[RANSOMWARE] >>READ 1st Post<< Deadbolt

dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Wait a couple of days and see... only the criminals would know if they have a threshold (unknown if processing of the ransom keys is automated or manual).
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

tomaii wrote: Thu Aug 11, 2022 7:44 am I didn't expect it but the app took a 0.0006 BTC fee. I am BTC-dumb so I had to create a wallet account and transfers, in a hurry, just for this event.
The amount received on the other end was 0.0494 BTC.
I'm pretty sure that (fee) was previously covered in this thread. As the process is (or could be) automated, and based on the posts of others, I wouldn't be surprised if you will end up having to pay the difference in order to get a decryption key. Nobody knows for sure, but that seems to be the trend. You are dealing with criminals after all and have no way to communicate with them. However, as I recall, some of the reports were due to the original ransom amount of 0.03 vs the newer ransom of 0.05 so you may get "lucky". Good luck, hope you will consider a backup in the future.

It makes me very sad to read about people paying to support criminal activity when a backup would be cheaper and not funding the next wave of attacks. A backup also protects you against a whole range of other situations.....
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
mashlalani
First post
Posts: 1
Joined: Thu Aug 11, 2022 6:17 pm

Re: [RANSOMWARE] Deadbolt

Post by mashlalani »

Hello all, we are having trouble: we have a QNAP server which has been attacked by some hackers and is showing a Deadbolt error. The hackers are asking for big money; is there any other solution to resolve the issue?
If anyone could help, it would be very helpful.
george14
New here
Posts: 3
Joined: Tue Dec 17, 2013 12:10 am

Re: [RANSOMWARE] Deadbolt

Post by george14 »

I have been trying to use photorec and qrescue.sh.
QNAP support are telling me the qrescue.sh is not compatible with DEADBOLT because "Deadbolt does not delete the files".

Has anyone successfully recovered any Deadbolt files using the photorec/qrescue.sh approach?
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

mashlalani wrote: Thu Aug 11, 2022 6:46 pm Hello all, we are having trouble: we have a QNAP server which has been attacked by some hackers and is showing a Deadbolt error. The hackers are asking for big money; is there any other solution to resolve the issue?
If anyone could help, it would be very helpful.
Please read the very first post in this thread. Your backup or the ransom are your options at this time.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

george14 wrote: Thu Aug 11, 2022 7:48 pm Has anyone successfully recovered any Deadbolt files using the photorec/qrescue.sh approach?
Already covered in this thread if you read it (starting with post #1).

Photorec is for QLocker and has had zero reported success with Deadbolt. Recovery from your backup or paying the ransom are your options at this time.
tomaii
New here
Posts: 7
Joined: Thu Jul 28, 2022 5:46 am

Re: [RANSOMWARE] Deadbolt

Post by tomaii »

dosborne wrote: Thu Aug 11, 2022 9:00 am It makes me very sad to read about people paying to support criminal activity when a backup would be cheaper and not funding the next wave of attacks. A backup also protects you against a whole range of other situations.....
OK, I hope the hardest steps are over. I finally got the key! (I had to add the missing fee amount, and the OP_RETURN appeared in a minute.)

About the backup advice, we all got it, at this point.

Depending on the files that got stolen, the feelings can be very overwhelming: anger, shame, guilt, regret, etc.

Even if in the end those who give the advice are right, it can be very hard to take when you are in the middle of dealing with all this sh*t.

Same for reminding us that criminals are behind this, and our money will just feed them… We all know it, and it hurts, but if we do it, it’s because we are out of options.

Repeating how dumb we are for not having made backups is not helping anyone. In that situation, we look for solutions.

For myself, I am far from being the network administrator for a big company... It is not my profession. I am a freelancer in arts, working very hard to keep my business rolling. I can't be perfect and know everything about every computer device I use.

So please, when someone is caught in the middle of this, try not to shame or guilt that person.

And I do think QNAP's response is weak and disappointing, to say the least.

In all cases, thank you so much for your time!
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

tomaii wrote: Fri Aug 12, 2022 10:12 am Same for reminding us that criminals are behind this, and our money will just feed them… We all know it, and it hurts, but if we do it, it's because we are out of options.
The lesson about backups cannot be repeated enough. If everybody already knew how important a backup is for ANY reason, not just ransomware, then you and the many others would not be posting here now.

By supporting the criminal activity (paying) you are not just taking a hit financially, you (collectively) are putting everyone at risk, as hundreds of thousands of dollars can then be used to find new ways that could target us all.

You *DID* have an option, in fact, 2 options. Pay, or not pay. If your NAS had been stolen (or burnt up in a fire) you would have no options other than complete data loss.

I'm sorry if you feel embarrassed, but by talking about the problem and repeatedly educating people about the importance of backups against many different threats, others may learn *before* they get hit or run into other issues. The day people stop posting that they were hit by ransomware and had no backup is the day I will stop reminding people to have a backup against as many threats as possible. This is only ONE of MANY possible threats.

Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
lama01
Starting out
Posts: 15
Joined: Sat Jul 30, 2011 3:41 am

Re: [RANSOMWARE] Deadbolt

Post by lama01 »

Stu-Q wrote: Wed Jul 27, 2022 7:24 pm Hi all,
Bad news for those following my case. QNAP tech support tried to recover the Deadbolt html page, as per my support ticket.
They came back and said the script they ran uncovered nothing.
I politely pushed back and asked if someone else could have a more in-depth look. To their credit they did (or said they did) but still found nothing - and apologised saying there was nothing else they could do.
So that's all my data gone sadly, and not sure what else I can do.
If the makers of the drive can't recover the Deadbolt html page, then I very much doubt a third party can.
I'll keep my eye on this thread in case anyone else comes up with a miracle solution, but think I have to admit defeat in ever seeing 15+ years worth of media files again.
Good luck to the rest of you.
Hi Stu-Q
It's been a while since your last post. Did you find the miracle solution to recover the ransom note page in the meantime?
In my (identical) case QNAP support also asked me for remote access, which I opened almost 2 weeks ago. But it's been radio silence since then. I did not notice any remote access and my friendly questions about the progress are not answered at all. This probably isn't a good sign.
I find QNAP's behavior really disappointing. However, after all one can read in the forum, it's not really surprising. At least they should confess that their advice to update the firmware / run the malware tool was not a good idea, since this destroyed the only way to get the data back.
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: [RANSOMWARE] Deadbolt

Post by ColHut »

P3R wrote: Fri Aug 05, 2022 11:40 pm
dosborne wrote: Fri Aug 05, 2022 10:55 pm No, if I understand it correctly, the OP wanted to use the QVPN client to connect to their router-based OpenVPN server.
I thought the same and I guessed the usage was for the Qnap to reach an off-site backup server.
Therefore I was suggesting using the more secure OpenVPN client in their setup.
Running on what hardware?
Yes - the offending NAS cannot use a router-based VPN as it is a 'guest' at that location and I cannot control the router. I can connect to my network and router using the QVPN client, however. My router runs OpenVPN. This seems as good as can be done in the circumstances, and I have a proper backup strategy as well for all my separately located NASes, just in case.

Regards
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

tomaii wrote: Thu Aug 11, 2022 7:44 am Ransom of 0.05 BTC was paid at bc1q8jvrqkpkdf6ermhcjvywgtvqkkr25t5dyw80sm.

I didn't expect it but the app took a 0.0006 BTC fee. I am BTC-dumb so I had to create a wallet account and transfers, in a hurry, just for this event.

The amount received on the other end was 0.0494 BTC.

No OP_RETURN yet, but since I just did the transfer I should wait 24-48h.

My question: will the fee be a problem? Or is this common among newbies and they will probably deliver the key?

Thank you so much, I imagine the forum is run by volunteers. I have a deep thought for you all, answering our questions over and over! You sure got my respect! In this story, it is clear who gets the good and who gets the bad karma.
It's not going to work. You need to pay the exact amount as far as I can tell. It is definitely just automated. I started watching the address the second I sent the BTC, and in that same refresh cycle that showed the BTC had arrived, the return transaction with the key was returned at the exact same time. There is no way this could've happened if it wasn't automatic. Send exactly the amount to make it .05 and make sure the fee does not come out of there. If you go over, I hear you are also screwed and there is nothing you can do. There is no one watching these wallets. .05 appears and some script somewhere returns money. The only manual thing they seem to do is top off the main wallet with a few sats for sending returns occasionally.
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

So I'm pretty frustrated. When I found this had happened, I took screenshots of all the changes and system logs (including the Deadbolt page) and shut down the NAS. My intention was to not touch anything until we had the key, use the integrated tool to restore the files, and then perform the updates and get all my data backed up and off this thing.

After being shut down for a week or so, I booted it back up and the page is nowhere to be found. I have tried manually accessing it and I keep getting redirected. How is it even possible that while the QNAP was powered off, the Deadbolt page disappeared? Checked the logs, and there have been no system updates. I feel like there is a lot to this thing that QNAP is not telling us here. If anyone remembers how to find the original page please let me know. I see QNAP has instructions for a couple of methods of manual decryption, but I was most comfortable just doing it in place.
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

If you took screenshots of the Deadbolt page... you have the payment address... so what's the issue?
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I wanted to use the GUI to decrypt in place. Last time I checked I would have had to use a 3rd-party tool to decrypt, but QNAP's new SSH/CLI instructions did the trick.
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

Guys, I noticed something and I think I have found a way to defeat the hackers, at least temporarily until they fix their own security botch.

When I sent the BTC, I immediately started refreshing the address page watching for the BTC to arrive. The very second it arrived, the return transaction was made with the key.

The thing I noticed is: the transaction was UNCONFIRMED and their system had already sent an OP_RETURN. I'm not a big enough BTC expert to do it without research, but in theory, you could use a local hacked BTC node to drop a fake transaction for .05 BTC into the wallet and get an OP key response back before the BTC network denied the transaction. In basic terms, you send a fake transaction to the wallet and the response is stamped there before the transaction fails.

Take that, hackers. You are sloppy with your security too.