[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- First post
- Posts: 1
- Joined: Wed May 04, 2022 9:48 am
Re: [RANSOMWARE] Deadbolt
Can't find OP_Return on this transaction
bc1qdkkl0npq35lm0fds3s8nk8c0wg3dsc9f8u9z0a
Help
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Deadbolt ransomware
I have simplified my list somewhat. I just block the following QNAP related domains:
- update.qnap.com
- ncsi.qnap.com
- myqnapcloud.com
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
- OneCD
- Guru
- Posts: 12163
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
TRANSCENDENTMAN wrote: ↑Wed May 04, 2022 9:54 am Can't find OP_Return on this transaction
bc1qdkkl0npq35lm0fds3s8nk8c0wg3dsc9f8u9z0a
Your decryption key is: c19548c72ad04ddc8b7d26ba9707f942
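OneCD read the key out of the OP_RETURN output of the transaction tied to that address. The following is an added example, not code from this thread or from any forum member, showing how to pull OP_RETURN payloads out of a raw transaction (the hex a block explorer or `bitcoin-cli getrawtransaction` returns) so you do not depend on an explorer's rendering of it. The transaction it parses is constructed locally with a dummy input and a made-up 32-character payload in the shape of the key quoted above; it is not a real Deadbolt transaction, and `build_sample_tx` exists only to produce that offline test input.

```python
"""Extract OP_RETURN payloads from a raw Bitcoin transaction (added example).

Not code from the original posts. The sample transaction is constructed here
(zeroed txid, zero-value outputs, fake payload) so the script runs offline.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw: bytes):
    """Return [(value_satoshi, scriptPubKey), ...] for every output.
    Handles legacy and SegWit (BIP144 marker 0x00, flag 0x01) serialisation."""
    pos = 4  # skip version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2  # SegWit marker+flag; witness data sits after the outputs
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + vout
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """If script is `OP_RETURN <push>`, return the pushed bytes, else None.
    A truncated push returns None rather than a partial (wrong) key."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:            # direct push of 1..75 bytes
        expected, data = op, script[2:2 + op]
    elif op == OP_PUSHDATA1:     # next byte is the length (up to 255)
        expected, data = script[2], script[3:3 + script[2]]
    elif op == OP_PUSHDATA2:     # next two bytes (LE) are the length
        expected = struct.unpack_from("<H", script, 2)[0]
        data = script[4:4 + expected]
    else:
        return None              # OP_0 / OP_1..OP_16 / malformed: no byte payload
    return data if len(data) == expected else None


def find_op_return(raw_hex: str):
    """All OP_RETURN payloads in the transaction, in output order."""
    found = []
    for _, script in parse_outputs(bytes.fromhex(raw_hex)):
        payload = op_return_payload(script)
        if payload is not None:
            found.append(payload)
    return found


def build_sample_tx(payload: bytes, segwit: bool = True) -> str:
    """Constructed, unsigned, non-broadcastable tx: one dummy input, one
    P2WPKH-shaped output and one OP_RETURN output carrying `payload`."""
    txin = bytes(32) + struct.pack("<I", 0) + encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)
    p2wpkh = b"\x00\x14" + bytes(20)
    out1 = struct.pack("<q", 5000) + encode_varint(len(p2wpkh)) + p2wpkh
    push = bytes([len(payload)]) + payload if len(payload) <= 75 else bytes([OP_PUSHDATA1, len(payload)]) + payload
    op_ret = bytes([OP_RETURN]) + push
    out2 = struct.pack("<q", 0) + encode_varint(len(op_ret)) + op_ret
    tx = struct.pack("<I", 2) + (b"\x00\x01" if segwit else b"")
    tx += encode_varint(1) + txin + encode_varint(2) + out1 + out2
    tx += (encode_varint(0) if segwit else b"") + struct.pack("<I", 0)  # empty witness, locktime
    return tx.hex()


if __name__ == "__main__":
    fake_key = b"0123456789abcdef0123456789abcdef"  # constructed, not a real key
    for payload in find_op_return(build_sample_tx(fake_key)):
        print(payload.decode("ascii", errors="replace"))
```

For a real transaction, pass its raw hex to `find_op_return` and try decoding each payload as ASCII; in this thread the published keys are 32 hex characters, so anything of a different length or that does not decode cleanly is not the key. A transaction can carry at most one standard OP_RETURN output, but the parser returns a list so that a non-standard one is not silently dropped.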
-
- New here
- Posts: 2
- Joined: Sat May 14, 2022 4:06 am
Re: [RANSOMWARE] Deadbolt
@OneCD Can you determine if there is a decryption key for bc1qc0z6wuud2l25vy9vekd3udjzwdsf64zyhskcw7 ?
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
No transaction at all on that.
https://www.blockchain.com/btc/address/ ... 64zyhskcw7
Sure you paid the ransom to the right address ?
-
- New here
- Posts: 2
- Joined: Mon May 16, 2022 1:03 am
Re: [RANSOMWARE] Deadbolt
Our NAS just got hit with deadbolt. I'm frustrated that I did not know that this was happening sooner, but hindsight is 20/20.
A couple of questions:
1. Is the only realistic solution to pay the ransom? Luckily we got attacked when BC is down.
2. Assuming I pay the ransom, I refuse to connect my device to the Internet ever again. How the hell would I do the decryption?
-
- Know my way around
- Posts: 104
- Joined: Fri Apr 15, 2022 4:27 pm
Re: [RANSOMWARE] Deadbolt
You do not have to pay; just reset and format everything and restore from your backup.
-
- New here
- Posts: 2
- Joined: Sat May 14, 2022 4:06 am
Re: [RANSOMWARE] Deadbolt
The NAS in question does not belong to me. Do we have to pay the entire ransom? Or can we obtain a decryption key with partial payment? The other post made it sound like there was some sort of decryption key available (or is this only made available upon payment?). Thanks.
- OneCD
- Guru
- Posts: 12163
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
QNAS604 wrote: ↑Mon May 16, 2022 7:29 am The NAS in question does not belong to me. Do we have to pay the entire ransom? Or can we obtain a decryption key with partial payment? The other post made it sound like there was some sort of decryption key available (or is this only made available upon payment?). Thanks.
It seems the decryption key is only made available via the blockchain network when the whole amount is paid.
Without payment, you can’t do anything else, except wipe the NAS and restore from your backups.
If you decide to pay, it may take a day-or-so for the decryption key to be published.
- OneCD
- Guru
- Posts: 12163
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
togetic271 wrote: ↑Mon May 16, 2022 1:12 am 2. Assuming I pay the ransom, I refuse to connect my device to the Internet ever again. How the ** would I do the decryption?
If you have no backups, and desperately require access to the encrypted data, then unfortunately ... yes: your only option is to pay.
I don't think your NAS requires access to the Internet to perform the decryption (someone please correct me if this is wrong.)
Please note: this problem didn't happen because your NAS had access to the Internet: it happened because the Internet had access to your NAS. This may sound like the same thing, but there’s a difference.
It really comes down to which side starts the conversation:
- If your NAS starts a conversation with another device on the Internet, this is usually safe (unless that specific Internet device is malicious).
- But if a device on the Internet is able to start a conversation with your NAS (because your router has active port-forward rules that allow this), this is when the hacking begins.
So, disable UPnP in your router and NAS, and don't forward any ports from the Internet to your NAS.
If you need remote-access to your LAN (including your NAS) from the Internet, create a VPN server instance inside your router, and ensure any devices external to your LAN authenticate with the VPN server first before they can see your LAN. This is a free service you run yourself, and does not require a paid (commercial), anonymising VPN service.
-
- New here
- Posts: 4
- Joined: Thu May 24, 2018 12:06 am
Re: [RANSOMWARE] Deadbolt
I am another klutz who has just been hit by a deadbolt attack.
Like earlier posts, I too am very frustrated that as a normal end user I was not informed by QNAP of this vulnerability; a simple email from QNAP would have sufficed.
I have the great majority, but not all, of my files backed up but stupidly kept a record of where backups are on the NAS drive! I assumed my PC was more vulnerable than the NAS drive!
OK, my questions:
1) There are some posts on the web that seem to indicate you can recover files and that hackers have released a decrypt key and that Emsisoft have an app that decrypts.
eg https://portswigger.net/daily-swig/decr ... s-infected
https://www.emsisoft.com/ransomware-dec ... s/deadbolt
Real or more pain?
2) I have updated NAS firmware to latest version and disabled UPnP but note an earlier post that states 'do not forward any ports from internet to NAS'
How do I check same and disable ports if required?
3) Earlier post gave a decrypt key - am I correct in assuming this is unique to that single attack and would not help me with my attack?
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] Deadbolt
If you have bought your decryption key, the Emsisoft tool can help you with the decryption.
How do I check same and disable ports if required?
That is done in the router. Unless you, or someone else who has administrative access to your router/firewall, have forwarded ports to the Internet, no ports should be open.
3) Earlier post gave a decrypt key - am I correct in assuming this is unique to that single attack and would not help me with my attack?
You are correct.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
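OneCD's advice above (disable UPnP on router and NAS, forward no ports) and P3R's answer that the check "is done in the router" both come down to one question: what has actually been opened towards the NAS? The following is an added example, not code from QNAP, from this thread or from any forum member, that audits a router's UPnP IGD port-mapping table the way a UPnP client would, walking `GetGenericPortMappingEntry` index by index until the router answers with error 713 (end of table) and flagging every enabled mapping whose internal client is the NAS. `ROUTER_HOST`, `CONTROL_PATH` and `NAS_IP` are assumed placeholders (the real control URL comes from the device description XML found via SSDP), and the SOAP responses are constructed so the script runs offline; sending the built request over the network is left to the reader.

```python
"""Audit UPnP IGD port mappings for entries that expose a NAS (added example).

Not code from QNAP or from the original posts. The router responses below
are constructed sample data so the audit logic can be exercised offline.
"""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ROUTER_HOST = "192.168.1.1:5000"  # assumed; take it from the SSDP LOCATION header
CONTROL_PATH = "/ctl/IPConn"      # assumed; take it from the device description XML
NAS_IP = "192.168.1.50"           # assumed LAN address of the NAS

# Multicast discovery probe (to 239.255.255.250:1900) that locates the gateway.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 2\r\n'
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)


def build_get_mapping_request(index: int) -> str:
    """HTTP/SOAP request for the port mapping at table position `index`."""
    body = (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    return (
        f"POST {CONTROL_PATH} HTTP/1.1\r\nHOST: {ROUTER_HOST}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{SERVICE}#GetGenericPortMappingEntry"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n\r\n{body}"
    )


def parse_mapping_response(xml_text: str):
    """Return the mapping as a dict, or None on UPnP error 713
    (SpecifiedArrayIndexInvalid), which means the table is exhausted."""
    root = ET.fromstring(xml_text)
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root.iter()}
    if "errorCode" in fields:
        if fields["errorCode"] == "713":
            return None
        raise RuntimeError(f"UPnP error {fields['errorCode']}: {fields.get('errorDescription')}")
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "enabled": fields["NewEnabled"] == "1",
        "description": fields.get("NewPortMappingDescription", ""),
    }


def audit_mappings(responses, nas_ip: str):
    """Walk responses (index 0, 1, 2, ...) and return mappings exposing nas_ip."""
    exposed = []
    for resp in responses:
        mapping = parse_mapping_response(resp)
        if mapping is None:
            break
        if mapping["enabled"] and mapping["internal_client"] == nas_ip:
            exposed.append(mapping)
    return exposed


def _mapping_xml(ext, proto, client, internal, enabled, desc):
    """Constructed sample of a successful GetGenericPortMappingEntry response."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


ERROR_713 = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>"
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>"
    "</detail></s:Fault></s:Body></s:Envelope>"
)

# Constructed table: NAS web UI, a PC's torrent client, NAS HTTPS, then end-of-table.
SAMPLE_RESPONSES = [
    _mapping_xml(8080, "TCP", NAS_IP, 8080, 1, "NAS web"),
    _mapping_xml(51413, "TCP", "192.168.1.23", 51413, 1, "torrent"),
    _mapping_xml(443, "TCP", NAS_IP, 443, 1, "NAS https"),
    ERROR_713,
]

if __name__ == "__main__":
    for m in audit_mappings(SAMPLE_RESPONSES, NAS_IP):
        print(f"EXPOSED {m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Against a real router, send `SSDP_MSEARCH` over UDP, fetch the device description from the `LOCATION` URL to get the control path, then POST `build_get_mapping_request(i)` for i = 0, 1, 2, ... until you get the 713 fault. Anything this lists for the NAS is reachable from the Internet regardless of what the NAS's own firewall page shows; static port-forward rules configured by hand in the router do not appear here and must be reviewed in the router's UI, and once UPnP is disabled on the router the SSDP probe should go unanswered.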
-
- New here
- Posts: 4
- Joined: Thu May 24, 2018 12:06 am
Re: [RANSOMWARE] Deadbolt
Thanks for really prompt reply P3R.
I also found this QNAP post that enabled me to make sure NAS drive cannot be accessed from internet:
https://www.qnap.com/en/security-news/2 ... e-qnap-nas
Sad that I had to disable a feature that was useful though
-
- Experience counts
- Posts: 1827
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] Deadbolt
What did you disable that you can't re-establish via a secure VPN connection?
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]