[RANSOMWARE] >>READ 1st Post<< Deadbolt
Re: [RANSOMWARE] Deadbolt
Depends! I am guessing the racketeers will treat this as "great news"
So the question is to whom he addresses this.
Regards
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com
Re: [RANSOMWARE] Deadbolt
Hi all
OneCD wrote: ↑Sun Jun 19, 2022 4:34 am
Your decryption key is: 43ee1743f2b1cd285cba1d900eeb3046
fisken920112! wrote: ↑Sun Jun 19, 2022 3:40 am
Their wallet: bc1qns5aegfcghznp40smewqzret9c0zcrtkwvmec4
How did you get the decryption key?
A new customer came to my office with an infected QNAP NAS.
After a firmware upgrade and running Malware Remover, I tried this to restore the HTML page: https://www.qnap.com/fr-fr/how-to/faq/a ... t-de-passe
When I try to access the Deadbolt HTML page, I only get a white page with commands.
On this page I can see this:
    [ "x$SUM" == "xa7e1a856466cc58344cf9fe67c3e25573ce83a9955a763d6e12ef73f25adedee" ]; then
        echo '{"msg":"correct key"}'
        if [ -f /usr/bin/nohup ]; then
            (nohup ${T00L} -d "$KEY" "$CRYPTDIR" >/dev/null 2>/dev/null) &
            exec >&-
            exec 2>&-
        else
            exec >&-
            exec 2>&-
            ${T00L} -d "$KEY" "$CRYPTDIR"
        fi
    elif [ "x$SUM" == "x93f21756aeeb5a9547cc62dea8d58581b0da4f23286f14d10559e6f89b078052" ]; then
        echo '{"msg":"correct master key"}
Do you think we can do something with those "keys"? Or not?
Thanks for your help
- OneCD
Re: [RANSOMWARE] Deadbolt
The user paid the ransom amount, and their decryption key was posted on the blockchain network. To locate your decryption key after payment, please read this post: viewtopic.php?f=45&t=164797&p=818604#p818604
No. Those are comparison hashes. They can't be used to decrypt data.
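The two points in this reply (the key is carried in an OP_RETURN output of the payment transaction, and the SHA-256 digests visible in the page's shell fragment only verify a typed key) can be shown together in one script. The following is an added example, not code from this forum, from QNAP, or from the ransomware: it builds a constructed legacy-format transaction with an OP_RETURN output, parses it back to pull out the payload, and then checks a candidate key against an embedded digest the way the posted fragment does. The function names (build_sample_tx, op_return_payloads, key_matches, find_key) and the 16-byte placeholder payload are my own. It also assumes that the fragment's $SUM is the hex SHA-256 of the key text, which the fragment does not show, and that the key is the hex encoding of the OP_RETURN bytes, matching the 32-hex-character key format quoted earlier in the thread.

```python
import hashlib
import struct

# Constructed placeholder payload (16 bytes); NOT a real Deadbolt key.
SAMPLE_PAYLOAD = bytes.fromhex("0123456789abcdef0123456789abcdef")


def build_sample_tx(payload: bytes) -> bytes:
    """Serialize a minimal legacy-format transaction (constructed test data):
    one dummy input, one OP_RETURN output carrying `payload`, one P2WPKH output."""
    assert len(payload) <= 75, "this helper only emits a direct push"
    tx = struct.pack("<I", 1)                                  # version
    tx += b"\x01"                                              # input count
    tx += b"\x00" * 32 + struct.pack("<I", 0)                  # dummy previous outpoint
    tx += b"\x00"                                              # empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF)                        # sequence
    tx += b"\x02"                                              # output count
    op_return_script = b"\x6a" + bytes([len(payload)]) + payload
    tx += struct.pack("<q", 0) + bytes([len(op_return_script)]) + op_return_script
    p2wpkh_script = b"\x00\x14" + b"\x11" * 20                 # placeholder witness program
    tx += struct.pack("<q", 100_000) + bytes([len(p2wpkh_script)]) + p2wpkh_script
    tx += struct.pack("<I", 0)                                 # locktime
    return tx


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw: bytes):
    """Walk a legacy-serialized transaction and return [(value_sats, scriptPubKey), ...]."""
    pos = 4                                                    # skip version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        raise ValueError("witness serialization: request the non-witness hex instead")
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                                          # previous txid + index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                                  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payloads(raw: bytes):
    """Return the data pushed after OP_RETURN (0x6a) in every OP_RETURN output."""
    payloads = []
    for _value, script in parse_outputs(raw):
        if not script or script[0] != 0x6A:
            continue
        if len(script) == 1:                                   # bare OP_RETURN, no data
            payloads.append(b"")
            continue
        op = script[1]
        if 1 <= op <= 75:                                      # direct push of `op` bytes
            payloads.append(script[2:2 + op])
        elif op == 0x4C:                                       # OP_PUSHDATA1
            payloads.append(script[3:3 + script[2]])
        elif op == 0x4D:                                       # OP_PUSHDATA2
            n = struct.unpack_from("<H", script, 2)[0]
            payloads.append(script[4:4 + n])
    return payloads


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def key_matches(candidate_key: str, expected_sha256_hex: str) -> bool:
    """Mirror the posted page fragment: the page stores only SHA-256 digests and
    compares the digest of whatever is typed in (assumption: $SUM is the hex
    SHA-256 of the key text). A digest cannot be reversed into the key, which
    is why the hashes visible in the page cannot decrypt anything."""
    return sha256_hex(candidate_key) == expected_sha256_hex


def find_key(raw_tx_hex: str, expected_sha256_hex: str):
    """Assumption: the key is the hex encoding of the OP_RETURN bytes. Return the
    first payload whose digest matches the page's hash, or None."""
    for payload in op_return_payloads(bytes.fromhex(raw_tx_hex)):
        candidate = payload.hex()
        if key_matches(candidate, expected_sha256_hex):
            return candidate
    return None


if __name__ == "__main__":
    raw = build_sample_tx(SAMPLE_PAYLOAD)
    page_hash = sha256_hex(SAMPLE_PAYLOAD.hex())               # what the page would embed
    print("OP_RETURN payloads:", [p.hex() for p in op_return_payloads(raw)])
    print("matching key:", find_key(raw.hex(), page_hash))
```

To use this on a real payment, paste the transaction's non-witness raw hex (most block explorers offer it) into find_key together with the first digest from the page fragment; a match confirms offline that the OP_RETURN data is the key before anything is typed into the ransom page, and a None result means either the key was not posted in that transaction or the hash-of-key assumption does not hold for this variant.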
Re: [RANSOMWARE] Deadbolt
Hello guys, yesterday my QNAP got attacked by Deadbolt...
I've got open ports 20 and 21 for FTP, then the ports needed for VPN (PPTP, L2TP)
and older firmware on my QNAP (I think something like 4.5.x),
do you think it's because of the old firmware? Is it safe to have open ports for FTP and use FTP with an external IP?
Thx for info
- Guapo81
Re: [RANSOMWARE] Deadbolt
Looking at the last security advisory, it looks as if your assumption could be right;
ladasan wrote: ↑Tue Jun 21, 2022 3:21 pm
Hello guys, yesterday my QNAP got attacked by Deadbolt...
I've got open ports 20 and 21 for FTP, then the ports needed for VPN (PPTP, L2TP)
and older firmware on my QNAP (I think something like 4.5.x),
do you think it's because of the old firmware? Is it safe to have open ports for FTP and use FTP with an external IP?
Thx for info
https://www.qnap.com/nl-nl/security-advisory/QSA-22-19
States the following:
Summary
QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x.
We are thoroughly investigating the case and will provide further information as soon as possible.
Anyway, concerning open ports, I would say every open port which is accessible over the WAN is a potential danger; I would stay with a VPN connection only, and on a different device than your QNAP.
QNAP TS-h886-64G 2x Samsung 970PRO NVMe SSD (RAID1, System), 2x Samsung 860 PRO SSD (RAID1, VM) 4x Seagate EXOS X16 16TB (RAID5, Data) - FW: QuTS-hero
QNAP TVS-682-i3-32G 4x HGST HUH728060ALN600 (RAID5, Backup) - FW: QTS
QNAP TVS-463 4x Seagate ST2000VN000 (RAID5, Surveillance, Backup) - FW: QTS
Former units: TS-469Pro, TS-459ProII, TS-269Pro, Qgenie
Re: [RANSOMWARE] Deadbolt
What to do next, if I have a second QNAP, a TS-639, whose newest firmware is 4.2.6?
(https://www.qnap.com/cs-cz/download?mod ... y=firmware)
Re: [RANSOMWARE] Deadbolt
That is exactly the outstanding solution for security!
Replace your router with a device which is capable of setting up a VPN server and a reasonable firewall.
As an alternative think about using a solution like pfSense/opnSense/Sophos/... (there are more) for securing your LAN.
Regards
Edit: Firmware 4.2.6 is rather old! But there are security updates available; my latest 4.2.6 is from March 2022.
Anyhow, any open port is a possible entry for hackers!
- OneCD
Re: [RANSOMWARE] Deadbolt
QTS introduced some big changes when version 4.3.0 was released (so many, it probably should have been called QTS 5). It seems this also allowed a whole mess of bugs and vulnerabilities to make their way into the OS, and it’s been flaky ever since.
I’m hesitant to state this as I’d rather not give anyone potentially unsafe advice, but my own observations suggest 4.2.6 may actually be safer and more stable than the later 4.3.0+ versions.
I still wouldn’t expose any QNAP software services to the Internet, no matter which version you’re running. QNAP has a long way to go on their Internet-facing software.
Re: [RANSOMWARE] Deadbolt
Looking for some assistance. Ransom paid but no OP_RETURN showed.
Address bc1qqw39fctvawrldc3du7zw7m7e27rzgur08zzxed
Re: [RANSOMWARE] Deadbolt
Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is someone there who can help me?
Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3adx79c0fa531f22408
wallet: bc1qu3ynnjusea3cwezxkh3vkxh63xqxv6wkxq7srdh
Thanks in advance
Last edited by juliosousasp on Wed Jun 22, 2022 10:57 pm, edited 1 time in total.
Re: [RANSOMWARE] Deadbolt
juliosousasp wrote: ↑Wed Jun 22, 2022 7:57 pm
Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is someone there who can help me?
Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3ad79c0fa531f22408
wallet: bc1qu3ynnjusea3cwezkh3vkxh63xqxv6wkxq7srdh
Thanks in advance
75a8c20f6f58b2f7173475223c0de607
Ours took about 12 hours if that helps anyone in the future.
Re: [RANSOMWARE] Deadbolt
??? Don't think that your key will help anyone else?
The keys are individual.
Regards
Re: [RANSOMWARE] Deadbolt
Thanks!
burfdaycake wrote: ↑Wed Jun 22, 2022 10:29 pm
juliosousasp wrote: ↑Wed Jun 22, 2022 7:57 pm
Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is someone there who can help me?
Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3ad79c0fa531f22408
wallet: bc1qu3ynnjusea3cwezkh3vkxh63xqxv6wkxq7srdh
Thanks in advance
75a8c20f6f58b2f7173475223c0de607
Ours took about 12 hours if that helps anyone in the future.
Re: [RANSOMWARE] Deadbolt
Hello,
Can't find OP_Return on this transaction - bc1qj5tseuz62jlfea4wxgc7dzvhcx4zsdl9c390k7
Please help me! Thanks!
- dolbyman