[RANSOMWARE] >>READ 1st Post<< Deadbolt

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

tomaii wrote: Fri Aug 12, 2022 10:12 am
Same for reminding us that criminals are behind this, and our money will just feed them… We all know it, and it hurts, but if we do it, it’s because we are out of options.
The lesson about backups cannot be repeated enough. If everybody already knew how important a backup is for ANY reason, not just ransomware, then you and the many others would not be posting here now.

By supporting the criminal activity (paying) you are not just taking a hit financially, you (collectively) are putting everyone at risk as hundreds of thousands of dollars can then be used to find new ways that could target us all.

You *DID* have an option, in fact, 2 options. Pay, or not pay. If your NAS had been stolen (or burnt up in a fire) you would have no options other than complete data loss.

I'm sorry if you feel embarrassed, but by talking about the problem and repeatedly educating people about the importance of backups against many different threats, others may learn *before* they get hit or run into other issues. The day people stop posting that they were hit by ransomware and had no backup is the day I will stop reminding people to have a backup against as many threats as possible. This is only ONE of MANY possible threats.

Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
lama01
Starting out
Posts: 15
Joined: Sat Jul 30, 2011 3:41 am

Re: [RANSOMWARE] Deadbolt

Post by lama01 »

Stu-Q wrote: Wed Jul 27, 2022 7:24 pm
Hi all,
Bad news for those following my case. QNAP tech support tried to recover the Deadbolt html page, as per my support ticket.
They came back and said the script they ran uncovered nothing.
I politely pushed back and asked if someone else could have a more in-depth look. To their credit they did (or said they did) but still found nothing - and apologised saying there was nothing else they could do.
So that's all my data gone sadly, and not sure what else I can do.
If the makers of the drive can't recover the Deadbolt html page, then I very much doubt a third party can.
I'll keep my eye on this thread in case anyone else comes up with a miracle solution, but think I have to admit defeat in ever seeing 15+ years worth of media files again.
Good luck to the rest of you.
Hi Stu-Q
It's been a while since your last post. Did you find the miracle solution to recover the ransom note page in the meantime?
In my (identical) case QNAP support also asked me for remote access which I opened almost 2 weeks ago. But it's radio silence since then. I did not notice any remote access and my friendly questions about the progress are not answered at all. This probably isn't a good sign.
I find QNAP behavior really disappointing. However, after all one can read in the forum it's not really surprising. At least they should confess that their advice to update firmware / run malware tool was not a good idea since this destroyed the only way to get the data back.
ColHut
Know my way around
Posts: 249
Joined: Sat Oct 14, 2017 12:13 am

Re: [RANSOMWARE] Deadbolt

Post by ColHut »

P3R wrote: Fri Aug 05, 2022 11:40 pm
dosborne wrote: Fri Aug 05, 2022 10:55 pm No, if I understand it correctly, the OP wanted to use the QVPN client to connect to their router-based OpenVPN server.
I thought the same and I guessed the usage was for the Qnap to reach an off-site backup server.
Therefore I was suggesting using the more secure OpenVPN client in their setup.
Running on what hardware?
Yes - the offending NAS cannot use a router-based VPN as it is a ‘guest’ at that location and I cannot control the router. I can connect to my network and router using the QVPN client however. My router runs OpenVPN. This seems as good as can be done in the circumstance, and I have a proper backup strategy as well for all my separately located NASes just in case.

Regards
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

tomaii wrote: Thu Aug 11, 2022 7:44 am
Ransom of 0.05 BTC was paid at bc1q8jvrqkpkdf6ermhcjvywgtvqkkr25t5dyw80sm.

I didn’t expect it but the app took a 0.0006 BTC fee. I am BTC-dumb so had to create a wallet account and transfers, in a hurry, just for this event.

The amount received on the other end was 0.0494 BTC.

No OP_Return yet, but since I just did the transfer I should wait 24-48h.

My question: will the fee be a problem? Or is this common among newbies and they will probably deliver the key?

Thank you so much, I imagine the forum is run by volunteers. I have a deep though for you all, answering over and over our questions! You sure got my respect! In this story, it is clear who gets the good and who gets the bad karma.
It's not going to work. You need to pay the exact amount as far as I can tell. It is definitely just automated. I started watching the address the second I sent the BTC and in that same refresh cycle that showed the BTC had arrived, the return transaction with the key was returned at the exact same time. There is no way this could've happened if it wasn't automatic. Send exactly the amount to make it .05 and make sure the fee does not come out of there. If you go over, I hear you are also screwed and there is nothing you can do. There is no one watching these wallets. .05 appears and some script somewhere returns money. The only manual thing they seem to do is top off the main wallet with a few sats for sending returns occasionally.
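An added example, not code from the thread or from QNAP, of the two mechanical checks the post above turns on: whether the payment output is exactly 0.05 BTC (a wallet that deducts its fee from the amount sends 0.0494 and fails that test), and how a decryption key is delivered as an OP_RETURN output of the return transaction. It parses legacy-format raw Bitcoin transactions; the transactions, the attacker and victim scripts and the 16-byte payload are all constructed in the block and are not real chain data or real keys.

```python
# Added example: parse legacy (non-SegWit) raw Bitcoin transactions to
# (a) check that an output pays an exact amount to a given scriptPubKey and
# (b) extract OP_RETURN payloads, which is how the Deadbolt return transaction
# carries the decryption key. All transactions below are constructed samples.
import struct
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
SATS_PER_BTC = 100_000_000


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a CompactSize integer at buf[pos]; returns (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def build_legacy_tx(outputs: list[tuple[int, bytes]]) -> bytes:
    """Serialize a one-input legacy tx. The input spends a dummy outpoint with an
    empty scriptSig: enough to exercise the parser, not valid on-chain."""
    tx = struct.pack("<i", 2)                       # version
    tx += encode_varint(1)                          # input count
    tx += b"\x11" * 32 + struct.pack("<I", 0)       # prev txid + vout (dummy)
    tx += encode_varint(0)                          # empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF)             # sequence
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                      # locktime
    return tx


def parse_outputs(raw: bytes) -> list[tuple[int, bytes]]:
    """Walk a legacy tx and return (value_in_satoshi, scriptPubKey) per output."""
    pos = 4                                         # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                                   # outpoint: txid + index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                             # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        slen, pos = read_varint(raw, pos)
        outs.append((value, raw[pos:pos + slen]))
        pos += slen
    return outs


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Payload of an 'OP_RETURN <push>' script, or None if the script is not one."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op < OP_PUSHDATA1:                      # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == OP_PUSHDATA1 and len(script) >= 3:     # OP_PUSHDATA1 <len> <data>
        return script[3:3 + script[2]]
    return None


def op_return_payloads(raw: bytes) -> list[bytes]:
    """Every OP_RETURN payload in the transaction, in output order."""
    return [p for _, s in parse_outputs(raw) if (p := op_return_payload(s)) is not None]


def paid_exact(raw: bytes, dest_script: bytes, expected_btc: float) -> bool:
    """True only if some output pays dest_script exactly expected_btc. A wallet that
    takes its fee out of the amount (0.0494 instead of 0.05) fails this check, which is
    what an automated 'key on exact payment' script would also see."""
    expected = round(expected_btc * SATS_PER_BTC)
    return any(v == expected and s == dest_script for v, s in parse_outputs(raw))


# --- constructed samples (not real addresses, keys or transactions) ---
ATTACKER_SPK = b"\x00\x14" + b"\xab" * 20            # P2WPKH-shaped scriptPubKey
VICTIM_SPK = b"\x00\x14" + b"\xcd" * 20
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte stand-in

PAYMENT_SHORT = build_legacy_tx([(4_940_000, ATTACKER_SPK)])   # 0.0494 BTC after fee
PAYMENT_EXACT = build_legacy_tx([(5_000_000, ATTACKER_SPK), (1_000, VICTIM_SPK)])
RETURN_TX = build_legacy_tx([(546, VICTIM_SPK),
                             (0, bytes([OP_RETURN, len(SAMPLE_KEY)]) + SAMPLE_KEY)])

if __name__ == "__main__":
    print("short payment accepted:", paid_exact(PAYMENT_SHORT, ATTACKER_SPK, 0.05))
    print("exact payment accepted:", paid_exact(PAYMENT_EXACT, ATTACKER_SPK, 0.05))
    print("returned payload:", [p.hex() for p in op_return_payloads(RETURN_TX)])
```

Real return transactions are usually SegWit-serialized (marker/flag bytes and witness data after the outputs); a block explorer's decoded `vout` list gives the same (value, scriptPubKey) pairs without the parser, and `op_return_payload` applies to each script unchanged.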
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

SO I'm pretty frustrated. when I found this had happened, I took screenshots of all the changes and system logs (including the deadbolt page) and shut down the NAS. My intention was to not touch anything until we had the key and use the integrated tool to restore the files, and then perform the updates and get all my data backed up and off this thing.

After being shut down for a week or so, I booted it back up and the page is nowhere to be found. I have tried manually accessing it and I keep getting redirected. How is this even possible that, while the QNAP was powered off, the Deadbolt page disappeared? Checked the logs, and there have been no system updates. I feel like there is a lot to this thing that QNAP is not telling us here. If anyone remembers how to find the original page please let me know. I see QNAP has instructions for a couple of methods of manual decryption, but I was most comfortable just doing it in place.
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

If you took screenshots of the Deadbolt page, you have the payment address, so what's the issue?
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I wanted to use the GUI to decrypt in place. Last time I checked I would have to use a 3rd party tool to decrypt but qnaps new ssh/cli instructions did the trick.
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

Guys, I noticed something and I think I have found a way to defeat the hackers--at least temporarily until they fix their own security botch.

When I sent the BTC, I immediately started refreshing the address page watching for the BTC to arrive. The very second it arrived, the return transaction was made with the key.

The thing I noticed is: the transaction was UNCONFIRMED and their system had already sent an OP_RETURN. I'm not a big enough BTC expert to do it without research, but in theory, you could use a local hacked BTC node to drop a fake transaction for .05 BTC into the wallet and get an OP_RETURN key response back before the BTC network denied the transaction. In basic terms, you send a fake transaction to the wallet and the response is stamped there before the transaction fails.

Take that hackers. You are sloppy with your security too.
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

lambdapi wrote: Sat Aug 13, 2022 10:18 am In basic terms, you send a fake transaction to the wallet and the response is stamped there before the transaction fails.
I considered this too. But I suspect once the hackers figured-out the scheme, they would modify their OP_RETURN system to wait for the victim payment to be confirmed. So, it would only benefit a small number of people before (further) negatively impacting everyone else who followed.

lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

But what if it was done in one big dump?? I know that QNAP and various sites have been tracking these deadbolt landing pages as a measure for infection. So they should be able to come up with a master list of all the wallet public addresses being used.

They could send bad transactions to all the wallets in one big dump. The only issue with this is that there won't be enough BTC in the wallet that sends the OP_RETURNs to send them all. There is an easy fix for this as well, however. Just simply send $100 or so to this wallet first, then immediately process all the bad transactions.

There's your master key and it actually costs about $100 (if that).
rkleung
New here
Posts: 6
Joined: Sun Nov 27, 2016 8:20 am

Re: [RANSOMWARE] Deadbolt

Post by rkleung »

Hi,

My QNAP was hit by Deadbolt back in Jan. Originally, I was going to not pay, but recently decided to pay to get my files decrypted.

I have a couple questions:
- I never saw the ransomware page so I wasn’t able to screenshot the payment address. The instructions from QNAP to restore the ransomware page aren’t there anymore. Where can I find the instructions to restore the ransomware page?

- I read some of the most recent pages on this thread and it looks like the ransomware amount is now up to 0.05 BTC from 0.03 BTC. Is this change for everyone or just the ones that were infected later?

Thanks!
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

rkleung wrote: Sat Aug 13, 2022 11:11 pm
- I never saw the ransomware page so I wasn’t able to screenshot the payment address. The instructions from QNAP to restore the ransomware page aren’t there anymore. Where can I find the instructions to restore the ransomware page?
QNAP Security Advisories
DeadBolt Ransomware
Release date: June 17, 2022
Security ID: QSA-22-19
Severity: Critical
Affected products: QNAP NAS running QTS 4.3.x, 4.4.x, and outdated applications
Not affected products: QNAP NAS running QTS 4.2.x, 4.5.x, 5.x, and QuTS hero h4.5.x, h5.x
Status: Information
Summary
QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.3.x and 4.4.x, and outdated applications.

QTS 4.2.x, 4.5.x, and 5.0.x, and QuTS hero h4.5.x and h5.x, are not affected.

Recommendation
To secure your NAS, we strongly recommend updating QTS or QuTS hero and all applications in App Center to the latest version immediately.

If you are using QTS 4.3.x, we recommend one of the following builds to ensure your device is safe from the ransomware:
QTS 4.3.6.2050 build 20220526 and later
QTS 4.3.4.1976 build 20220303 and later
QTS 4.3.3.2057 build 20220623 and later

If you are using QTS 4.4.x, we recommend upgrading to one of the following versions:
QTS 4.5.x
QTS 5.x

Regardless of which QNAP operating system version you are using, please update all applications on your NAS to the latest versions.

What if my NAS has already been compromised?

If your NAS has already been compromised, take a screenshot of the ransom note to keep the bitcoin address, and then upgrade to the latest firmware version. The built-in Malware Remover application will automatically quarantine the ransom note that hijacks the login page.

If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, please contact QNAP Support for assistance.

Updating QTS or QuTS hero

Log on to QTS or QuTS hero as an administrator using one of the following URLs in a web browser:
http://nas_ip:8080/cgi-bin/index.cgi
https://nas_ip/cgi-bin/index.cgi
Note: Replace "nas_ip" with your NAS IP address.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS or QuTS hero downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating All NAS Applications

Log on to QTS or QuTS hero as administrator.
Open App Center.
Locate Install Updates on the upper right corner of the screen.
Click All.
A confirmation message appears.
Click OK.
QTS or QuTS hero updates all installed applications.
rkleung wrote: Sat Aug 13, 2022 11:11 pm
- I read some of the most recent pages on this thread and it looks like the ransomware amount is now up to 0.05 BTC from 0.03 BTC. Is this change for everyone or just the ones that were infected later?
Nobody here can give you a definitive answer, but as already mentioned in this thread, you may want to try and see if you can get away with paying the 0.03BTC and if you don't get your OP_RETURN after a day or so, pay the additional amount.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
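An added example, not from the thread or from QNAP, that turns the build table in the advisory quoted above into a check that can be run against a NAS's firmware version string. It assumes the version is given in the form the advisory and the Firmware Update page use ("4.3.6.2050 build 20220526", with an "h" prefix for QuTS hero); the thresholds are exactly the builds QSA-22-19 lists, and the version strings other than those are constructed here. The advisory's other condition, outdated App Center applications, is not covered by this check.

```python
# Added example: classify a QTS / QuTS hero firmware version against QSA-22-19.
# Thresholds are the builds the advisory lists; sample version strings below that
# are not in the advisory are constructed for illustration.
import re
from typing import NamedTuple, Optional


class Firmware(NamedTuple):
    os: str                  # "QTS" or "QuTS hero"
    major: int
    minor: int
    patch: int
    number: Optional[int]    # fourth component, e.g. 2050 (None if absent)
    build: Optional[int]     # build date, e.g. 20220526 (None if absent)


# Earliest safe (number, build date) per 4.3.x branch, from the advisory.
QSA_22_19_MIN_43 = {
    (4, 3, 6): (2050, 20220526),
    (4, 3, 4): (1976, 20220303),
    (4, 3, 3): (2057, 20220623),
}

_FW_RE = re.compile(
    r"^(?:QTS\s+|QuTS hero\s+)?(h?)(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+build\s+(\d{8}))?$",
    re.IGNORECASE,
)


def parse_firmware(text: str) -> Firmware:
    """Parse strings such as '4.3.6.2050 build 20220526' or 'h5.0.1.2248 build 20221215'."""
    m = _FW_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    hero, major, minor, patch, number, build = m.groups()
    return Firmware(
        os="QuTS hero" if hero else "QTS",
        major=int(major), minor=int(minor), patch=int(patch),
        number=int(number) if number else None,
        build=int(build) if build else None,
    )


def advisory_status(fw: Firmware) -> str:
    """One of: 'not_affected', 'safe', 'update_required', 'unknown'.
    'unknown' means the advisory says nothing about this version, or the string
    lacks the build information needed to compare against the listed floor."""
    branch = (fw.major, fw.minor)
    if fw.os == "QuTS hero":
        # Advisory: QuTS hero h4.5.x and h5.x are not affected.
        return "not_affected" if branch == (4, 5) or fw.major >= 5 else "unknown"
    # QTS 4.2.x, 4.5.x and 5.x are not affected.
    if branch in {(4, 2), (4, 5)} or fw.major >= 5:
        return "not_affected"
    if branch == (4, 4):
        return "update_required"          # advisory: move to QTS 4.5.x or 5.x
    if branch == (4, 3):
        floor = QSA_22_19_MIN_43.get((fw.major, fw.minor, fw.patch))
        if floor is None:
            return "update_required"      # no safe build listed for this 4.3 branch
        if fw.number is None or fw.build is None:
            return "unknown"              # cannot compare without number + build date
        return "safe" if (fw.number, fw.build) >= floor else "update_required"
    return "unknown"


def check(text: str) -> str:
    """Convenience wrapper: version string in, status out."""
    return advisory_status(parse_firmware(text))


if __name__ == "__main__":
    # First three are taken from the advisory; the rest are constructed samples.
    for s in ("4.3.6.2050 build 20220526", "4.3.4.1976 build 20220303",
              "4.3.3.2057 build 20220623", "4.3.6.1965 build 20220203",
              "4.4.3.2075 build 20220624", "5.0.1.2145 build 20220903",
              "h5.0.1.2248 build 20221215", "4.3.6"):
        print(f"{s:28s} -> {check(s)}")
```

The number and build date move together, so the tuple comparison is the same as comparing either alone for real builds; keeping both catches a mistyped string where they disagree.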
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I can give you a definitive answer. The new campaign which started in July is .05. Most likely due to the decline in BTC prices, as .03 in Jan was about $1100 and .05 now is ~$1100.

This cost is simply hard coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.

Whatever your client asked for is what you pay. Whether it will work or not going as far back as Jan, I can't say. As long as they still have the process running on the initial campaign, it should work, but if not you are SOL.

Also, if you do not have the send address (these are unique for every client) you are also SOL. Without the correct address to make your payment to, there is no currently known way to recover the files.
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lambdapi wrote: Sun Aug 14, 2022 12:29 am I can give you a definitive answer.
lambdapi wrote: Sun Aug 14, 2022 12:29 am Whether it will work or not going as far back as Jan, I can't say.
Not really "definitive" then :) :)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
OneCD
Guru
Posts: 12146
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

lambdapi wrote: Sun Aug 14, 2022 12:29 am This cost is simply hard coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.
Do you have a location for this config file? What is it named?
