[RANSOMWARE] >>READ 1st Post<< Deadbolt

steve614
New here
Posts: 3
Joined: Mon Jul 10, 2017 2:36 pm

Re: [RANSOMWARE] Deadbolt

Post by steve614 »

Hope someone can help me out, please?

Paid the 0.03 BTC ransom earlier today, and can't figure out how to get the decryption key from looking through the transactions.

bc1qp6tgylf3mltlvasvtswxsplgju5mq27rm8857c

Thank you!
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

steve614 wrote: Tue May 17, 2022 2:50 pm Paid the 0.03 BTC ransom earlier today, and can't figure out how to get the decryption key from looking through the transactions.
Your decryption key is: 57011ac198f35490f5dbf536e806d1e3

steve614
New here
Posts: 3
Joined: Mon Jul 10, 2017 2:36 pm

Re: [RANSOMWARE] Deadbolt

Post by steve614 »

OneCD wrote: Tue May 17, 2022 2:53 pm
steve614 wrote: Tue May 17, 2022 2:50 pm Paid the 0.03 BTC ransom earlier today, and can't figure out how to get the decryption key from looking through the transactions.
Your decryption key is: 57011ac198f35490f5dbf536e806d1e3
Just popped it into the Deadbolt decryptor program by Emsisoft and it worked!

You are a bloody legend, OneCD!!
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

No worries mate. Looks like you saved a couple of hundred bucks too, as BTC is down at the moment. ;)

steve614
New here
Posts: 3
Joined: Mon Jul 10, 2017 2:36 pm

Re: [RANSOMWARE] Deadbolt

Post by steve614 »

OneCD wrote: Tue May 17, 2022 3:04 pm No worries mate. Looks like you saved a couple of hundred bucks too, as BTC is down at the moment. ;)
Too true! Can I buy you a beer? You've just helped save a small business in Australia.

And where did you find the decryption key info? If a magician never tells, I can live with that, but it might help others out there that decide to pay the ransom (as horrible as that is).
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

steve614 wrote: Tue May 17, 2022 3:23 pm Too true! Can I buy you a beer? You've just helped save a small business in Australia.
No, but please have one (or maybe two) for me. :DD
steve614 wrote: Tue May 17, 2022 3:23 pm And where did you find the decryption key info?
Use https://www.blockchain.com for this.
  • When you've loaded that site, use the search bar (near the top-right of the web-page) and copy-paste your specific ransomware bitcoin address into the search field, then push <enter>.

    That will take you to this page: https://www.blockchain.com/btc/address/ ... q27rm8857c
  • Scroll down to the "Transactions" section.
  • There are presently 2 transactions with this hash. We're interested in the transaction for +0.00005460 BTC, as this is the amount the hackers pay to the same bitcoin address to provide your decryption key. So, click on the "Hash" value for that transaction: https://www.blockchain.com/btc/tx/cf42a ... d6af367b18
  • Now, we're on a new page with the transaction details. Scroll down to the "Outputs" section - it's the last one on the page.
  • Then find index 2 (OP_RETURN). The attached hexadecimal number is the decryption key.

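The last two steps of the procedure above (open the transaction, read the data attached to the OP_RETURN output), as an added example that is not part of OneCD's post or of any QNAP or Emsisoft tool. The dict layout and field names are hypothetical, and the sample transaction is constructed, reusing the key quoted earlier in this thread.

```python
OP_RETURN = 0x6A      # marks an unspendable, data-carrying output
OP_PUSHDATA1 = 0x4C   # push opcode whose length is in the following byte


def op_return_payload(script_hex):
    """Return the bytes pushed after OP_RETURN, or None for any other script."""
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode, pos = script[1], 2
    if 1 <= opcode <= 75:            # direct push: the opcode is the length
        length = opcode
    elif opcode == OP_PUSHDATA1:     # length is carried in the next byte
        if len(script) < 3:
            return None
        length, pos = script[2], 3
    else:
        return None
    data = script[pos:pos + length]
    return data if len(data) == length else None   # reject truncated scripts


def find_key(tx):
    """Return (output index, payload hex) of the first OP_RETURN output."""
    for index, out in enumerate(tx["outputs"]):
        payload = op_return_payload(out["script_hex"])
        if payload is not None:
            return index, payload.hex()
    return None


# Constructed sample (hypothetical layout): the 5460-satoshi payment back to
# the ransom address, a change output, and the OP_RETURN output at index 2.
SAMPLE_TX = {
    "outputs": [
        {"value_sat": 5460, "script_hex": "0014" + "11" * 20},
        {"value_sat": 120000, "script_hex": "0014" + "22" * 20},
        {"value_sat": 0,
         "script_hex": "6a10" + "57011ac198f35490f5dbf536e806d1e3"},
    ]
}

if __name__ == "__main__":
    print(find_key(SAMPLE_TX))
```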
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

steve614 wrote: Tue May 17, 2022 3:23 pm You've just helped save a small business in Australia.
The lessons that you hopefully learnt from this experience are that you:
  1. Never expose the Qnap directly on the internet again.
  2. Always do regular backups to external storage with at least one stored at another site.
The first would have prevented this incident and the second one could have saved you from this and many other threats that can (and probably will) hit your data storage in the future.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

P3R wrote: Tue May 17, 2022 3:49 pm
  1. Never expose the Qnap directly on the internet again.
  2. Always do regular backups to external storage with at least one stored at another site.
Image

naslkw
First post
Posts: 1
Joined: Wed May 18, 2022 6:17 pm

Re: [RANSOMWARE] Deadbolt

Post by naslkw »

Hello all, please help ...
Our NAS got hit by ransomware-deadbolt, and we cannot avoid paying the ransom of 0.03 BTC.
While trying to do the payment, I got the "error" sign that said the given bitcoin address is wrong.
The given btc-add: bc1q7nn53642uxtqhkse7yhdj46e7hvqvm21dg4wxs
Is there any way to check the correct address?
Hopefully I can get some help from you guys ...
FiDiLady
First post
Posts: 1
Joined: Wed May 18, 2022 8:53 pm

Re: [RANSOMWARE] Deadbolt

Post by FiDiLady »

QNAP strikes again. It dropped the page with instructions on how to restore the ransom page - and they didn't respond to my open ticket. Finally scraped together the funds to pay the ransom, and now we can't get to the ransom page. Thanks to those who have provided instructions through this 65 page thread (pain in the arse going through to find what you're looking for) - hoping that works.
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Please check the first page of this topic for an answer to your issue.
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

naslkw wrote: Wed May 18, 2022 6:30 pm the given btc-add: bc1q7nn53642uxtqhkse7yhdj46e7hvqvm21dg4wxs
is there anyway to check the correct address?
Can you please post a screenshot of the ransomware screen? I'd like to confirm the address you were given.

OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

FiDiLady wrote: Wed May 18, 2022 9:00 pm QNAP strikes again. It dropped the page with instructions on how to restore the ransom page ...
Agree, looks like QNAP have been retooling their support system and the original article has been lost. :roll:

OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Found a cached copy of the page: https://webcache.googleusercontent.com/ ... clnk&gl=au

Grab it while you can. ;)

dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

QNAP Bulletin https://www.qnap.com/en/security-news/2 ... le-version


2022-05-19
Take Immediate Actions to Secure QNAP NAS, and Update QTS to the latest available version.
security
Taipei, Taiwan, May 19, 2022 - QNAP® Systems, Inc. recently detected a new attack by the DEADBOLT Ransomware. According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series. QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.

 

QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]