[RANSOMWARE] >>READ 1st Post<< Deadbolt

P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

dosborne wrote: Thu May 19, 2022 9:54 pm QNAP Bulletin https://www.qnap.com/en/security-news/2 ... le-version
The January 7th message was much more clear about how to not expose the Qnap on the internet and that didn't help so I doubt this will.

So it's another bunch of users that will learn the importance of the backups they know they should have had but thought was too expensive or too complicated. Now they will have to pay to just get their data back and the criminals will become stronger and attack even more users. It's sad on so many levels... :cry:
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
dolbyman
Guru
Posts: 35020
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

the bleeping computer thread here had a constant drizzle of people with infections, so far reddit is quiet too

https://www.bleepingcomputer.com/forums ... -extension

let's see if there will be an uptick soon
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

I guess it won't be the same huge numbers as in January-March as it appears to be limited to systems that run outdated QTS branches and as we well know several of these TS-X51 and TS-X53 have already died...
anotherusername
Starting out
Posts: 42
Joined: Sat Mar 02, 2013 10:36 pm

Re: [RANSOMWARE] Deadbolt

Post by anotherusername »

"So it's another bunch of users that will learn the importance of the backups they know they should have had but thought was too expensive or too complicated. Now they will have to pay to just get their data back and the criminals will become stronger and attack even more users. It's sad on so many levels..."

It's saddest on the level where QNAP don't take security seriously - maybe it's too expensive or complicated for them. If you've bought your NAS as a mail server or a cloud server for a small business then the advice to take it off the web isn't very useful and their sales staff/channels should be warning potential buyers that this kit isn't really safe enough to be left unsupervised on the internet.

Backups? - yeah - obvs - but if you've bought a NAS because you've got 30TB of data to deal with then backup probably means another NAS - a cynic would say that these attacks are good business for QNAP. Even basic prevention by the user, such as removing attack vectors by removing apps that you don't need or use, is intentionally made difficult by QNAP because many of the apps can't be deleted and those that can often reappear on the next update. The biggest joke (if it weren't so serious) is that the only way to get notifications of when new firmware is available is to have the NAS connected to the web. Why won't QNAP email me when there's an update?

The main thing they could do for users who aren't tech-savvy is to have a big button on the main page that says "Disconnect All Ports and Apps from Web", given that this is their only sure way of keeping their kit secure.

I'm lucky - my QNAP is tucked firmly behind the firewall and never sees the internet, but the main lesson that I've learned in the last year or so is that I shouldn't have bought a QNAP NAS.
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

anotherusername wrote: Sat May 21, 2022 4:23 pm It's saddest on the level where QNAP don't take security seriously...
That's only one of the issues.
Backups? - yeah - obvs - but if you've bought a NAS because you've got 30TB of data to deal with then backup probably means another NAS...
If you can't afford to back up your data then you try to save too much of it. The ransomware situation is only one of many threats so without external backups, you're gambling with your data. It doesn't matter if it's complicated or expensive to back up, you should have backups of all data that have any value to you!
Even basic prevention by the user, such as removing attack vectors by removing apps that you don't need or use, is intentionally made difficult by QNAP because many of the apps can't be deleted and those that can often reappear on the next update.
Valid complaint but the apps aren't really a significant security risk so it's totally the wrong focus to have when you lack backups.
The biggest joke (if it weren't so serious) is that the only way to get notifications of when new firmware is available is to have the NAS connected to the web.
Outgoing connections from the Qnap aren't really a risk so cutting that off may be easy but you're making your life hard without any real security gains so it's not what I would recommend.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

OneCD wrote: Thu May 19, 2022 2:49 am
FiDiLady wrote: Wed May 18, 2022 9:00 pm QNAP strikes again. It dropped the page with instructions on how to restore the ransom page ...
Agree, looks like QNAP have been retooling their support system and the original article has been lost. :roll:
Oh good, QNAP have restored this article.
need_help
New here
Posts: 4
Joined: Wed Jun 01, 2022 1:50 am

Re: [RANSOMWARE] Deadbolt

Post by need_help »

Hello guys, this is my first post so thanks in advance for the support!

I'm trying to restore the malware page on my Qnap (TS563, fw 5.0.0.1986), I've tried the v3 and v4 script with no results (index.html page was not created)

the qnap script gives me that output (malware removal disabled):
sh extract_deadbolt_v4.sh
[O] Found malware executable 18818 30073 and restored it to /mnt/HDA_ROOT/
[X] Couldn't find malware index.html
[O] Found malware pkg and used it to generate index.html under /home/httpd/

but:
http://NASIP:8080/index.cgi gives not found error
http://NASIP:8080/index.html takes me to the nas standard homepage
http://NASIP:8080/cgi.bin/index.html takes me to white page
http://NASIP:8080/cgi.bin/index.html takes me to the nas standard homepage

the SDDPd.bin file is missing, I tried to recover the file but I don't find it in the quarantine files (I've opened them all, found the malware executables but nothing else. folder was found via the grep method)

if I restart the nas I find this index.html in /home/httpd
-rw-r--r-- 1 admin administrators 580 2022-03-23 22:34 index.html

any help or hint would be great thanks!!


script v3 output:
sh extract_deadbolt_v3.sh
BusyBox v1.24.1 (2022-03-24 03:12:29 CST) multi-call binary.

Usage: basename FILE [SUFFIX]

Strip directory path and .SUFFIX from FILE
359685+0 records in
359685+0 records out
3596850 bytes (3.4MB) copied, 0.537559 seconds, 6.4MB/s
cp: cannot stat `30073': No such file or directory
chmod: 30073: No such file or directory
Found /mnt/HDA_ROOT/18818
30073
dolbyman
Guru
Posts: 35020
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

did you use the admin user when running this script?
need_help
New here
Posts: 4
Joined: Wed Jun 01, 2022 1:50 am

Re: [RANSOMWARE] Deadbolt

Post by need_help »

yes, I also tried to run the script with sudo but with the same results :(
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

I guess the question was if you have used the original admin account, not a user from the administrators group or sudo.

Regards
need_help
New here
Posts: 4
Joined: Wed Jun 01, 2022 1:50 am

Re: [RANSOMWARE] Deadbolt

Post by need_help »

yes I'm using the admin account!
what can I do? import the SDDPd.bin file from another NAS?
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

No idea! I was never hit by any malware (fingers crossed)! Also never noticed an SDDPd.bin file!?
Did you already contact QNAP support for further help/information?

Regards
mustard
Getting the hang of things
Posts: 86
Joined: Sat Jun 15, 2013 7:24 pm

Re: [RANSOMWARE] Deadbolt

Post by mustard »

P3R wrote: Sat May 21, 2022 7:43 pm
anotherusername wrote: Sat May 21, 2022 4:23 pm It's saddest on the level where QNAP don't take security seriously...
That's only one of the issues.
Backups? - yeah - obvs - but if you've bought a NAS because you've got 30TB of data to deal with then backup probably means another NAS...
If you can't afford to back up your data then you try to save too much of it. The ransomware situation is only one of many threats so without external backups, you're gambling with your data. It doesn't matter if it's complicated or expensive to back up, you should have backups of all data that have any value to you!
Yeah. And I should have a spare car so I can still get around if my main one breaks down. That's ideal worlds for you, eh? (I personally have three or four levels of backup, but I also have sympathy for those that don't)
dolbyman
Guru
Posts: 35020
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

A car can easily be replaced with a rental or different model. Personal data is not replaceable like that.

Do you back up your tax records? (yes)
Do you back up your irreplaceable only copy of family photos? (yes)
Do you back up your TB of downloaded movies or ripped blurays? (not really if you don't have the budget for it)

If you differentiate between data types, backups (mostly) become much more feasible
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

mustard wrote: Fri Jun 03, 2022 11:03 pm ...but I also have sympathy for those that don't
I don't lack sympathy but in my opinion it's nicer to explain what people should do to avoid making the same mistake again than to cry with them over what they have lost.