 2
Joined: Mon May 16, 2022 1:03 am

Re: [RANSOMWARE] Deadbolt

Post by togetic271 »

ritters wrote: Mon May 16, 2022 1:58 am You do not have to pay; just reset and format everything and restore from your backup.
Okay, then, let's make an assumption that there is no backup.
QNAS604
New here
Posts: 2
Joined: Sat May 14, 2022 4:06 am

Re: [RANSOMWARE] Deadbolt

Post by QNAS604 »

The NAS in question does not belong to me. Do we have to pay the entire ransom? Or can we obtain a decryption key with partial payment? The other post made it sound like there was some sort of decryption key available (or is this only made available upon payment?). Thanks.
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

QNAS604 wrote: Mon May 16, 2022 7:29 am The NAS in question does not belong to me. Do we have to pay the entire ransom? Or can we obtain a decryption key with partial payment? The other post made it sound like there was some sort of decryption key available (or is this only made available upon payment?). Thanks.
It seems the decryption key is only made available via the blockchain network when the whole amount is paid.

Without payment, you can’t do anything else, except wipe the NAS and restore from your backups.

If you decide to pay, it may take a day or so for the decryption key to be published.

OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

togetic271 wrote: Mon May 16, 2022 1:12 am 1. Is the only realistic solution to pay the ransom?
If you have no backups, and desperately require access to the encrypted data, then unfortunately ... yes: your only option is to pay. :(
togetic271 wrote: Mon May 16, 2022 1:12 am 2. Assuming I pay the ransom, I refuse to connect my device to the Internet ever again. How the ** would I do the decryption?
I don't think your NAS requires access to the Internet to perform the decryption (someone please correct me if this is wrong.)

Please note: this problem didn't happen because your NAS had access to the Internet: it happened because the Internet had access to your NAS. This may sound like the same thing, but there’s a difference.

It really comes down to which side starts the conversation:
  • If your NAS starts a conversation with another device on the Internet, this is usually safe (unless that specific Internet device is malicious).
  • But if a device on the Internet is able to start a conversation with your NAS (because your router has active port-forward rules that allow this), this is when the hacking begins.
It has long been the practice of this community forum to advise against allowing access to your NAS from the Internet, and with good reason. QNAP NAS have an awful history of being hacked when exposed to the Internet.

So, disable UPnP in your router and NAS, and don't forward any ports from the Internet to your NAS.

If you need remote access to your LAN (including your NAS) from the Internet, create a VPN server instance inside your router, and ensure any devices external to your LAN authenticate with the VPN server first before they can see your LAN. This is a free service you run yourself, and does not require a paid (commercial), anonymising VPN service.

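The distinction OneCD draws above (the NAS starting a conversation versus the Internet starting one) can be checked on the box itself. The following is an added example, not code from the original thread or from QNAP: it parses output in the shape of `ss -tn` on the NAS and flags every established session that a non-LAN host opened to one of the NAS's listening ports. The sample lines, the NAS address 192.168.1.50 and the listening-port set are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample shaped like `ss -tn` output on a NAS at 192.168.1.50.
# Addresses are hypothetical (RFC 5737 documentation ranges), not from the thread.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.50:8080    203.0.113.7:51344
ESTAB  0      0      192.168.1.50:52210   198.51.100.20:443
ESTAB  0      0      192.168.1.50:445     192.168.1.23:61002
ESTAB  0      0      192.168.1.50:22      203.0.113.9:40011
"""

# Ports the NAS listens on (assumed for the example: SSH, SMB, QTS web UI).
LISTENING = {22, 445, 8080, 8443}

# LAN ranges are checked explicitly rather than via ipaddress.is_private,
# because Python also classes the RFC 5737 documentation ranges as private.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def on_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def classify(local_port, peer_ip):
    """Who started the conversation: a session on one of our listening ports
    was opened by the peer; any other session was opened by the NAS."""
    if local_port in LISTENING:
        return "lan-initiated" if on_lan(peer_ip) else "internet-initiated"
    return "nas-initiated"

def internet_initiated_sessions(ss_output):
    """Return (local_port, peer_ip) for each session the Internet opened to us."""
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header or unparsable line
            continue
        local_port, peer_ip = int(m.group(2)), m.group(3)
        if classify(local_port, peer_ip) == "internet-initiated":
            hits.append((local_port, peer_ip))
    return hits

if __name__ == "__main__":
    for port, peer in internet_initiated_sessions(SAMPLE):
        print(f"Internet host {peer} opened a session to NAS port {port}")
```

Any hit means a port-forward or UPnP mapping on the router is letting the Internet reach the NAS directly; the outbound session to port 443 and the LAN client on 445 are not reported.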
agesofman
New here
Posts: 4
Joined: Thu May 24, 2018 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by agesofman »

I am another klutz who has just been hit by a Deadbolt attack.
Like earlier posts, I too am very frustrated that as a normal end user I was not informed by QNAP of this vulnerability; a simple email from QNAP would have sufficed.
I have the great majority, but not all, of my files backed up but stupidly kept a record of where backups are on the NAS drive! I assumed my PC was more vulnerable than the NAS drive!

OK, my questions:
1) There are some posts on the web that seem to indicate you can recover files, that hackers have released the decrypt key, and that Emsisoft have an app that decrypts.
eg https://portswigger.net/daily-swig/decr ... s-infected
https://www.emsisoft.com/ransomware-dec ... s/deadbolt
Real or more pain?

2) I have updated the NAS firmware to the latest version and disabled UPnP, but note an earlier post that states 'do not forward any ports from internet to NAS'.
How do I check the same and disable ports if required?

3) An earlier post gave a decrypt key - am I correct in assuming this is unique to that single attack and would not help me with my attack?
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

agesofman wrote: Mon May 16, 2022 5:36 pm There are some posts on the web that seem to indicate you can recover files, that hackers have released the decrypt key, and that Emsisoft have an app that decrypts.
If you have bought your decryption key, the Emsisoft tool can help you with the decryption.
How do I check the same and disable ports if required?
That is done in the router. Unless you or someone else who has administrative access to your router/firewall has forwarded ports to the internet, no ports should be open.
3) An earlier post gave a decrypt key - am I correct in assuming this is unique to that single attack and would not help me with my attack?
You are correct.
RAID has never been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without a backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
agesofman
New here
Posts: 4
Joined: Thu May 24, 2018 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by agesofman »

Thanks for really prompt reply P3R.

I also found this QNAP post that enabled me to make sure the NAS drive cannot be accessed from the internet:
https://www.qnap.com/en/security-news/2 ... e-qnap-nas

Sad that I had to disable a feature that was useful though :(
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

agesofman wrote: Tue May 17, 2022 6:09 am Sad that I had to disable a feature that was useful though :(
What did you disable that you can't re-establish via a secure VPN connection?
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]