[RANSOMWARE] >>READ 1st Post<< Deadbolt

fullzeit
First post
Posts: 1
Joined: Mon Jul 04, 2022 11:14 pm

Re: [RANSOMWARE] Deadbolt

Post by fullzeit »

Hi all, I'm new to this board and looking for some very specific advice regarding the DEADBOLT attack. Very much appreciate any guidance you can give me.

- I am a casual home user, using my TS-451 mainly for media storage.
- Got attacked by DEADBOLT a couple weeks ago, NAS has been shut down since I noticed it.
- A few weeks before the attack, I upgraded my 4 hard drives to larger ones (replaced them 1 by 1 in the RAID5 array).
- I think there's a very good chance the older drives, which I still have on hand, are unimpacted by the ransomware.
- I have no problem wiping the new drives, and reverting to the data on my older drives. Data loss would be minimal.

If possible at all, how would I go about doing that? Is it as simple as removing & wiping the new drives on a PC, upgrading the QNAP firmware with no media attached, and then plugging in the old drives? Then I would go through the 1-by-1 drive upgrade again? I've been reading the steps on viewtopic.php?f=45&t=164887 and there's no mention of removing the actual malware - is that because it physically resides on the infected hard drives only?

Any advice is much welcome - I'm very concerned about plugging my old drives in a still-infected device and losing my only "clean" copy of the data, so I want to make sure I do my homework before trying anything.

Thanks in advance for your help!
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

If you changed the drives one by one, they will be desynced from each other (with many hours or days in between), and a consistent state is very unlikely.

So the old drives (probably) do not contain a "clean version" of your data.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

fullzeit wrote: Mon Jul 04, 2022 11:35 pm
    I've been reading the steps on viewtopic.php?f=45&t=164887 and there's no mention of removing the actual malware - is that because it physically resides on the infected hard drives only?

Maybe the malware only existed in RAM and was gone when the system was shut down. With ransomware, continuous reinfections aren't really necessary when the data have been encrypted, so there's a good chance that it's gone now. But the huge problem is that only the bad guys can know that for sure, so reinitializing all removable media that can be used for permanent data storage is the easy thing to do.

fullzeit wrote: Mon Jul 04, 2022 11:35 pm
    Any advice is much welcome - I'm very concerned about plugging my old drives in a still-infected device and losing my only "clean" copy of the data, so I want to make sure I do my homework before trying anything.

Don't forget that the extremely important lesson to be learned from this is that your data is constantly at risk if it isn't backed up on at least one other system. Ransomware is just one of the many threats that could have caused your data loss, so even if you do the right thing now and stop exposing the NAS on the internet, all the other threats are still there.

RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
qscott
New here
Posts: 3
Joined: Wed May 24, 2017 3:01 am

Re: [RANSOMWARE] Deadbolt

Post by qscott »

At long last, the Emsisoft decryptor is chugging through some 150 thousand files that got deadbolted mid-June. I had been skeptical but am finally recovering the files successfully. I'd never dealt in cryptocurrency, so learning about bitcoin, verifying an account, waiting for my balance to come available for transfer, fretting whether I got the thieves' address correct (were those 1s or ls in the address??), gritting my teeth to pay the ransom, then waiting for the return transaction with the decryption key, made for a long, painful process. Thank you to all the helpful contributors on this forum for guiding us through this ordeal and advising how to avoid such nightmares next time.

I want to alert folks to a problem I caused via Qsync through ignorance and confusion about its Space-Saving Mode options. I had been using the QNAP to back up files saved on my local hard drive and to access them remotely. [Now I know better: make extra backups and turn off port-forwarding.] Soon after I detected Deadbolt on the NAS, I hastily, stupidly changed some folder-pair setting in Qsync, thinking I could restore the backup from the local files. I can't remember for sure which mode I enabled (locally available or always available), but when it got through syncing, it had done exactly the reverse of what I'd hoped, and now those local files were overwritten with encrypted Deadbolt versions! Be careful with paired folders and Space-Saving modes.
Buckyball60
New here
Posts: 9
Joined: Thu Nov 24, 2016 9:20 pm

Re: [RANSOMWARE] Deadbolt

Post by Buckyball60 »

Did this failing company ever send an apology to its users?
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Just more security bulletins and hopefully less prominent "private cloud" buzzwords... nothing otherwise.

What exactly do you expect them to do... or are you just here to 'stir the pot'?

What did other manufacturers do about deadbolt?
https://www.asustor.com/knowledge/detail/?group_id=630
problem2022
New here
Posts: 2
Joined: Wed Jul 13, 2022 2:10 pm

Re: [RANSOMWARE] Deadbolt

Post by problem2022 »

Hello,

We have a similar problem: Deadbolt caught us.

I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.

Can someone help? Has the deactivation key been provided to us?

Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4

Thank you in advance for your help.


Adam
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

problem2022 wrote: Wed Jul 13, 2022 2:15 pm
    I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.

I think this is Deadbolt v2. The previous version requests 0.03 BTC, and the screens look different.

How long has it been since you paid? It can take a few hours for the decryption key to be published.

problem2022
New here
Posts: 2
Joined: Wed Jul 13, 2022 2:10 pm

Re: [RANSOMWARE] Deadbolt

Post by problem2022 »

We paid yesterday morning - this sh*t happened yesterday morning at about 5 a.m. - we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

problem2022 wrote: Wed Jul 13, 2022 2:44 pm
    We paid yesterday morning - this sh*t happened yesterday morning at about 5 a.m. - we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.

I presume the ransom has gone up as the value of Bitcoin has gone down.
It has received a total of 0.05080000 BTC ($1,001.31)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

problem2022 wrote: Wed Jul 13, 2022 2:15 pm
    I have the key for which we made the payment - unfortunately it was a bit higher, 0.05080000 BTC.

    Can someone help? Has the deactivation key been provided to us?

    Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4

I've just rechecked and there's now the expected transaction for +0.00005460 BTC shown.

Your decryption key is: 67a045b357f5d700fec426d6402964cb

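OneCD's reply doesn't say where the key was read from; Deadbolt is known to publish it as the data of an OP_RETURN output in the small transaction it sends back to the ransom address, which is why a tiny incoming amount shows up after payment. The script below is an added Python example, not code from this thread or from QNAP: it walks the outputs of a serialized Bitcoin transaction and returns every OP_RETURN payload. The transaction it parses is constructed inside the script (the previous-txid, script hash and key value are dummies; the key string is the one posted above, used only as sample data), so it runs offline and is not a real Deadbolt transaction.

```python
import struct

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def extract_op_return(raw_tx_hex: str) -> list[bytes]:
    """Return the data pushed by every OP_RETURN output of a serialized transaction."""
    tx = bytes.fromhex(raw_tx_hex)
    pos = 4                                    # 4-byte version
    if tx[pos:pos + 2] == b"\x00\x01":
        pos += 2                               # segwit marker + flag
    n_in, pos = read_varint(tx, pos)
    for _ in range(n_in):                      # inputs carry nothing we need
        pos += 36                              # prev txid (32) + vout index (4)
        script_len, pos = read_varint(tx, pos)
        pos += script_len + 4                  # scriptSig + sequence
    n_out, pos = read_varint(tx, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                               # value in satoshis (8 bytes)
        script_len, pos = read_varint(tx, pos)
        script = tx[pos:pos + script_len]
        pos += script_len
        # OP_RETURN (0x6a) followed by a direct push opcode 0x01..0x4b (1..75 bytes)
        if len(script) >= 2 and script[0] == 0x6A and 1 <= script[1] <= 75:
            payloads.append(script[2:2 + script[1]])
    return payloads

def build_sample_tx(key: bytes) -> str:
    """Constructed stand-in, not a real Deadbolt transaction: one input, a 546-sat
    output to a dummy P2WPKH script and a zero-value OP_RETURN output carrying `key`."""
    tx = struct.pack("<I", 2)                                   # version 2, non-segwit
    tx += b"\x01" + b"\x11" * 32 + struct.pack("<I", 0)         # 1 input: dummy prev txid, vout 0
    tx += b"\x00" + struct.pack("<I", 0xFFFFFFFF)               # empty scriptSig, sequence
    tx += b"\x02"                                               # 2 outputs
    tx += struct.pack("<Q", 546) + b"\x16\x00\x14" + b"\x22" * 20   # dust to a dummy P2WPKH
    op_return = b"\x6a" + bytes([len(key)]) + key
    tx += struct.pack("<Q", 0) + bytes([len(op_return)]) + op_return
    return (tx + struct.pack("<I", 0)).hex()                    # locktime 0

if __name__ == "__main__":
    for data in extract_op_return(build_sample_tx(b"67a045b357f5d700fec426d6402964cb")):
        print("OP_RETURN payload:", data.decode("ascii", errors="replace"))
```

To use it on a live transaction, fetch the raw hex from your own node or a block explorer and pass it to extract_op_return; nothing here contacts the network.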
Rockerking
First post
Posts: 1
Joined: Sat Jul 16, 2022 2:46 am

Re: [RANSOMWARE] Deadbolt

Post by Rockerking »

Hello, everyone.
Maybe someone cares where all the money ends up, or whether we can do something?
A friend of mine got it too, and I've just looked out of boredom at where the money now goes.
It wanders a long way :D

But I think the money didn't come back :(
So much money :(
Or it is simply the accounts of the services with which they rotate the money.
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Probably laundered through exchanges and larger wallets.
Stu-Q
New here
Posts: 8
Joined: Sun Jul 17, 2022 3:40 pm

Re: [RANSOMWARE] Deadbolt

Post by Stu-Q »

* Need to track down the elusive HTML page with the crypto details *

Another one here, who's only just discovered the bad news.
And just spent the last few hours reading all 69 pages on here, and making plenty of notes.
Thanks to lots of you for some really good info!

I'll have to pay the ransom sadly. 5TB of data, only backed up to an attached USB drive - with the files also encrypted.

Problem is, I've also lost the HTML page with the details for the crypto transfer.
Have submitted a ticket to QNAP, but doubt I'll hear until Monday.
Their link for how to get it back had been posted numerous times, but is now dead.
One person even very kindly posted a cached version - but that no longer works.

Does anyone happen to have the proper instructions from QNAP for recovering the index html page?
Many thanks all.
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Hi and welcome to the forum. :)
Stu-Q wrote: Sun Jul 17, 2022 3:53 pm
    Does anyone happen to have the proper instructions from QNAP for recovering the index html page?

Looks like QNAP have lost the FAQ page again.

Here's the current Google-cached copy (I'll paste it into this post so we don't lose it again, along with a few corrections):
How do I restore the Deadbolt page for decrypting the files if I have the correct password?

Applicable Products:
  • Malware
  • Security

Important: If you have carried out the steps below but still cannot access the Deadbolt page, please contact QNAP customer service.

Follow these steps to restore the original Deadbolt page:
  1. Log in to QTS as an administrator.
  2. Open the App Center.
  3. Disable Malware Remover.
     Note: Malware Remover must be disabled before running the following steps.
  4. SSH into the NAS.
  5. Run the command:

     wget https://download.qnap.com/Storage/tsd/utility/extract_deadbolt_v4.sh; sh extract_deadbolt_v4.sh; chmod +x /home/httpd/index.html

  6. Open a web browser and access the Deadbolt page using the URL: http://YOUR_NAS_IP:8080/index.html
     For example, if Qfinder locates your NAS at 10.32.72.48, use http://10.32.72.48:8080/index.html
  7. After the files have been decrypted by entering the password, enable Malware Remover to remove Deadbolt-related files:
     1. Log in to QTS as an administrator
     2. Open the App Center
     3. Enable Malware Remover