[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- First post
- Posts: 1
- Joined: Mon Jul 04, 2022 11:14 pm
Re: [RANSOMWARE] Deadbolt
Hi all, I'm new to this board and looking for some very specific advice regarding the DEADBOLT attack. Very much appreciate any guidance you can give me.
- I am a casual home user, using my TS-451 mainly for media storage.
- Got attacked by DEADBOLT a couple weeks ago, NAS has been shut down since I noticed it.
- A few weeks before the attack, I upgraded my 4 hard drives to larger ones (replaced them 1 by 1 in the RAID5 array).
- I think there's a very good chance the older drives, which I still have on hand, are unimpacted by the ransomware.
- I have no problem wiping the new drives, and reverting to the data on my older drives. Data loss would be minimal.
If possible at all, how would I go about doing that? Is it as simple as removing & wiping the new drives on a PC, upgrading the QNAP firmware with no media attached, and then plugging the old drives? Then I would go through the 1-by-1 drive upgrade again? I've been reading the steps on viewtopic.php?f=45&t=164887 and there's no mention of removing the actual malware - is that because it physically resides on the infected hard drives only?
Any advice is much welcome - I'm very concerned about plugging my old drives in a still-infected device and losing my only "clean" copy of the data, so I want to make sure I do my homework before trying anything.
Thanks in advance for your help!
- dolbyman
- Guru
- Posts: 35269
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
If you changed the drives one by one, they will be desynced from each other (with many hours or days in between), and a consistent state is very unlikely.
So the old drives do (probably) not contain a "clean version" of your data.
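An added illustration of dolbyman's point, written for this edit and not taken from any post in the thread: a toy RAID 5 model in Python (4 disks, tiny 4-byte blocks, XOR parity rotated across disks). Each drive is pulled one at a time, the NAS rebuilds its replacement, and the user keeps writing in between. The four pulled drives are then reassembled and checked stripe by stripe; every stripe rewritten between two pulls fails the parity check, which is exactly why the old set is not a clean copy. Block layout, stripe count and the "one stripe rewritten per swap" schedule are assumptions of the model, not QNAP's actual layout.

```python
"""
Toy RAID 5 model (4 disks, one 4-byte block per disk per stripe, XOR parity
rotated across disks). It shows why drives pulled one at a time during a
rolling capacity upgrade do not add up to a consistent array: every pulled
drive is a snapshot from a different moment.
"""

N_DISKS = 4
BLOCK = 4          # bytes per block; tiny so the model stays readable


def parity_disk(stripe: int) -> int:
    return stripe % N_DISKS          # rotate parity across the disks


def xor_blocks(blocks) -> bytes:
    out = bytes(BLOCK)
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def write_stripe(disks, stripe: int, data_blocks) -> None:
    """Write three data blocks and their XOR parity into one stripe."""
    p = parity_disk(stripe)
    data_disks = [d for d in range(N_DISKS) if d != p]
    for d, blk in zip(data_disks, data_blocks):
        disks[d][stripe] = blk
    disks[p][stripe] = xor_blocks(data_blocks)


def stripe_consistent(disks, stripe: int) -> bool:
    """A RAID 5 stripe is consistent iff all of its blocks XOR to zero."""
    return xor_blocks(disks[d][stripe] for d in range(N_DISKS)) == bytes(BLOCK)


def inconsistent_stripes(disks):
    return [s for s in range(len(disks[0])) if not stripe_consistent(disks, s)]


def rebuild_disk(disks, missing: int) -> None:
    """Resync a replacement drive: every block is the XOR of the other three."""
    others = [d for d in range(N_DISKS) if d != missing]
    disks[missing] = [xor_blocks(disks[d][s] for d in others)
                      for s in range(len(disks[0]))]


def make_block(stripe: int, k: int, generation: int) -> bytes:
    # bytes: stripe, data index, generation*(k+1), marker; "generation" counts rewrites
    return bytes([stripe & 0xFF, k, (generation * (k + 1)) & 0xFF, 0xA5])


def simulate_rolling_upgrade(n_stripes: int = 8):
    """Replace the 4 drives one by one, with the user writing data between swaps."""
    live = [[bytes(BLOCK)] * n_stripes for _ in range(N_DISKS)]
    for s in range(n_stripes):
        write_stripe(live, s, [make_block(s, k, 0) for k in range(3)])
    old = [None] * N_DISKS
    for d in range(N_DISKS):
        old[d] = list(live[d])                     # pull the old drive: frozen snapshot
        live[d] = [bytes(BLOCK)] * n_stripes       # insert blank larger drive
        rebuild_disk(live, d)                      # NAS resyncs it from the other three
        s = (d + 1) % n_stripes                    # NAS stays in use: one stripe rewritten
        write_stripe(live, s, [make_block(s, k, d + 1) for k in range(3)])
    return {
        "live_inconsistent": inconsistent_stripes(live),   # the array in the NAS
        "old_inconsistent": inconsistent_stripes(old),     # the four pulled drives
    }


if __name__ == "__main__":
    print(simulate_rolling_upgrade())
```

The live array stays consistent throughout (rebuild and full-stripe writes keep parity correct), while the reassembled old drives fail parity on stripes 1, 2 and 3: each was rewritten after one drive had already been pulled, so the pulled drive holds the pre-write block and the later-pulled drives hold the post-write blocks and parity. Reading "through" such a stripe gives a mix of two points in time, with no way to tell which blocks are which.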
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] Deadbolt
fullzeit wrote: ↑Mon Jul 04, 2022 11:35 pm
I've been reading the steps on viewtopic.php?f=45&t=164887 and there's no mention of removing the actual malware - is that because it physically resides on the infected hard drives only?
Maybe the malware only existed in RAM and was gone when the system was shut down. With ransomware, continuous reinfections aren't really necessary once the data have been encrypted, so there's a good chance that it's gone now. But the huge problem is that only the bad guys can know that for sure, so reinitializing all removable media that can be used for permanent data storage is the easy thing to do.
fullzeit wrote: ↑Mon Jul 04, 2022 11:35 pm
Any advice is much welcome - I'm very concerned about plugging my old drives in a still-infected device and losing my only "clean" copy of the data, so I want to make sure I do my homework before trying anything.
Don't forget that the extremely important lesson to be learned from this is that your data is constantly at risk if it isn't backed up on at least one other system. Ransomware is just one of the many threats that could have caused your data loss, so even if you do the right thing now and stop exposing the NAS on the internet, all the other threats are still there.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data: spend the storage budget wisely or pay with your data!
-
- New here
- Posts: 3
- Joined: Wed May 24, 2017 3:01 am
Re: [RANSOMWARE] Deadbolt
At long last, the Emsisoft decryptor is chugging through some 150 thousand files that got deadbolted mid-June. I had been skeptical but am finally recovering the files successfully. I'd never dealt in cryptocurrency, so learning about bitcoin, verifying an account, waiting for my balance to come available for transfer, fretting whether I got the thieves' address correct (were those 1s or ls in the address??), gritting my teeth to pay the ransom, then waiting for the return transaction with the decryption key, made for a long, painful process. Thank you to all the helpful contributors on this forum for guiding us through this ordeal and advising how to avoid such nightmares next time.
I want to alert folks to a problem I caused via Qsync through ignorance and confusion about its Space-Saving Mode options. I had been using the QNAP to backup files saved on local hard drive and to access them remotely. [Now I know better to make extra backups and turn off port-forwarding.] Soon after I detected deadbolt on the NAS, I hastily, stupidly changed some folder pair setting in Qsync, thinking I could restore the backup from the local files. I can't remember for sure which mode I enabled (locally available or always available), but when it got through syncing, it had done exactly the reverse of what I'd hoped, and now those local files were overwritten with encrypted deadbolt versions! Be careful with paired folders and Space-Saving modes.
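The worry above about "1s or ls" in the address is one the address formats are designed to catch: both Base58Check ("1..." and "3..." addresses) and Bech32 ("bc1q..." addresses, the form used later in this thread) carry a checksum, and the Base58 alphabet deliberately has no 0, O, I or l at all. The following is an added example written for this edit, not code from any post here: a self-contained checker in Python implementing both checksums from the public specifications (BIP173 for Bech32, double-SHA256 for Base58Check), so a ransom address can be verified for transcription errors before anything is sent. It uses only the standard library; the addresses in the demo at the bottom are copied from this thread, with one character deliberately altered in the last one.

```python
"""
Checksum validation for the two Bitcoin address formats that appear in this
thread: Base58Check ("1..." / "3...") and Bech32 ("bc1q..."). A transcription
error in a ransom address is caught by the checksum before any coins move.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # BIP173 (no 1, b, i, o)


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(body: bytes) -> str:
    """body = version byte + payload; appends the 4-byte double-SHA256 checksum."""
    raw = body + _sha256d(body)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out   # each leading 0x00 byte encodes as '1'


def base58check_decode(addr: str) -> bytes:
    """Return version byte + payload, or raise ValueError on a bad character/checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + raw
    if len(raw) < 5 or _sha256d(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]


def _bech32_polymod(values) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_decode(addr: str):
    """Return (hrp, 5-bit data values without checksum) for a BIP173 address."""
    if addr != addr.lower() and addr != addr.upper():
        raise ValueError("mixed-case Bech32 string")
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        raise ValueError("malformed Bech32 string")
    hrp, data_part = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data_part):
        raise ValueError("invalid Bech32 character")
    data = [BECH32_CHARSET.index(c) for c in data_part]
    if _bech32_polymod(_hrp_expand(hrp) + data) != 1:   # constant 1 = Bech32 (witness v0)
        raise ValueError("Bech32 checksum mismatch")
    return hrp, data[:-6]


def check_address(addr: str):
    """Return (True, address type) or (False, reason) without raising."""
    try:
        if addr.lower().startswith("bc1"):
            hrp, data = bech32_decode(addr)
            if hrp != "bc" or not data:
                return False, "not a mainnet segwit address"
            return True, f"bech32 witness v{data[0]}"
        body = base58check_decode(addr)
        if len(body) != 21:
            return False, f"unexpected payload length {len(body)}"
        kind = {0: "p2pkh (1...)", 5: "p2sh (3...)"}.get(body[0], f"version {body[0]}")
        return True, kind
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # first two copied from this thread; the third is the first with its last char changed
    for a in ("bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4",
              "37Tqm71HdSpGCqXUBzbAzhLuDGhpnUntL5",
              "bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r5"):
        print(a, check_address(a))
```

A checksum only proves the string was copied intact; it says nothing about who controls the address. The ransom page itself (the HTML file discussed further down this thread) remains the only source for which address is the right one.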
-
- New here
- Posts: 9
- Joined: Thu Nov 24, 2016 9:20 pm
Re: [RANSOMWARE] Deadbolt
Did this failing company ever send an apology to its users?
- dolbyman
- Guru
- Posts: 35269
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Just more security bulletins and hopefully less prominent "private cloud" buzzwords.. nothing otherwise.
What exactly do you expect them to do .. or are you just here to 'stir the pot'?
What did other manufacturers do about deadbolt?
https://www.asustor.com/knowledge/detail/?group_id=630
-
- New here
- Posts: 2
- Joined: Wed Jul 13, 2022 2:10 pm
Re: [RANSOMWARE] Deadbolt
Hello,
We have a similar problem; Deadbolt caught us.
I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.
Can someone help, has the deactivation key been provided to us?
Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4
Thank you in advance for your help.
Adam
- OneCD
- Guru
- Posts: 12146
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
problem2022 wrote: ↑Wed Jul 13, 2022 2:15 pm
I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.
I think this is Deadbolt v2. The previous version requests 0.03 BTC, and the screens look different.
How long has it been since you paid? It can take a few hours for the decryption key to be published.
-
- New here
- Posts: 2
- Joined: Wed Jul 13, 2022 2:10 pm
Re: [RANSOMWARE] Deadbolt
We paid yesterday morning - this sh*t happened yesterday morning at about 5 a.m. and we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.
-
- Experience counts
- Posts: 1819
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] Deadbolt
problem2022 wrote: ↑Wed Jul 13, 2022 2:44 pm
We paid yesterday morning - this sh*t happened yesterday morning at about 5 a.m. and we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.
I presume the ransom has gone up as the value of Bitcoin has gone down.
It has received a total of 0.05080000 BTC ($1,001.31)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
- OneCD
- Guru
- Posts: 12146
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
problem2022 wrote: ↑Wed Jul 13, 2022 2:15 pm
I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.
Can someone help, has the deactivation key been provided to us?
Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4
I've just rechecked and there's now the expected transaction for +0.00005460 BTC shown.
Your decryption key is: 67a045b357f5d700fec426d6402964cb
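What OneCD is reading off the block explorer above is Deadbolt's key-delivery mechanism: after a payment, the attackers broadcast a follow-up transaction that pays a tiny amount back to the ransom address (the +0.00005460 BTC) and carries the 32-hex-character decryption key in an OP_RETURN output. The block below is an added example written for this edit, not code from any post here: it parses a raw legacy (non-witness) Bitcoin transaction, looks for that dust-plus-OP_RETURN pattern and validates the key format. The transaction bytes are constructed inside the block (made-up input, made-up 20-byte P2WPKH hash for the ransom address, the key value reused from this post); nothing is fetched from the network, and the 10,000-satoshi "dust" threshold is an assumption of the example.

```python
"""
Extract a Deadbolt-style decryption key from a Bitcoin transaction: the key
sits in an OP_RETURN output of a transaction that also pays dust back to the
ransom address. Parses a raw legacy (non-witness) transaction. Sample bytes
are constructed here, not a real broadcast transaction.
"""
import re
import struct

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
KEY_RE = re.compile(r"^[0-9a-f]{32}$")      # 32 hex chars, as seen in this thread
MAX_REFUND_SAT = 10_000                       # "signal" output is dust, not a refund


def read_varint(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_outputs(raw: bytes):
    """Walk a legacy transaction and return [(value_sat, scriptPubKey), ...]."""
    pos = 4                                   # version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """Return the data pushed after OP_RETURN, or None if not an OP_RETURN script."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 75:                         # direct push of `op` bytes
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    else:
        return None
    return script[start:start + length]


def extract_deadbolt_key(raw_hex: str, ransom_script: bytes):
    """Key text if the tx pays dust to the ransom address and carries a key, else None."""
    outputs = parse_outputs(bytes.fromhex(raw_hex))
    signalled = any(script == ransom_script and 0 < value <= MAX_REFUND_SAT
                    for value, script in outputs)
    if not signalled:
        return None
    for _, script in outputs:
        data = op_return_payload(script)
        if data is None:
            continue
        text = data.decode("ascii", errors="replace").strip()
        if KEY_RE.match(text):
            return text
    return None


def build_tx(outputs) -> bytes:
    """Serialize a one-input legacy transaction (constructed sample, never broadcast)."""
    tx = struct.pack("<i", 1) + encode_varint(1)
    tx += b"\x11" * 32 + struct.pack("<I", 0)                # fake previous outpoint
    tx += encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)   # empty scriptSig, sequence
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    return tx + struct.pack("<I", 0)                         # locktime


# Constructed sample: ransom address modelled as P2WPKH with a made-up hash;
# the key value is the one posted in this thread.
RANSOM_SCRIPT = b"\x00\x14" + bytes(range(20))
SAMPLE_KEY = "67a045b357f5d700fec426d6402964cb"
SAMPLE_TX_HEX = build_tx([
    (5460, RANSOM_SCRIPT),
    (0, bytes([OP_RETURN, len(SAMPLE_KEY)]) + SAMPLE_KEY.encode()),
    (250_000, b"\x00\x14" + bytes(range(20, 40))),          # attacker's change
]).hex()

if __name__ == "__main__":
    print(extract_deadbolt_key(SAMPLE_TX_HEX, RANSOM_SCRIPT))
```

Matching on the dust output to the victim's own ransom address is what ties a key to a particular payment: the OP_RETURN alone says nothing about whose files it unlocks, and an explorer's "OP_RETURN" decode will show any text the attackers choose to put there.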
-
- First post
- Posts: 1
- Joined: Sat Jul 16, 2022 2:46 am
Re: [RANSOMWARE] Deadbolt
Hello, everyone.
Maybe someone cares where all the money ends up or can we do something?
A friend of mine got it too, and out of boredom I've just looked at where the money now goes.
It wanders a long way :D
37Tqm71HdSpGCqXUBzbAzhLuDGhpnUntL5 ( one of the accounts )
38JyV1kPHPcGo3W2YXiZ5fT8WPhaQFmtiE ( a big main account )
32yWE85WtzSeuEtCZgHKTBC1zsuhnF2Jar ( a second one )
bc1q2frckgjcnk3hnsm7j4gycqpup8ad6ljkcn9nxe ( maybe a small private one )
1CtUASFxYRaWKg3RH6aAn6YHtqfRALhzTH
3Lgdy2QWpWgmPETwgb8VKxMfaCpjwPfyz8
3HGGfNtkwKHFDjzhKRH4Mty2UUTvXt64hm
bc1q5ch73jv88czngker5s73wwmkljwpfupfw9cj96 ( here they copy every time to other accounts )
But I think the money didn't come back.
So much money.
Or it is simply the accounts of the services with which they rotate the money.
- dolbyman
- Guru
- Posts: 35269
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Probably laundered through exchanges and larger wallets.
-
- New here
- Posts: 8
- Joined: Sun Jul 17, 2022 3:40 pm
Re: [RANSOMWARE] Deadbolt
* Need to track down the elusive HTML page with the crypto details *
Another one here, who's only just discovered the bad news.
And just spent the last few hours reading all 69 pages on here, and making plenty of notes.
Thanks to lots of you for some really good info!
I'll have to pay the ransom sadly. 5TB of data, only backed up to an attached USB drive - with the files also encrypted.
Problem is, I've also lost the HTML page with the details for the crypto transfer.
Have submitted a ticket to QNAP, but doubt I'll hear until Monday.
Their link for how to get it back had been posted numerous times, but is now dead.
One person even very kindly posted a cached version - but that no longer works.
Does anyone happen to have the proper instructions from QNAP for recovering the index html page?
Many thanks all.
- OneCD
- Guru
- Posts: 12146
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
Hi and welcome to the forum.
Looks like QNAP have lost the FAQ page again.
Here's the current Google-cached copy (I'll paste it into this post so we don't lose it again, along with a few corrections):
How do I restore deadbolt page for decrypting the files if I have the correct password?
Applicable Products:
- Malware
- Security
Important: After carrying out the steps below, but failing to access the deadbolt page, please contact QNAP customer service.
Follow the steps to restore the original deadbolt page:
- Log in to QTS as an administrator,
- Open the App Center,
- Disable Malware Remover,
Note: Malware Remover must be disabled before running the following steps.
- SSH access the NAS,
- Use the command:
wget https://download.qnap.com/Storage/tsd/utility/extract_deadbolt_v4.sh; sh extract_deadbolt_v4.sh; chmod +x /home/httpd/index.html
- Open Web Browser and access deadbolt page using the URL: http://YOUR_NAS_IP:8080/index.html
For example:
Qfinder locates your NAS at 10.32.72.48
- Deadbolt page can be accessed using the URL http://10.32.72.48:8080/index.html
- QTS Web interface (HTTP) can be accessed using the URL http://10.32.72.48:8080/cgi-bin/index.cgi
- QTS Web interface (HTTPS) can be accessed using the URL https://10.32.72.48/cgi-bin/index.cgi
- After the password has been entered and the files are decrypted, enable Malware Remover to remove deadbolt-related files:
- Log in to QTS as an administrator
- Open the App Center
- Enable Malware Remover