I considered this too. But I suspect once the hackers figured out the scheme, they would modify their OP_RETURN system to wait for the victim payment to be confirmed. So, it would only benefit a small number of people before (further) negatively impacting everyone else who followed.
[RANSOMWARE] >>READ 1st Post<< Deadbolt
- OneCD
- Guru
- Posts: 12037
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
- Starting out
- Posts: 22
- Joined: Thu Aug 06, 2015 7:01 am
Re: [RANSOMWARE] Deadbolt
But what if it was done in one big dump?? I know that QNAP and various sites have been tracking these deadbolt landing pages as a measure for infection. So they should be able to come up with a master list of all the wallet public addresses being used.
They could send bad transactions to all the wallets in one big dump. The only issue with this is that there won't be enough BTC in the wallet that sends the OP_RETURNs to send them all. There is an easy fix for this as well, however. Just send $100 or so to this wallet first, then immediately process all the bad transactions.
There's your master key and it actually costs about $100 (if that).
- New here
- Posts: 6
- Joined: Sun Nov 27, 2016 8:20 am
Re: [RANSOMWARE] Deadbolt
Hi,
My QNAP was hit by Deadbolt back in Jan. Originally, I was going to not pay, but recently decided to pay to get my files decrypted.
I have a couple of questions:
- I never saw the ransomware page so I wasn't able to screenshot the payment address. The instructions from QNAP to restore the ransomware page aren't there anymore. Where can I find the instructions to restore the ransomware page?
- I read some of the most recent pages on this thread and it looks like the ransomware amount is now up to 0.05 BTC from 0.03 BTC. Is this change for everyone or just the ones that were infected later?
Thanks!
- Experience counts
- Posts: 1791
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] Deadbolt
QNAP Security Advisories
DeadBolt Ransomware
Release date: June 17, 2022
Security ID: QSA-22-19
Severity: Critical
Affected products: QNAP NAS running QTS 4.3.x, 4.4.x, and outdated applications
Not affected products: QNAP NAS running QTS 4.2.x, 4.5.x, 5.x, and QuTS hero h4.5.x, h5.x
Status: Information
Summary
QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.3.x and 4.4.x, and outdated applications.
QTS 4.2.x, 4.5.x, and 5.0.x, and QuTS hero h4.5.x and h5.x, are not affected.
Recommendation
To secure your NAS, we strongly recommend updating QTS or QuTS hero and all applications in App Center to the latest version immediately.
If you are using QTS 4.3.x, we recommend one of the following builds to ensure your device is safe from the ransomware:
QTS 4.3.6.2050 build 20220526 and later
QTS 4.3.4.1976 build 20220303 and later
QTS 4.3.3.2057 build 20220623 and later
If you are using QTS 4.4.x, we recommend upgrading to one of the following versions:
QTS 4.5.x
QTS 5.x
Regardless of which QNAP operating system version you are using, please update all applications on your NAS to the latest versions.
What if my NAS has already been compromised?
If your NAS has already been compromised, take a screenshot of the ransom note to keep the bitcoin address, and then upgrade to the latest firmware version. The built-in Malware Remover application will automatically quarantine the ransom note that hijacks the login page.
If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, please contact QNAP Support for assistance.
Updating QTS or QuTS hero
Log on to QTS or QuTS hero as an administrator using one of the following URLs in a web browser:
http://nas_ip:8080/cgi-bin/index.cgi
https://nas_ip/cgi-bin/index.cgi
Note: Replace "nas_ip" with your NAS IP address.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS or QuTS hero downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Updating All NAS Applications
Log on to QTS or QuTS hero as administrator.
Open App Center.
Locate Install Updates on the upper right corner of the screen.
Click All.
A confirmation message appears.
Click OK.
QTS or QuTS hero updates all installed applications.
Nobody here can give you a definitive answer, but as already mentioned in this thread, you may want to try and see if you can get away with paying the 0.03 BTC and, if you don't get your OP_RETURN after a day or so, pay the additional amount.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
- Starting out
- Posts: 22
- Joined: Thu Aug 06, 2015 7:01 am
Re: [RANSOMWARE] Deadbolt
I can give you a definitive answer. The new campaign which started in July is 0.05. Most likely due to the decline in BTC prices, as 0.03 in Jan was about $1100 and 0.05 now is ~$1100.
This cost is simply hard coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.
Whatever your client asked for is what you pay. Whether it will work or not going as far back as Jan, I can't say. As long as they still have the process running on the initial campaign, it should work, but if not you are SOL.
Also, if you do not have the send address (these are unique for every client) you are also SOL. Without the correct address to make your payment to, there is no currently known way to recover the files.
- Experience counts
- Posts: 1791
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] Deadbolt
Not really "definitive" then.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
- OneCD
- Guru
- Posts: 12037
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
Do you have a location for this config file? What is it named?
- Experience counts
- Posts: 1791
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] Deadbolt
It is actually embedded in the Deadbolt replacement HTML file rather than a config file, from what I've read.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
- OneCD
- Guru
- Posts: 12037
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
I’m testing what I suspect is @lambdapi’s assumption.
- New here
- Posts: 4
- Joined: Wed Jul 13, 2016 5:33 pm
Re: [RANSOMWARE] Deadbolt
Back to the fake BTC transaction... couldn't QNAP simulate a 50 BTC fake transaction so as to obtain the master password???
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Wasn't it already established that there is no master password? Saw something posted a while ago that the encryption scheme used simply does not allow for one.
Even if so, pretty sure the 50 BTC master password would have more scrutiny than individual victim pay/release workflows.
- New here
- Posts: 4
- Joined: Wed Jul 13, 2016 5:33 pm
Re: [RANSOMWARE] Deadbolt
In any case, if someone is sooooo kind as to generate a fake BTC transaction to this address, so as to obtain my private key, then I would really be grateful and willing to pay some beers.
You can make a payment of (exactly) 0.050000 bitcoin to the following address:
bc1qj7989cl9c86qawvjkwlcw6s0xz8ma4w7f9l07t
/Gianluca
- New here
- Posts: 4
- Joined: Wed Jul 13, 2016 5:33 pm
Re: [RANSOMWARE] Deadbolt
In the encrypted files there is a user id and a master password hash, so some sort of scheme to convert the master password and the user id into the individual password should exist.
- New here
- Posts: 2
- Joined: Mon Aug 15, 2022 4:56 pm
Re: [RANSOMWARE] Deadbolt
dosborne wrote: Fri Aug 12, 2022 10:29 am
The lesson about backups cannot be repeated enough. If everybody already knew how important a backup is for ANY reason, not just ransomware, then you and the many others would not be posting here now.
By supporting the criminal activity (paying) you are not just taking a hit financially, you (collectively) are putting everyone at risk as hundreds of thousands of dollars can then be used to find new ways that could target us all.
You *DID* have an option, in fact, 2 options. Pay, or not pay. If your NAS had been stolen (or burnt up in a fire) you would have no options other than complete data loss.
I'm sorry if you feel embarrassed, but by talking about the problem and repeatedly educating people about the importance of backups against many different threats, others may learn *before* they get hit or run into other issues. The day people stop posting that they were hit by ransomware and had no backup is the day I will stop reminding people to have a backup against as many threats as possible. This is only ONE of MANY possible threats.
Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)
These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.
We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes, we ALL understand the importance of backups, but this is neither the time nor the place for this great advice, for several reasons:
1. By definition a NAS is often THE BACKUP device for many users. So even people who are diligent about backups could find themselves tangled in this mess. And if you're talking about a 3.2.1 backup strategy or more advanced strategies it'd be too advanced for the majority of people who just wanted a safe place for their photos and files.
2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.
3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.
4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.
5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were setup and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.
And to everyone in the middle of this mess, please don't feel ashamed or that you did anything wrong. You were let down by a terrible vendor and that should be the #1 lesson you take out of this.
- Experience counts
- Posts: 2043
- Joined: Thu Mar 03, 2016 1:11 am
Re: [RANSOMWARE] Deadbolt
Unfortunately this is the great mistake most of the users made: a NAS is NOT a backup! If the NAS is a backup, then the data still exists in the original place!
But in the mind of most people "backup" is still a central place to store a single copy of their data.
And I agree you can't say it enough: a NAS is not a backup!
And where else should you put this message if not in such a thread!? This is the thread which affected users (victims) will (hopefully) read and learn the painful lesson from.
I still hope that every user gets their data back, but I also insist on pointing to backup, backup and backup!!!
And even if QNAP is a bad vendor regarding security, it's up to the user to secure his LAN! This is of course the task of the user. This is nothing you can blame QNAP for.
If you leave your home unlocked, you can't blame the vendor of your door, even if he says in an advertisement "our door is safe"!
It's still up to you to lock the door. Same when using a LAN: you are the responsible person for your security!
Regards
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com