[RANSOMWARE] >>READ 1st Post<< Deadbolt

FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Depends! I am guessing the racketeers will treat this as "great news" :ashamed: :lol: :lol: :lol:
So the question is to whom he addresses this. :twisted:

Regards
fairzack
First post
Posts: 1
Joined: Sun Jun 19, 2022 5:12 pm

Re: [RANSOMWARE] Deadbolt

Post by fairzack »

OneCD wrote: Sun Jun 19, 2022 4:34 am
fisken920112! wrote: Sun Jun 19, 2022 3:40 am Their wallet: bc1qns5aegfcghznp40smewqzret9c0zcrtkwvmec4
Your decryption key is: 43ee1743f2b1cd285cba1d900eeb3046
Hi all

How did you get the decryption key?
A new customer came to my office with an infected QNAP NAS.

After a firmware upgrade and running Malware Remover, I tried this to restore the HTML page: https://www.qnap.com/fr-fr/how-to/faq/a ... t-de-passe

When I try to access the Deadbolt HTML page, I only get a white page with commands.
On this page I can see this:

[ "x$SUM" == "xa7e1a856466cc58344cf9fe67c3e25573ce83a9955a763d6e12ef73f25adedee" ]; then
    echo '{"msg":"correct key"}'
    if [ -f /usr/bin/nohup ]; then
        (nohup ${T00L} -d "$KEY" "$CRYPTDIR" >/dev/null 2>/dev/null) &
        exec >&-
        exec 2>&-
    else
        exec >&-
        exec 2>&-
        ${T00L} -d "$KEY" "$CRYPTDIR"
    fi
elif [ "x$SUM" == "x93f21756aeeb5a9547cc62dea8d58581b0da4f23286f14d10559e6f89b078052" ]; then
    echo '{"msg":"correct master key"}
Do you think we can do something with those "keys"? Or not?

Thanks for your help
OneCD
Guru
Posts: 12136
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

fairzack wrote: Sun Jun 19, 2022 5:16 pm
OneCD wrote: Sun Jun 19, 2022 4:34 am
fisken920112! wrote: Sun Jun 19, 2022 3:40 am Their wallet: bc1qns5aegfcghznp40smewqzret9c0zcrtkwvmec4
Your decryption key is: 43ee1743f2b1cd285cba1d900eeb3046
Hi all

How did you get the decryption key?
The user paid the ransom amount, and their decryption key was posted on the blockchain network. To locate your decryption key after payment, please read this post: viewtopic.php?f=45&t=164797&p=818604#p818604
fairzack wrote: Sun Jun 19, 2022 5:16 pm Do you think we can do something with those "keys"? Or not?
No. Those are comparison hashes. They can't be used to decrypt data.

ladasan
New here
Posts: 2
Joined: Tue Jun 21, 2022 3:13 pm

Re: [RANSOMWARE] Deadbolt

Post by ladasan »

Hello guys, yesterday my QNAP got attacked by Deadbolt...

I have ports 20 and 21 open for FTP, then the ports needed for VPN (PPTP, L2TP),
and older firmware on my QNAP (I think something like 4.5.x).

Do you think it's because of the old firmware? Is it safe to have open ports for FTP and to use FTP with an external IP?

Thanks for the info
Guapo81
Know my way around
Posts: 160
Joined: Tue Jun 21, 2011 4:22 pm
Location: Netherlands

Re: [RANSOMWARE] Deadbolt

Post by Guapo81 »

ladasan wrote: Tue Jun 21, 2022 3:21 pm Hello guys, yesterday my QNAP got attacked by Deadbolt...

I have ports 20 and 21 open for FTP, then the ports needed for VPN (PPTP, L2TP),
and older firmware on my QNAP (I think something like 4.5.x).

Do you think it's because of the old firmware? Is it safe to have open ports for FTP and to use FTP with an external IP?

Thanks for the info
Looking at the latest security advisory, it looks as if your assumption could be right:
https://www.qnap.com/nl-nl/security-advisory/QSA-22-19

States the following:
Summary
QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x.
We are thoroughly investigating the case and will provide further information as soon as possible.


Anyway, concerning open ports, I would say every open port which is accessible over the WAN is a potential danger. I would stay with a VPN connection only, and on a different device than your QNAP.
QNAP TS-h886-64G 2x Samsung 970PRO NVMe SSD (RAID1, System), 2x Samsung 860 PRO SSD (RAID1, VM) 4x Seagate EXOS X16 16TB (RAID5, Data) - FW: QuTS-hero
QNAP TVS-682-i3-32G 4x HGST HUH728060ALN600 (RAID5, Backup) - FW: QTS
QNAP TVS-463 4x Seagate ST2000VN000 (RAID5, Surveillance, Backup) - FW: QTS
Former units: TS-469Pro, TS-459ProII, TS-269Pro, Qgenie
ladasan
New here
Posts: 2
Joined: Tue Jun 21, 2022 3:13 pm

Re: [RANSOMWARE] Deadbolt

Post by ladasan »

What to do next, if I have a second QNAP TS-639, whose newest firmware is 4.2.6?

(https://www.qnap.com/cs-cz/download?mod ... y=firmware)
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Guapo81 wrote: Tue Jun 21, 2022 3:32 pm Anyway, concerning open ports, I would say every open port which is accessible over the WAN is a potential danger. I would stay with a VPN connection only, and on a different device than your QNAP.
That is exactly the outstanding solution for security!
Replace your router with a device which is capable of running a VPN server and a reasonable firewall.

As an alternative think about using a solution like pfSense/opnSense/Sophos/... (there are more) for securing your LAN.

Regards

Edit: Firmware 4.2.6 is rather old! But there are security updates available; my latest 4.2.6 is from March 2022.
Anyhow, any open port is a possible entry for hackers!
OneCD
Guru
Posts: 12136
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

ladasan wrote: Tue Jun 21, 2022 4:42 pm What to do next, if I have a second QNAP TS-639, whose newest firmware is 4.2.6?
QTS introduced some big changes when version 4.3.0 was released (so many, it probably should have been called QTS 5). It seems this also allowed a whole mess of bugs and vulnerabilities to make their way into the OS, and it's been flaky ever since.

I’m hesitant to state this as I’d rather not give anyone potentially unsafe advice, but my own observations suggest 4.2.6 may actually be safer and more stable than the later 4.3.0+ versions.

I still wouldn't expose any QNAP software services to the Internet, no matter which version you're running. QNAP has a long way to go on their Internet-facing software. ;)

burfdaycake
New here
Posts: 2
Joined: Wed Jun 22, 2022 2:01 pm

Re: [RANSOMWARE] Deadbolt

Post by burfdaycake »

Looking for some assistance. Ransom paid but no OP_RETURN showed.

Address bc1qqw39fctvawrldc3du7zw7m7e27rzgur08zzxed
juliosousasp
New here
Posts: 2
Joined: Wed Jun 22, 2022 7:55 pm

Re: [RANSOMWARE] Deadbolt

Post by juliosousasp »

Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3adx79c0fa531f22408

wallet: bc1qu3ynnjusea3cwezxkh3vkxh63xqxv6wkxq7srdh

Thanks in advance
Last edited by juliosousasp on Wed Jun 22, 2022 10:57 pm, edited 1 time in total.
burfdaycake
New here
Posts: 2
Joined: Wed Jun 22, 2022 2:01 pm

Re: [RANSOMWARE] Deadbolt

Post by burfdaycake »

juliosousasp wrote: Wed Jun 22, 2022 7:57 pm Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3ad79c0fa531f22408

wallet: bc1qu3ynnjusea3cwezkh3vkxh63xqxv6wkxq7srdh

Thanks in advance

75a8c20f6f58b2f7173475223c0de607

Ours took about 12 hours if that helps anyone in the future.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

??? Don't think that your key will help anyone else?
The keys are individual.

Regards
juliosousasp
New here
Posts: 2
Joined: Wed Jun 22, 2022 7:55 pm

Re: [RANSOMWARE] Deadbolt

Post by juliosousasp »

burfdaycake wrote: Wed Jun 22, 2022 10:29 pm
juliosousasp wrote: Wed Jun 22, 2022 7:57 pm Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Transaction id: 69af3f6847e839b40a88fb64182e43281be856451e950f3ad79c0fa531f22408

wallet: bc1qu3ynnjusea3cwezkh3vkxh63xqxv6wkxq7srdh

Thanks in advance

75a8c20f6f58b2f7173475223c0de607

Ours took about 12 hours if that helps anyone in the future.
Thanks!
ANDRA87
First post
Posts: 1
Joined: Mon Jun 27, 2022 5:51 pm

Re: [RANSOMWARE] Deadbolt

Post by ANDRA87 »

Hello,
Can't find the OP_RETURN on this transaction - bc1qj5tseuz62jlfea4wxgc7dzvhcx4zsdl9c390k7
Please help me! Thanks!
dolbyman
Guru
Posts: 35213
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

ANDRA87 wrote: Mon Jun 27, 2022 5:54 pm Hello,
Can't find the OP_RETURN on this transaction - bc1qj5tseuz62jlfea4wxgc7dzvhcx4zsdl9c390k7
Please help me! Thanks!
Op_return is

c9dbc34b1291c2be3e8ef3d3648be0de
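The two mechanisms this thread keeps coming back to, as one added Python example: OneCD's point that the values in the NAS script are comparison hashes (a candidate key can be checked against them, but they give you no key), and the OP_RETURN lookup that dolbyman and the "no OP_RETURN showed" posts are about. This is not code from the thread, from QNAP or from the ransomware. The raw transaction, the key and the hash below are all constructed for this example; nothing here is taken from a real victim. Two assumptions are made: that the script's $SUM is SHA-256 of the ASCII key (the fragment fairzack posted shows 64-hex-character constants but not the hashing command), and that the OP_RETURN payload is the 16 raw key bytes that block explorers show as 32 hex characters (a 32-character ASCII-hex payload is accepted as well).

```python
"""Pull a Deadbolt-style 32-hex-character key out of a Bitcoin transaction's
OP_RETURN output and check it against the comparison hash the NAS script holds.

Added example; not from the forum thread, QNAP or the ransomware itself.
Transaction bytes, key and hash are constructed here for illustration.
"""
import hashlib
import struct


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def tx_outputs(raw: bytes):
    """Yield (value_in_satoshi, scriptPubKey) for every output of a raw transaction.
    Legacy and segwit (marker 0x00, flag 0x01) serialisations are both handled;
    witness data comes after the outputs, so the parser never has to reach it."""
    pos = 4                                   # version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                              # segwit marker + flag
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                         # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        yield value, raw[pos:pos + script_len]
        pos += script_len


def op_return_payload(script: bytes):
    """Data pushed after OP_RETURN (0x6a), or None if this is not an OP_RETURN output."""
    if not script or script[0] != 0x6A:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:                         # direct push of `op` bytes
        return script[2:2 + op]
    if op == 0x4C:                            # OP_PUSHDATA1
        return script[3:3 + script[2]]
    if op == 0x4D:                            # OP_PUSHDATA2
        n = struct.unpack_from("<H", script, 2)[0]
        return script[4:4 + n]
    return None


def find_deadbolt_key(raw_tx_hex: str):
    """Return the key from the first OP_RETURN output as 32 lowercase hex chars, or None.
    Assumption: payload is the 16 raw key bytes; 32 ASCII hex characters also accepted."""
    for _value, script in tx_outputs(bytes.fromhex(raw_tx_hex)):
        data = op_return_payload(script)
        if data is None:
            continue
        if len(data) == 16:
            return data.hex()
        if len(data) == 32:
            try:
                text = data.decode("ascii")
                bytes.fromhex(text)           # raises ValueError if not hex
                return text.lower()
            except (UnicodeDecodeError, ValueError):
                pass
    return None


def key_sum(key: str) -> str:
    """The $SUM the NAS script compares: assumed SHA-256 over the ASCII key text."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def key_matches(key: str, expected_sum: str) -> bool:
    """What the script's `[ "x$SUM" == "x<hash>" ]` test does: verify, never recover."""
    return key_sum(key) == expected_sum.lower()


def build_constructed_tx(key: bytes) -> str:
    """Serialise a minimal legacy transaction: one placeholder input, a dust output
    to a P2WPKH address and an OP_RETURN carrying `key`. Constructed sample only."""
    def varint(n):
        return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)
    tx = struct.pack("<i", 2)                                    # version
    tx += varint(1) + b"\x11" * 32 + struct.pack("<I", 0)        # one outpoint
    tx += varint(0) + b"\xff\xff\xff\xff"                        # empty scriptSig, sequence
    tx += varint(2)                                              # two outputs
    tx += struct.pack("<q", 546) + varint(22) + b"\x00\x14" + b"\x22" * 20
    tx += struct.pack("<q", 0) + varint(2 + len(key)) + b"\x6a" + bytes([len(key)]) + key
    tx += struct.pack("<I", 0)                                   # locktime
    return tx.hex()


CONSTRUCTED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # not a real key
CONSTRUCTED_TX = build_constructed_tx(CONSTRUCTED_KEY)
CONSTRUCTED_SUM = key_sum(CONSTRUCTED_KEY.hex())   # stands in for the hash baked into the script

if __name__ == "__main__":
    key = find_deadbolt_key(CONSTRUCTED_TX)
    print("OP_RETURN key:", key)
    print("accepted by comparison hash:", key_matches(key, CONSTRUCTED_SUM))
    print("some other key accepted:", key_matches("0" * 32, CONSTRUCTED_SUM))
```

To use this on a real payment, feed find_deadbolt_key() the raw hex of the transaction that came back to your payment address (the output of `bitcoin-cli getrawtransaction <txid>`, or the raw hex an explorer shows), not the transaction you sent. The last two lines of the __main__ block are OneCD's point in code: with the hash in hand you can confirm a candidate key, and every other value is rejected; nothing in the hash lets you produce the 128-bit key, and that key space is not searchable.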