[RANSOMWARE] >>READ 1st Post<< Deadbolt

OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

I can only suggest you contact the Emsisoft people and see if they can help.

lleong
New here
Posts: 8
Joined: Wed Feb 22, 2017 8:22 am

Re: [RANSOMWARE] Deadbolt

Post by lleong »

lleong wrote: Sat Aug 06, 2022 4:27 pm
OneCD wrote: Sat Aug 06, 2022 3:34 pm
lleong wrote: Sat Aug 06, 2022 3:30 pm ==================================
Starting...

File: G:\test\GOPR0951.MP4.deadbolt
Error: Wrong key

Finished!

=================================
That's the first time I've seen this occur. :'

Are you only dealing with a single NAS or do you have multiple infected NAS?
Just my luck :(

This is a single NAS. I had to copy the encrypted file over to my Windows 11 PC hard drive since Emsisoft won't work with networked drives.
Tried to decrypt using a Windows 10 laptop and getting the same results.
lleong
New here
Posts: 8
Joined: Wed Feb 22, 2017 8:22 am

Re: [RANSOMWARE] Deadbolt

Post by lleong »

Hi -

I've also noticed that all of my pictures with a .jpg extension now have a .jpg.encrypt extension.

Example: Xmas_Photo.jpg is now Xmas_Photo.jpg.encrypt

Is this part of the Deadbolt ransomware? Only my .jpgs have been renamed. All other files have .deadbolt extension.

Emsisoft decryptor won't recognize the .jpg.encrypt files. What can I use to decrypt these files?
lleong
New here
Posts: 8
Joined: Wed Feb 22, 2017 8:22 am

Re: [RANSOMWARE] Deadbolt

Post by lleong »

lleong wrote: Sat Aug 06, 2022 5:03 pm Hi -

I've also noticed that all of my pictures with a .jpg extension now have a .jpg.encrypt extension.

Example: Xmas_Photo.jpg is now Xmas_Photo.jpg.encrypt

Is this part of the Deadbolt ransomware? Only my .jpgs have been renamed. All other files have .deadbolt extension.

Emsisoft decryptor won't recognize the .jpg.encrypt files. What can I use to decrypt these files?
I think I just found my answer. I was also affected by the eCh0raix Ransomware. :(
lleong
New here
Posts: 8
Joined: Wed Feb 22, 2017 8:22 am

Re: [RANSOMWARE] Deadbolt

Post by lleong »

PaulAtreidis wrote: Sat Aug 06, 2022 5:44 pm
lleong wrote: Sat Aug 06, 2022 5:07 pm
lleong wrote: Sat Aug 06, 2022 5:03 pm Hi -

I've also noticed that all of my pictures with a .jpg extension now have a .jpg.encrypt extension.

Example: Xmas_Photo.jpg is now Xmas_Photo.jpg.encrypt

Is this part of the Deadbolt ransomware? Only my .jpgs have been renamed. All other files have .deadbolt extension.

Emsisoft decryptor won't recognize the .jpg.encrypt files. What can I use to decrypt these files?
I think I just found my answer. I was also affected by the eCh0raix Ransomware. :(
Is your NAS exposed to the internet?
It was. Not any more. Any suggestions on my situation? I'd hate to lose all my family photos. Wifey would be most upset.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lleong wrote: Sat Aug 06, 2022 11:39 pm I think I just found my answer. I was also affected by the eCh0raix Ransomware. :(
Off topic for this thread, but here is the QNAP advisory
https://www.qnap.com/en/how-to/faq/arti ... y-ech0raix
and other warnings
https://www.bleepingcomputer.com/news/s ... e-attacks/

(and for the QNAP haters out there, this one also hit Synology :roll: )
Last edited by dosborne on Sat Aug 06, 2022 11:44 pm, edited 1 time in total.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
amdil
New here
Posts: 2
Joined: Tue Aug 02, 2022 7:13 am

Re: [RANSOMWARE] Deadbolt

Post by amdil »

dosborne wrote: Sat Aug 06, 2022 3:13 pm
amdil wrote: Sat Aug 06, 2022 3:08 pm How to find decryption key? I paid to address: bc1q2mavpmjl82zf5ltl2pdeyd99qqw3hd3smxf8fx
Thank you in advance for help.
Directions: viewtopic.php?p=818604#p818604
Which I believe makes your key
0f17d222adea7fa015b4d74464afd1da
Thanks! I found the same key and it's correct.
MarkSn
First post
Posts: 1
Joined: Sun Aug 07, 2022 4:25 pm

Re: [RANSOMWARE] Deadbolt

Post by MarkSn »

My qnap, dropbox and onedrive got infected with the deadbolt ransomware on 29/7. Lesson; never backup your onedrive to the QNAP nas. Yesterday I decided to pay the 0,05BC and found the key. I used the Emsisoft decryptor and the deadbolt decryptor. Both worked fine. Many thanks to all the people on this platform and especially to OneCD for the manual to find the OP_return code. It seems the hackers automated this process during their downtime since the code was available directly after transferring the bitcoins. Good luck to all of you still struggling.

Furthermore, I saw the Emsisoft tool was downloaded 17k times...17.000 x €1000 plus all the other tools used....I guess some people are looking for a new yacht now.

KR
Mark
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

MarkSn wrote: Sun Aug 07, 2022 4:34 pm My qnap, dropbox and onedrive got infected with the deadbolt ransomware on 29/7. Lesson; never backup your onedrive to the QNAP nas.
No that can't be the lesson. If you backup from Onedrive to the Qnap, Onedrive should still have your original files untouched.

The idea with a backup copy is that either the source data or the backup destination could be lost/corrupted/whatever but the other one will always be okay.

The most important lesson to learn is to stop having the Qnap reachable from the internet. The second lesson is to get a robust backup strategy that protects the data from any threat, not only ransomware.
Furthermore, I saw the Emsisoft tool was downloaded 17k times...17.000 x €1000 plus all the other tools used....I guess some people are looking for a new yacht now.
Part of it is invested in intensifying the search for new vulnerabilities in internet exposed Qnaps and other NASes. Successful criminals are unlikely to quit but will of course come back for more. As long as people expose their NASes and pay the ransom, the ransomware threat will only get worse.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Barbreaker
New here
Posts: 3
Joined: Tue Aug 09, 2022 2:45 pm

Re: [RANSOMWARE] Deadbolt

Post by Barbreaker »

Hi everybody. I can't figure out my key. I paid to bc1q5pe2akjh4fvmrteqk2lz85stsezf0fwds5wzk9 and can't find the key. Could some kind soul help me, please!? Thanks!!!!!
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Barbreaker wrote: Tue Aug 09, 2022 2:53 pm I paid to bc1q5pe2akjh4fvmrteqk2lz85stsezf0fwds5wzk9 and can't find the key.
Your decryption key is: 97695effc10fdc7e62e1a0322fc40ae9

Barbreaker
New here
Posts: 3
Joined: Tue Aug 09, 2022 2:45 pm

Re: [RANSOMWARE] Deadbolt

Post by Barbreaker »

OneCD wrote: Tue Aug 09, 2022 2:56 pm
Barbreaker wrote: Tue Aug 09, 2022 2:53 pm I paid to bc1q5pe2akjh4fvmrteqk2lz85stsezf0fwds5wzk9 and can't find the key.
Your decryption key is: 97695effc10fdc7e62e1a0322fc40ae9
Thank you very much!!! It said that the key is correct but when I hit "Decrypt Files" it looks like nothing happens? How can I tell if it's working or is there anything else to do?
OneCD
Guru
Posts: 12038
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Barbreaker wrote: Tue Aug 09, 2022 3:34 pm It said that the key is correct but when I hit "Decrypt Files" it looks like nothing happens? How can I tell if it's working or is there anything else to do?
Hope this helps: https://www.qnap.com/en/how-to/faq/arti ... hould-i-do

Barbreaker
New here
Posts: 3
Joined: Tue Aug 09, 2022 2:45 pm

Re: [RANSOMWARE] Deadbolt

Post by Barbreaker »

Just started with the EMSISOFT Decrypter. It takes a while till it starts decrypting - but it's working fine. First files are recovered :-)
Thanks again for your help!
tomaii
New here
Posts: 7
Joined: Thu Jul 28, 2022 5:46 am

Re: [RANSOMWARE] Deadbolt

Post by tomaii »

Ransom of 0.05 BTC was paid at bc1q8jvrqkpkdf6ermhcjvywgtvqkkr25t5dyw80sm.

I didn’t expect it but the app took 0.0006BTC fee. I am BTC-dumb so had to create a wallet account and transfers, in a hurry, just for this event.

The amount received on the other end was 0,0494BTC.

No OP_Return yet, but since I just did the transfer I should wait 24-48h.

My question: will the fee be a problem? Or is this common among newbies and they will probably deliver the key?

Thank you so much, I imagine the forum is run by volunteers. I have a deep thought for you all, answering over and over our questions! You sure got my respect! In this story, it is clear who gets the good and who gets the bad karma.
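
Added example, not part of any post in this thread and not QNAP's or Emsisoft's code: several posts above refer to finding the decryption key in an OP_RETURN. This Python sketch extracts the data pushed after OP_RETURN from an output script given as hex and accepts it as a key candidate only if it is 16 bytes (32 hex characters, the length of the keys quoted in this thread, taken here as an assumption); the function names and sample scripts are constructed for illustration.

```python
from typing import Optional

OP_RETURN = 0x6A      # marks a data-carrying, unspendable output
OP_PUSHDATA1 = 0x4C   # the next byte holds the push length
KEY_BYTES = 16        # assumption: keys quoted in this thread are 32 hex chars


def op_return_payload(script_hex: str) -> Optional[bytes]:
    """Return the single data push after OP_RETURN, or None if malformed."""
    try:
        script = bytes.fromhex(script_hex.strip())
    except ValueError:            # odd length or non-hex characters
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None               # e.g. an ordinary payment output
    opcode = script[1]
    if 1 <= opcode <= 75:         # direct push: the opcode is the length
        start, length = 2, opcode
    elif opcode == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    else:
        return None
    # Reject truncated pushes and trailing bytes after the push.
    if start + length != len(script):
        return None
    return script[start:]


def key_candidate(script_hex: str) -> Optional[str]:
    """Return the payload as lowercase hex if it has the expected key length."""
    data = op_return_payload(script_hex)
    if data is None or len(data) != KEY_BYTES:
        return None
    return data.hex()


if __name__ == "__main__":
    # Constructed samples, not taken from any real transaction.
    sample_key = "00112233445566778899aabbccddeeff"
    outputs = {
        "payment (P2WPKH)": "0014" + "ab" * 20,
        "OP_RETURN, 16 bytes": "6a10" + sample_key,
        "OP_RETURN, truncated": "6a10" + sample_key[:8],
    }
    for label, script in outputs.items():
        print(f"{label}: {key_candidate(script)}")
```

A `None` result for every output of a transaction means no key-sized OP_RETURN is present in it, which matches the "No OP_Return yet" state described above.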