[RANSOMWARE] >>READ 1st Post<< Deadbolt

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

lambdapi wrote: Sat Aug 13, 2022 10:18 am In basic terms, you send a fake transaction to the wallet and the response is stamped there before the transaction fails.
I considered this too. But I suspect once the hackers figured out the scheme, they would modify their OP_RETURN system to wait for the victim's payment to be confirmed. So it would only benefit a small number of people before (further) negatively impacting everyone else who followed.

lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

But what if it was done in one big dump? I know that QNAP and various sites have been tracking these Deadbolt landing pages as a measure of infection. So they should be able to come up with a master list of all the wallet public addresses being used.

They could send bad transactions to all the wallets in one big dump. The only issue with this is that there won't be enough BTC in the wallet that sends the OP_RETURNs to send them all. There is an easy fix for this as well, however. Just send $100 or so to this wallet first, then immediately process all the bad transactions.

There's your master key, and it actually costs about $100 (if that).
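The OP_RETURN mechanism the last few posts revolve around (the victim pays the per-victim address, and the decryption response is published as an OP_RETURN output in a transaction), as an added example that is not code from this thread or from any DeadBolt sample: a parser that pulls OP_RETURN payloads out of a raw Bitcoin transaction, so a victim or responder can watch for the response without trusting a block explorer's rendering. It handles the segwit marker and the OP_PUSHDATA opcodes, which a naive substring search for 0x6a misses. The sample transaction, its txid, output script and payload bytes are constructed here; the actual format of the DeadBolt response is not described on this page.

```python
"""Extract OP_RETURN payloads from a raw Bitcoin transaction (added example)."""
import struct

OP_RETURN = 0x6a
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4c, 0x4d, 0x4e


def read_varint(buf, pos):
    """Bitcoin CompactSize integer; returns (value, new_pos)."""
    n = buf[pos]
    if n < 0xfd:
        return n, pos + 1
    if n == 0xfd:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if n == 0xfe:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_payloads(script):
    """Data pushes after OP_RETURN in an output script, or None if the script is not OP_RETURN."""
    if not script or script[0] != OP_RETURN:
        return None
    pushes, pos = [], 1
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 0x4b:                 # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:
            n = script[pos]; pos += 1
        elif op == OP_PUSHDATA2:
            n = struct.unpack_from("<H", script, pos)[0]; pos += 2
        elif op == OP_PUSHDATA4:
            n = struct.unpack_from("<I", script, pos)[0]; pos += 4
        else:
            break                            # non-push opcode; the output is unspendable anyway
        pushes.append(bytes(script[pos:pos + n]))
        pos += n
    return pushes


def parse_outputs(raw):
    """Return [(value_sats, scriptPubKey), ...]; witness data after the outputs is not needed here."""
    pos = 4                                   # version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                              # BIP144 segwit marker + flag
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # prev txid (32) + output index (4)
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]; pos += 8
        slen, pos = read_varint(raw, pos)
        outputs.append((value, bytes(raw[pos:pos + slen])))
        pos += slen
    return outputs


def extract_op_return(raw):
    """All OP_RETURN payloads in the transaction, one bytes object per OP_RETURN output."""
    found = []
    for _value, script in parse_outputs(raw):
        pushes = op_return_payloads(script)
        if pushes is not None:
            found.append(b"".join(pushes))
    return found


def push_data(data):
    """Minimal push opcode for data up to 65535 bytes (node policy defaults cap OP_RETURN at 80)."""
    n = len(data)
    if n <= 0x4b:
        return bytes([n]) + data
    if n <= 0xff:
        return bytes([OP_PUSHDATA1, n]) + data
    return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + data


def build_sample_tx(payload, pay_to_hash20, segwit=False):
    """Constructed one-input, two-output transaction: a P2WPKH payment plus an OP_RETURN output."""
    v = lambda n: bytes([n])                  # CompactSize for the small counts used here
    tx = b"\x01\x00\x00\x00"                  # version 1
    if segwit:
        tx += b"\x00\x01"
    tx += v(1) + b"\x00" * 32 + b"\x00\x00\x00\x00" + v(0) + b"\xff\xff\xff\xff"
    spk = b"\x00\x14" + pay_to_hash20          # OP_0 <20-byte hash>
    opret = bytes([OP_RETURN]) + push_data(payload)
    tx += v(2)
    tx += struct.pack("<q", 100_000) + v(len(spk)) + spk
    tx += struct.pack("<q", 0) + v(len(opret)) + opret
    if segwit:
        tx += v(0)                            # empty witness for the single input
    return tx + b"\x00\x00\x00\x00"           # locktime


if __name__ == "__main__":
    sample = build_sample_tx(b"DEADBOLT-EXAMPLE", b"\x11" * 20, segwit=True)
    for payload in extract_op_return(sample):
        print(payload.hex(), payload)
```

To use this against a real transaction, fetch the raw hex from your own node (for example `bitcoin-cli getrawtransaction <txid>`), `bytes.fromhex()` it, and pass it to `extract_op_return`. Nothing here interprets the payload; what the bytes mean in the DeadBolt workflow is not documented on this page.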
rkleung
New here
Posts: 6
Joined: Sun Nov 27, 2016 8:20 am

Re: [RANSOMWARE] Deadbolt

Post by rkleung »

Hi,

My QNAP was hit by Deadbolt back in Jan. Originally, I was going to not pay, but recently decided to pay to get my files decrypted.

I have a couple questions:
- I never saw the ransomware page so I wasn't able to screenshot the payment address. The instructions from QNAP to restore the ransomware page aren't there anymore. Where can I find the instructions to restore the ransomware page?

- I read some of the most recent pages on this thread and it looks like the ransom amount is now up to 0.05 BTC from 0.03 BTC. Is this change for everyone or just the ones that were infected later?

Thanks!
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

rkleung wrote: Sat Aug 13, 2022 11:11 pm - I never saw the ransomware page so I wasn't able to screenshot the payment address. The instructions from QNAP to restore the ransomware page aren't there anymore. Where can I find the instructions to restore the ransomware page?
QNAP Security Advisories
DeadBolt Ransomware
Release date: June 17, 2022
Security ID: QSA-22-19
Severity: Critical
Affected products: QNAP NAS running QTS 4.3.x, 4.4.x, and outdated applications
Not affected products: QNAP NAS running QTS 4.2.x, 4.5.x, 5.x, and QuTS hero h4.5.x, h5.x
Status: Information
Summary
QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.3.x and 4.4.x, and outdated applications.

QTS 4.2.x, 4.5.x, and 5.0.x, and QuTS hero h4.5.x and h5.x, are not affected.

Recommendation
To secure your NAS, we strongly recommend updating QTS or QuTS hero and all applications in App Center to the latest version immediately.

If you are using QTS 4.3.x, we recommend one of the following builds to ensure your device is safe from the ransomware:
QTS 4.3.6.2050 build 20220526 and later
QTS 4.3.4.1976 build 20220303 and later
QTS 4.3.3.2057 build 20220623 and later

If you are using QTS 4.4.x, we recommend upgrading to one of the following versions:
QTS 4.5.x
QTS 5.x

Regardless of which QNAP operating system version you are using, please update all applications on your NAS to the latest versions.

What if my NAS has already been compromised?

If your NAS has already been compromised, take a screenshot of the ransom note to keep the bitcoin address, and then upgrade to the latest firmware version. The built-in Malware Remover application will automatically quarantine the ransom note that hijacks the login page.

If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, please contact QNAP Support for assistance.

Updating QTS or QuTS hero

Log on to QTS or QuTS hero as an administrator using one of the following URLs in a web browser:
http://nas_ip:8080/cgi-bin/index.cgi
https://nas_ip/cgi-bin/index.cgi
Note: Replace "nas_ip" with your NAS IP address.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS or QuTS hero downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating All NAS Applications

Log on to QTS or QuTS hero as administrator.
Open App Center.
Locate Install Updates on the upper right corner of the screen.
Click All.
A confirmation message appears.
Click OK.
QTS or QuTS hero updates all installed applications.
rkleung wrote: Sat Aug 13, 2022 11:11 pm - I read some of the most recent pages on this thread and it looks like the ransom amount is now up to 0.05 BTC from 0.03 BTC. Is this change for everyone or just the ones that were infected later?
Nobody here can give you a definitive answer, but as already mentioned in this thread, you may want to try and see if you can get away with paying the 0.03 BTC and, if you don't get your OP_RETURN after a day or so, pay the additional amount.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I can give you a definitive answer. The new campaign, which started in July, is 0.05 BTC. Most likely due to the decline in BTC prices, as 0.03 in Jan was about $1100 and 0.05 now is ~$1100.

This cost is simply hard-coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.

Whatever your client asked for is what you pay. Whether it will work or not going as far back as Jan, I can't say. As long as they still have the process running on the initial campaign, it should work, but if not you are SOL.

Also, if you do not have the send address (these are unique for every client) you are also SOL. Without the correct address to make your payment to, there is no currently known way to recover the files.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lambdapi wrote: Sun Aug 14, 2022 12:29 am I can give you a definitive answer.
lambdapi wrote: Sun Aug 14, 2022 12:29 am Whether it will work or not going as far back as Jan, I can't say.
Not really "definitive" then :) :)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

lambdapi wrote: Sun Aug 14, 2022 12:29 am This cost is simply hard-coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.
Do you have a location for this config file? What is it named?

dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

OneCD wrote: Sun Aug 14, 2022 2:37 am
lambdapi wrote: Sun Aug 14, 2022 12:29 am This cost is simply hard-coded into a config file that is left with the virus, along with the client ID and BTC address. The landing page reads these values and presents them.
Do you have a location for this config file? What is it named?
It is actually embedded in the Deadbolt replacement HTML file rather than a config file, from what I've read :)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
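The advisory quoted earlier tells victims to keep the bitcoin address from the ransom note, and the last two posts say the address and amount are embedded in the replacement page. The code below is an added example, not QNAP's tooling or anything from the thread: it pulls `bc1` candidates out of a recovered note and validates each one with the bech32/bech32m checksum from BIP173/BIP350, so an address mistyped from a screenshot is caught before funds go to a string nobody holds a key for. The sample note HTML is constructed (the real DeadBolt page layout is not shown on this page), and the valid sample address is the BIP173 P2WPKH test vector rather than any victim's address.

```python
"""Find and checksum-validate segwit addresses in a recovered ransom note (added example)."""
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2bc830a3


def bech32_polymod(values):
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup bits (BIP173 reference algorithm); None on invalid padding."""
    acc = bits = 0
    ret, maxv = [], (1 << tobits) - 1
    for value in data:
        if value < 0 or value >> frombits:
            return None
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return ret


def check_segwit_address(addr, expected_hrp="bc"):
    """(ok, reason): ok only for a well-formed address on the expected network."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case"
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False, "bad separator position or length"
    hrp, rest = addr[:sep], addr[sep + 1:]
    if hrp != expected_hrp:
        return False, f"hrp {hrp!r} is not {expected_hrp!r}"
    if any(c not in CHARSET for c in rest):
        return False, "character outside the bech32 alphabet"
    data = [CHARSET.index(c) for c in rest]
    version = data[0]
    if version > 16:
        return False, "witness version out of range"
    poly = bech32_polymod(hrp_expand(hrp) + data)
    want = BECH32_CONST if version == 0 else BECH32M_CONST   # BIP350: v1+ uses bech32m
    if poly != want:
        return False, "checksum mismatch (typo or corruption)"
    prog = convertbits(data[1:-6], 5, 8, pad=False)
    if prog is None or not 2 <= len(prog) <= 40:
        return False, "bad witness program length"
    if version == 0 and len(prog) not in (20, 32):
        return False, "v0 program must be 20 or 32 bytes"
    return True, f"witness v{version}, {len(prog)}-byte program"


ADDR_RE = re.compile(r"\b(bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})\b", re.IGNORECASE)
AMOUNT_RE = re.compile(r"(\d+\.\d+)\s*bitcoin", re.IGNORECASE)


def find_candidate_addresses(text):
    return [m.group(1) for m in ADDR_RE.finditer(text)]


def find_amount(text):
    m = AMOUNT_RE.search(text)
    return m.group(1) if m else None


def audit_note(text):
    """[(address, ok, reason), ...] for every bc1 string in the note."""
    return [(a, *check_segwit_address(a)) for a in find_candidate_addresses(text)]


# Constructed sample; the valid address is the BIP173 test vector, the second copy has one typo.
SAMPLE_NOTE = """<html><body>
<p>You can make a payment of (exactly) 0.050000 bitcoin to the following address:</p>
<p class="addr">bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4</p>
<p>copied by hand: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5</p>
</body></html>"""

if __name__ == "__main__":
    print("amount:", find_amount(SAMPLE_NOTE))
    for addr, ok, why in audit_note(SAMPLE_NOTE):
        print("OK  " if ok else "BAD ", addr, why)
```

Run it over the recovered `index.html` (or over the text you typed from the screenshot) before paying. A passing checksum proves only that the string is a well-formed address; it says nothing about who controls it, so the address must still match the note on the compromised device itself.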
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

dosborne wrote: Sun Aug 14, 2022 10:10 am It is actually embedded in the deadbolt replacement html file rather than a config file from what I've read :)
I’m testing what I suspect is @lambdapi’s assumption. ;)

sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

Back to the fake BTC transaction... couldn't QNAP simulate a 50 BTC fake transaction to obtain the master password?
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Wasn't it already established that there is no master password? Saw something posted a while ago that the encryption scheme used simply does not allow for one.

Even if so, pretty sure the 50 BTC master password would have more scrutiny than individual victim pay/release workflows.
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

In any case, if someone is sooooo kind to generate a fake BTC transaction to this address, so to obtain my private key, then I would really be grateful and willing to pay some beers.
You can make a payment of (exactly) 0.050000 bitcoin to the following address:
bc1qj7989cl9c86qawvjkwlcw6s0xz8ma4w7f9l07t

/Gianluca
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

In the encrypted files there is a user id and a master password hash, so some sort of scheme to convert the master password and the user id into the individual password should exist.
qsurenot
New here
Posts: 2
Joined: Mon Aug 15, 2022 4:56 pm

Re: [RANSOMWARE] Deadbolt

Post by qsurenot »

dosborne wrote: Fri Aug 12, 2022 10:29 am
tomaii wrote: Fri Aug 12, 2022 10:12 am .Same for reminding us that criminals are behind this, and our money will just feed them… We all know it, and it hurts, but if we do it, it’s because we are out of options.
The lesson about backups cannot be repeated enough. If everybody already knew how important a backup is for ANY reason, not just ransomware, then you and the many others would not be posting here now.

By supporting the criminal activity (paying) you are not just taking a hit financially, you (collectively) are putting everyone at risk as hundreds of thousands of dollars can then be used to find new ways that could target us all.

You *DID* have an option, in fact, 2 options. Pay, or not pay. If your NAS had been stolen (or burnt up in a fire) you would have no options other than complete data loss.

I'm sorry if you feel embarrassed, but by talking about the problem and repeatedly educating people about the importance of backups against many different threats, others may learn *before* they get hit or run into other issues. The day people stop posting that they were hit by ransomware and had no backup is the day I will stop reminding people to have a backup against as many threats as possible. This is only ONE of MANY possible threats.

Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:

1. By definition a NAS is often THE BACKUP device for many users. So even people who are diligent about backups could find themselves tangled in this mess. And if you're talking about a 3-2-1 backup strategy or more advanced strategies, it'd be too advanced for the majority of people who just wanted a safe place for their photos and files.

2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.

3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.

4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.

5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were setup and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.

And to everyone in the middle of this mess, please don't feel ashamed or that you did anything wrong. You were let down by a terrible vendor and that should be the #1 lesson you take out of this.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

Unfortunately this is the great mistake most of the users made: a NAS is NOT a backup! If the NAS is a backup, then the data still exists in the original place!
But in the minds of most people "backup" is still a central place to store a single copy of their data.
And I agree you can't say it enough: a NAS is not a backup!
And where else should you put this message if not in such a thread!? This is the thread which affected users (victims) will (hopefully) read, and learn the painful lesson.
I still hope that every user gets their data back, but I also insist on pointing to backup, backup and backup!!!
And even if QNAP is a bad vendor regarding security, it's up to the user to secure his LAN! This is of course the task of the user. This is nothing you can blame QNAP for.
If you leave your home unlocked, you can't blame the vendor of your door, even if he says in an advertisement "our door is safe"!
It's still up to you to lock the door. Same when using a LAN: you are the responsible person for your security!

Regards