[RANSOMWARE] >>READ 1st Post<< Deadbolt

dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

OneCD wrote: Sun Aug 14, 2022 2:37 am
lambdapi wrote: Sun Aug 14, 2022 12:29 am This cost is simply hard coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.
Do you have a location for this config file? What is it named? :'
It is actually embedded in the deadbolt replacement html file rather than a config file from what I've read :)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

dosborne wrote: Sun Aug 14, 2022 10:10 am It is actually embedded in the deadbolt replacement html file rather than a config file from what I've read :)
I’m testing what I suspect is @lambdapi’s assumption. ;)

sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

back to the fake BTC transaction... couldn't QNAP simulate a 50BTC fake transaction so to obtain the master password???
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Wasn't it already established that there is no master password? Saw something posted a while ago that the encryption scheme used simply does not allow for one.

Even if so, pretty sure the 50BTC master password would have more scrutiny than individual victim pay/release workflows.
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

In any case, if someone is sooooo kind to generate a fake BTC transaction to this address, so to obtain my private key, then I would really be grateful and willing to pay some beers.
You can make a payment of (exactly) 0.050000 bitcoin to the following address:
bc1qj7989cl9c86qawvjkwlcw6s0xz8ma4w7f9l07t

/Gianluca
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

In the encrypted files there is a user id and a master password hash, so some sort of scheme to convert the master password and the user id into the individual password should exist.
qsurenot
New here
Posts: 2
Joined: Mon Aug 15, 2022 4:56 pm

Re: [RANSOMWARE] Deadbolt

Post by qsurenot »

dosborne wrote: Fri Aug 12, 2022 10:29 am
tomaii wrote: Fri Aug 12, 2022 10:12 am .Same for reminding us that criminals are behind this, and our money will just feed them… We all know it, and it hurts, but if we do it, it’s because we are out of options.
The lesson about backups cannot be repeated enough. If everybody already knew how important a backup is for ANY reason, not just ransomware, then you and the many others would not be posting here now.

By supporting the criminal activity (paying) you are not just taking a hit financially, you (collectively) are putting everyone at risk as hundreds of thousands of dollars can then be used to find new ways that could target us all.

You *DID* have an option, in fact, 2 options. Pay, or not pay. If your NAS had been stolen (or burnt up in a fire) you would have no options other than complete data loss.

I'm sorry if you feel embarrassed, but by talking about the problem and repeatedly educating people about the importance of backups against many different threats, others may learn *before* they get hit or run into other issues. The day people stop posting that they were hit by ransomware and had no backup is the day I will stop reminding people to have a backup against as many threats as possible. This is only ONE of MANY possible threats.

Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:

1. By definition a NAS is often THE BACKUP device for many users. So even people who are diligent about backups could find themselves tangled in this mess. And if you're talking about a 3-2-1 backup strategy or more advanced strategies, it'd be too advanced for the majority of people who just wanted a safe place for their photos and files.

2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.

3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.

4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.

5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were setup and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.

And to everyone in the middle of this mess, please don't feel ashamed or that you did anything wrong. You were let down by a terrible vendor and that should be the #1 lesson you take out of this.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Unfortunately this is the great mistake most of the users made: a NAS is NOT a backup! If the NAS is a backup, then the data still exists in the original place!
But in the mind of most people "backup" is still a central place to store a single copy of their data.
And I agree you can't say it enough: a NAS is not a backup!
And where else should you put this message if not in such a thread!? This is the thread which affected users (victims) will (hopefully) read, and learn the painful lesson from.
I still hope that every user gets their data back, but I also insist on pointing to backup, backup and backup!!!
And even if QNAP is a bad vendor regarding security, it's up to the user to secure his LAN! This is of course the task of the user. This is nothing you can blame QNAP for.
If you leave your home unlocked, you can't blame the vendor of your door, even if he says in an advertisement "our door is safe"!
It's still up to you to lock the door. Same when using a LAN: you are the person responsible for your security!

Regards
ssingh44
First post
Posts: 1
Joined: Mon Aug 15, 2022 7:26 pm

Re: [RANSOMWARE] Deadbolt

Post by ssingh44 »

A warning that multiple versions of Deadbolt could have run on your system and that a single decryption key may not solve your problems.

Background - I only discovered last weekend that Deadbolt had ransacked my NAS. After looking through my files I noticed that some had been updated on July 11th while a few others including one of the Deadbolt executables had run as recently as August 8th.

For whatever reason, I was never presented with the infamous deadbolt ransom page but after some digging I was able to discover SDDPd.bin in my update_pkj folder which allowed me to reconstruct the ransom page. After paying the ransom and getting the key only those few files that had been encrypted on the 8th were decrypted. The majority that were encrypted in July remained encrypted with the key not working for these.

While my hope was that the keys were somehow generated based on the device id this isn't the case. Unfortunately in my case, all I have left for now is to store the encrypted files and hope sometime in the future possibly a master key is uncovered (unlikely but eh). But a careful warning for those still being infected hoping to decrypt their systems that if your drives were hit by multiple instances of deadbolt a single key may not solve your problems.
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

ssingh44 wrote: Mon Aug 15, 2022 7:40 pm Background - I only discovered last weekend that Deadbolt had ransacked my NAS. After looking through my files I noticed that some had been updated on July 11th while a few others including one of the Deadbolt executables had run as recently as August 8th.
You are not the only one. Although you are the first I've seen that got hit by multiple waves of the same ransomware, others have reported multiple attacks from different ransomware "products".

Bottom line, the longer your device is exposed, the less likely you are to be able to recover any data.

Unfortunately, even the criminals have "bugs" in their code. The ransomware was not intended to destroy user data, but was designed to encrypt it. When they step on top of each other they only reduce the likelihood of getting paid, as it makes successful decryption less and less likely.

Perhaps a note outlining multiple attacks should be added to post #1?
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

qsurenot wrote: Mon Aug 15, 2022 5:20 pm
dosborne wrote: Fri Aug 12, 2022 10:29 am Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:
This is not criminal hacker tech support, this is QNAP community support. As there is no "fix" for this ransomware, the only solution that can be offered is to help people with data recovery and planning to prevent the next attack. It cannot be said enough, therefore this *IS* the place. Many users come here specifically to read about Deadbolt and need the information on creating a backup plan for the future.

Read the posts about people being hit with multiple waves of ransomware that even paying for the key does not help recover all files.
1. By definition a NAS is often THE BACKUP device for many users. for the majority of people who just wanted a safe place for their photos and files.
Great. Then their original data is safe and unaffected. Secure the network, remove the malware, make a new backup. No data loss.
2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.
No, if this is the only source, it is not a backup, it is the original and should be backed up if it is important to the user.
3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.

5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were setup and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.
Again, QNAP is not the only vendor affected by this or many other malware attacks. Also, backups protect against a thousand things other than malware.
4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.
"Contributing" - perhaps, but ultimately the security of YOUR network is YOUR responsibility. If your router locked down UPnP for instance, which many are finally disabling by default, then the ransomware would not have affected so many NAS users. Shouldn't you be "blaming" your router manufacturer instead (or as well) then?
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

ssingh44 wrote: Mon Aug 15, 2022 7:40 pm A warning that multiple versions of Deadbolt could have run on your system and that a single decryption key may not solve your problems.

Background - I only discovered last weekend that Deadbolt had ransacked my NAS. After looking through my files I noticed that some had been updated on July 11th while a few others including one of the Deadbolt executables had run as recently as August 8th.

For whatever reason, I was never presented with the infamous deadbolt ransom page but after some digging I was able to discover SDDPd.bin in my update_pkj folder which allowed me to reconstruct the ransom page. After paying the ransom and getting the key only those few files that had been encrypted on the 8th were decrypted. The majority that were encrypted in July remained encrypted with the key not working for these.

While my hope was that the keys were somehow generated based on the device id this isn't the case. Unfortunately in my case, all I have left for now is to store the encrypted files and hope sometime in the future possibly a master key is uncovered (unlikely but eh). But a careful warning for those still being infected hoping to decrypt their systems that if your drives were hit by multiple instances of deadbolt a single key may not solve your problems.
Mine was also hit on July 10. I didn't notice for about a week as our QNAP is mostly just used as an archive. When I noticed it had been hit and did some research, I shut down the NAS and started pondering whether to pay. We decided there were some things there that we couldn't part with, so after 10 days waiting for the BTC to be transferable, we got our key. I powered back up the QNAS - after purposefully having not tampered with it - so that I could just use the landing page to do a full decryption in place, and the page was gone.

This actually ** me off. I don't know what backdoor they used, but I was not communicated with in any way that I have found. There were no updates installed according to the logs (and it was powered off). QNAP did something to my NAS without any permission from me. They did this to you as well. What I am guessing here is that the rogue changes they made to your device caused the device to no longer present like it had already been infected, and it was discovered in a second scan by the attackers and compromised again. It's QNAP's fault and this is why I will never purchase another QNAP product again. Not only do they have terrible security practice, but they are making unauthorized changes to MY devices.
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

by the way also:
Just a show of hands from people who recovered their NAS and managed to get the malware scanner installed and working.

How many people either "A" were unable to perform updates or install Malware remover and just nuked the NAS, or "B" were able to install the malware remover and found that their NAS had also been infected with "QSnatch" malware.

Apparently QSnatch is a password stealer that has been around for a couple of years now. I'm pretty sure this is from the same guys and it was simply a 1-2 punch. According to the logs, they just basically logged in (must have been some spoof to enable SSH/webservice as SSH was disabled on mine), created a new admin account, reset all the permissions and then executed the deadbolt app.

Most likely they are just scanning the NASes and when they find one they try the list of stolen passwords against the web service. There was a two day delay between the successful creation of the new user account and the deadbolt malware being executed. This tells me that they essentially spawned a bunch of processes, waited a couple of days and then thumbed manually through open terminal windows looking for machines that they were able to log into.

Monitor your user lists carefully. Run the malware remover. If you found Qsnatch on your device (Ever) change all passwords including admin.
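A small user-list audit in the spirit of the advice above, added here as an example and not code from the thread or from QNAP: it compares a saved copy of the NAS's user list against the current one and flags any new account that has been added to the administrators group, which is the pattern described two posts up (a new admin account created days before the encryptor ran). The group name "administrators" and the passwd/group file layout are assumptions; the sample files are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread). Detect accounts that appeared since a
# saved baseline and flag any that are members of the admin group.
# Assumption: standard passwd/group file format; "administrators" is assumed
# to be the NAS admin group name, change it to match your device.

ADMIN_GROUP="${ADMIN_GROUP:-administrators}"

# new_users BASELINE_PASSWD CURRENT_PASSWD
#   prints usernames present in CURRENT but absent from BASELINE
new_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# is_admin USER GROUP_FILE -> exit 0 if USER is listed in ADMIN_GROUP
is_admin() {
    awk -F: -v g="$ADMIN_GROUP" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# audit_users BASELINE_PASSWD CURRENT_PASSWD GROUP_FILE
#   prints one line per new account; returns 1 if any new account is an admin
audit_users() {
    rc=0
    for u in $(new_users "$1" "$2"); do
        if is_admin "$u" "$3"; then
            echo "ALERT: new account '$u' is a member of $ADMIN_GROUP"
            rc=1
        else
            echo "NOTICE: new account '$u'"
        fi
    done
    return $rc
}

# Constructed sample data (not real NAS files) so the script can be run as-is.
# Save a real baseline with: cut -d: -f1 /etc/passwd > /some/safe/place
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'admin:x:0:0::/root:/bin/sh\nalice:x:500:100::/home/alice:/bin/sh\n' \
    > "$TMP/passwd.baseline"
printf 'admin:x:0:0::/root:/bin/sh\nalice:x:500:100::/home/alice:/bin/sh\n' \
    > "$TMP/passwd.now"
printf 'svc_update:x:501:0::/home/svc_update:/bin/sh\nbob:x:502:100::/home/bob:/bin/sh\n' \
    >> "$TMP/passwd.now"
printf 'administrators:x:0:admin,svc_update\neveryone:x:100:alice,bob\n' > "$TMP/group"

if audit_users "$TMP/passwd.baseline" "$TMP/passwd.now" "$TMP/group"; then
    echo "no new admin accounts since baseline"
else
    echo "new admin account detected: review the login log and change all passwords"
fi
```

Run it from cron against a baseline stored off the NAS, since a baseline kept on the device can be edited by whoever created the new account.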
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lambdapi wrote: Mon Aug 15, 2022 11:29 pm This actually ** me off. I don't know what backdoor they used, but i was not communicated in any way that I have found. There were no updates installed according to the logs (and it was powered off). QNAP did something to my NAS without any permission from me. They did this to you as well. What I am guessing here is that the rouge changes they made to your device caused the device to no longer present like it had already been infected and it was discovered in a second scan by the attackers and compromised again. Its QNAPS fault and this is why I will never purchase another QNAP product again. Not only do they have terrible security practice, but they are making unauthorized changes to MY devices.
I can guarantee QNAP did nothing without your permission. Particularly if your unit was powered off.

The most likely case is that the malware removal app ran and removed the malware (to quarantine). Contact support as per the notices and they can recover the ransomware page.
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lambdapi wrote: Mon Aug 15, 2022 11:40 pm
Monitor your user lists carefully. Run the malware remover. If you found Qsnatch on your device (Ever) change all passwords including admin.
More importantly, get your NAS off of an internet-facing interface! Then there is no way **ANY** of the exploits can be used.

And for the sake of repeating:

-Disable UPnP on your router
-Disable any forwarded ports on your router to your NAS
-Disable UPnP on your NAS
-Have a verified backup plan that matches the level of importance of your data