[RANSOMWARE] >>READ 1st Post<< Deadbolt

dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

lambdapi wrote: Mon Aug 15, 2022 11:40 pm [...] and then thumbed manually through open terminal windows looking for machines that they were able to log into.
Very highly doubt that all these compromised machines were "manually stumbled" through. It's an automated attack based on exploits, plain and simple.

Get the flippin NAS out of the flippin web
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

dosborne wrote: Mon Aug 15, 2022 8:55 pm
qsurenot wrote: Mon Aug 15, 2022 5:20 pm
dosborne wrote: Fri Aug 12, 2022 10:29 am Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:
This is not criminal hacker tech support, this is QNAP community support. As there is no "fix" for this ransomware, the only solution that can be offered is to help people with data recovery and planning to prevent the next attack. It cannot be said enough, therefore this *IS* the place. Many users come here specifically to read about Deadbolt and need the information on creating a backup plan for the future.

Read the posts about people being hit with multiple waves of ransomware that even paying for the key does not help recover all files.
1. By definition a NAS is often THE BACKUP device for many users, for the majority of people who just wanted a safe place for their photos and files.
Great. Then their original data is safe and unaffected. Secure the network, remove the malware, make a new backup. No data loss.
2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.
No, if this is the only source, it is not a backup, it is the original and should be backed up if it is important to the user.
3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.

5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were setup and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.
Again, QNAP is not the only vendor affected by this or many other malware attacks. Also, backups protect against a thousand things other than malware.
4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.
"Contributing" - perhaps, but ultimately the security of YOUR network is YOUR responsibility. If your router locked down UPnP for instance, which many are finally disabling by default, then the ransomware would not have affected so many NAS users. Shouldn't you be "blaming" your router manufacturer instead (or as well) then?
I don't even understand why you are commenting with your elitist BS. You can talk the talk all you want but the bottom line is that by default UPnP is enabled, and why? BECAUSE THE QNAP THROUGH AND THROUGH WAS MARKETED TO US AS AN INTERNET-FACING DEVICE. Webserver, email, p2p sharing. I don't care that they have backtracked on that now. I don't care that I don't log in and read the QNAP forums on a daily basis. If this was for work, it would've been treated very differently. Not to mention in a business environment I have equipment in place that can do sophisticated malware protection.

You're sitting here jabbering about how it's everyone else's fault because they don't know what UPnP is. Well, I'm a 20-year enterprise IT engineer. UPnP is disabled in my router. I NATed my QNAP:443 to the WAN years ago. WHY? BECAUSE IT WAS SOLD AS AN INTERNET-FACING DEVICE. You can argue that point if you want but it's all just static drivel. I know what I bought and I see how that has changed. Unfortunately I wasn't watching that. I've been through scores of pentests, external audits, breaches, post-mortems, disaster recovery drills, and audit remediation cycles. We don't all take that kind of security home with us and we shouldn't have to. Especially not when I bought an internet-facing private file hosting device.
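The UPnP point in the exchange above (a router that honours UPnP port-mapping requests is how a NAS ends up reachable from the internet without anyone forwarding a port by hand) is easy to check for yourself. The script below is an added example, not code from the thread, from QNAP or from any router vendor. It follows the UPnP IGD v1 profile: SSDP discovery of the gateway, then repeated WANIPConnection:1 GetGenericPortMappingEntry calls until the gateway returns a fault, and it lists every mapping whose internal client is the address you give it. The gateway description and SOAP replies embedded in it are constructed samples (not captured from a real device) so the parsing can be exercised offline; the NAS address 192.168.1.50 is an assumption.

```python
"""Enumerate the port mappings a UPnP-enabled router holds and flag those that
forward to a given LAN host. Added example (not from the thread, QNAP or any
router vendor) following the UPnP IGD v1 profile: SSDP discovery, then
WANIPConnection:1 GetGenericPortMappingEntry. The device description and SOAP
replies embedded below are constructed samples so the parsing runs offline."""
from __future__ import annotations

import re
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin
from xml.etree import ElementTree as ET

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"


def discover_igd(timeout: float = 2.0) -> str | None:
    """SSDP M-SEARCH for an IGD; returns its description URL, or None if nothing answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_GROUP)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    m = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
    return m.group(1).decode() if m else None


def control_url(description_xml: str, base_url: str) -> str | None:
    """Find the WANIPConnection:1 control URL in the gateway's device description."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == WANIP:
            return urljoin(base_url, svc.findtext(DEV_NS + "controlURL") or "")
    return None


def soap_get_mapping(ctl: str, index: int) -> bytes:
    """POST GetGenericPortMappingEntry(index); SOAP faults arrive as HTTP 500 bodies."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}"><NewPortMappingIndex>{index}'
            "</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()
    req = urllib.request.Request(ctl, data=body, method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def parse_mapping(reply: bytes) -> dict[str, str] | None:
    """One mapping as a dict of the New* fields; None on a SOAP fault, which is
    how the gateway signals the end of its table (UPnP error 713)."""
    root = ET.fromstring(reply)
    if any(el.tag.endswith("Fault") for el in root.iter()):
        return None
    return {el.tag.split("}")[-1]: (el.text or "")
            for el in root.iter() if el.tag.split("}")[-1].startswith("New")}


def all_mappings(ctl: str, limit: int = 256) -> list[dict[str, str]]:
    out: list[dict[str, str]] = []
    for i in range(limit):
        entry = parse_mapping(soap_get_mapping(ctl, i))
        if entry is None:
            break
        out.append(entry)
    return out


def forwarded_to(mappings: list[dict[str, str]], host: str) -> list[str]:
    """Readable lines for every mapping whose internal client is `host`."""
    return [f"{m['NewProtocol']} {m['NewExternalPort']} -> {host}:{m['NewInternalPort']}"
            f" ({m.get('NewPortMappingDescription', '')}) enabled={m.get('NewEnabled', '?')}"
            for m in mappings if m.get("NewInternalClient") == host]


# Constructed samples (not captured from a real router) for offline use.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList>
<device><deviceList><device><serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></deviceList></device></deviceList></device></root>"""
SAMPLE_REPLY = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>443</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>QNAP NAS</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":  # live run against the LAN gateway: python upnp_mappings.py <nas-ip>
    nas_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"  # assumed NAS address
    loc = discover_igd()
    if not loc:
        sys.exit("no UPnP IGD answered (UPnP is off on the router, or there is none)")
    with urllib.request.urlopen(loc, timeout=5) as r:
        ctl = control_url(r.read().decode(), loc)
    lines = forwarded_to(all_mappings(ctl), nas_ip) if ctl else ["no WANIPConnection:1 service"]
    print("\n".join(lines or [f"no mappings to {nas_ip}"]))
```

A gateway that answers the M-SEARCH at all is the first finding; any TCP 443/8080 mapping to the NAS address is the second, and deleting it on the router (and disabling UPnP there) is what "get the NAS off the web" means in practice.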
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

We (at least I am) repeat this whole mantra of not exposing your NAS devices (no matter what QNAP promises in their shiny websites) for YEARS, over and over and over again.

Sorry, an enterprise IT engineer of 20 years that exposes consumer NAS devices to the open web just because the manufacturer says it's all fine and dandy (and has apparently NOT heard or read of all these attacks in the security publication of your choice), HAD to learn that lesson. Be glad it was not in any sort of 3rd party liability situation.

If you want to switch brands .. be our guest .. how about ASUSTOR
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

dolbyman wrote: Mon Aug 15, 2022 11:56 pm
lambdapi wrote: Mon Aug 15, 2022 11:40 pm [...] and then thumbed manually through open terminal windows looking for machines that they were able to log into.
Very highly doubt that all these compromised machines were "manually stumbled" through. It's an automated attack based on exploits, plain and simple.

Get the flippin NAS out of the flippin web
They absolutely did. There was a two day delay in the logs between when the new user "test2" was created and when they started making changes. For two days there was a blinking command prompt sitting there connected to my NAS until they got to it. Then they enabled DFS folder aggregation and turned off advanced permissions. You can see the 10-20 second delays in the logs while they figured out what they needed to do. Then they had to wait another day (ended up being 3 days) for permissions to rebuild, and then they finally logged in again and launched deadbolt. The timings of this do not coincide with the completion of each task, which says to me with 99% confidence that someone is sitting behind a terminal working through these manually, and then generating a new key from their BTC script, dropping it on the machine, encrypting it and closing the connection.
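The timing evidence lambdapi describes (an account created, a gap of days, a short burst of configuration changes seconds apart, another gap of days, then the payload) is the kind of thing worth extracting from the event log rather than eyeballing. The script below is an added example, not code from the thread or from QNAP: it parses an exported event log, splits it into sessions on idle gaps, and reports the median gap between actions inside each session and the dwell time between sessions. The log lines are constructed to follow the sequence in the post, the tab-separated format is an assumption (not QTS's real export format), and the tempo thresholds are heuristics to be corroborated against connection logs and command history, not proof on their own.

```python
"""Inter-event timing over an exported NAS event log. Added example, not code
from the thread or from QNAP. The sample is a constructed stand-in for a QTS
event-log export; each line is tab-separated: timestamp, user, source IP, message."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed sample following the sequence described in the post.
SAMPLE_LOG = """\
2022-08-05 03:12:41\tadmin\t203.0.113.17\t[User] Added user "test2".
2022-08-07 09:40:02\ttest2\t203.0.113.17\t[Login] Logged in via HTTPS.
2022-08-07 09:40:19\ttest2\t203.0.113.17\t[Shared Folder] Enabled folder aggregation (DFS).
2022-08-07 09:40:33\ttest2\t203.0.113.17\t[Shared Folder] Disabled advanced folder permissions.
2022-08-07 09:40:50\ttest2\t203.0.113.17\t[Logout] Logged out.
2022-08-10 21:05:11\ttest2\t203.0.113.17\t[Login] Logged in via HTTPS.
2022-08-10 21:05:12\ttest2\t203.0.113.17\t[App] Installed package SSDPd.
2022-08-10 21:05:12\ttest2\t203.0.113.17\t[Logout] Logged out.
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    msg: str


def parse_log(text: str) -> list[Event]:
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, msg = line.split("\t", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, src, msg))
    return sorted(events, key=lambda e: e.ts)


def new_accounts(events: list[Event]) -> list[str]:
    """Accounts created inside the log window (the 'test2' pattern)."""
    return [m.group(1) for e in events if (m := re.search(r'Added user "([^"]+)"', e.msg))]


def split_sessions(events: list[Event], idle: timedelta = timedelta(minutes=30)) -> list[list[Event]]:
    """Group events into sessions: a gap longer than `idle` starts a new one."""
    sessions: list[list[Event]] = []
    for e in events:
        if sessions and e.ts - sessions[-1][-1].ts <= idle:
            sessions[-1].append(e)
        else:
            sessions.append([e])
    return sessions


def session_profile(session: list[Event]) -> dict:
    """Median gap between consecutive actions plus a tempo label. The thresholds
    are assumptions: sub-2 s medians look scripted, tens of seconds is the band a
    person reading a UI produces. A lead to corroborate, not proof either way."""
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(session, session[1:])]
    if not gaps:
        return {"events": 1, "median_gap_s": None, "tempo": "single-event"}
    m = median(gaps)
    tempo = "scripted" if m < 2 else "human-scale" if m <= 120 else "slow/idle"
    return {"events": len(session), "median_gap_s": m, "tempo": tempo}


def dwell_times(sessions: list[list[Event]]) -> list[timedelta]:
    """End of one session to start of the next: the multi-day waits in the post."""
    return [nxt[0].ts - prev[-1].ts for prev, nxt in zip(sessions, sessions[1:])]


def report(text: str = SAMPLE_LOG) -> list[str]:
    events = parse_log(text)
    sessions = split_sessions(events)
    lines = [f"accounts created: {new_accounts(events)}"]
    for i, s in enumerate(sessions, 1):
        p = session_profile(s)
        lines.append(f"session {i}: {s[0].ts} user={s[0].user} src={s[0].src} "
                     f"events={p['events']} median_gap_s={p['median_gap_s']} tempo={p['tempo']}")
    for i, d in enumerate(dwell_times(sessions), 1):
        lines.append(f"dwell between session {i} and {i + 1}: {d}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the constructed sample this yields three sessions: the account creation alone, a four-event session with a 17 s median gap two days later, and a sub-second session three days after that. Export the real log from the NAS (and the router's connection log, if it keeps one) before reflashing, since a firmware update can take the evidence with it.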
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

dolbyman wrote: Tue Aug 16, 2022 12:05 am We (at least I am) repeat this whole mantra of not exposing your NAS devices (no matter what QNAP promises in their shiny websites) for YEARS, over and over and over again.

Sorry, an enterprise IT engineer of 20 years that exposes consumer NAS devices to the open web just because the manufacturer says it's all fine and dandy (and has apparently NOT heard or read of all these attacks in the security publication of your choice), HAD to learn that lesson. Be glad it was not in any sort of 3rd party liability situation.

If you want to switch brands .. be our guest .. how about ASUSTOR
Keep it up with the ASUSTOR dribble too. I'm loving how people keep pointing out that ASUSTOR was also targeted. I didn't buy a no-name ASUSTOR. I bought a QNAP. Guess who wasn't infected?

Synology. And the DS720+ is looking to be every bit the device that the 251 is.
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

dolbyman wrote: Tue Aug 16, 2022 12:05 am We (at least I am) repeat this whole mantra of not exposing your NAS devices (no matter what QNAP promises in their shiny websites) for YEARS, over and over and over again.

Sorry, an enterprise IT engineer of 20 years that exposes consumer NAS devices to the open web just because the manufacturer says it's all fine and dandy (and has apparently NOT heard or read of all these attacks in the security publication of your choice), HAD to learn that lesson. Be glad it was not in any sort of 3rd party liability situation.

If you want to switch brands .. be our guest .. how about ASUSTOR
You're just wrong. I am also an expert with the experience and education to say so too. Web services should not be vulnerable to admin escalation attacks. There are no ifs, ands or buts. This is poor design and I am paying the cost because of it. This wasn't a custom app I was running. I mean seriously? By your ape logic, we wouldn't have an internet.
My NAS is also not a "home consumer NAS", it was sold as an SMB segment storage and collaboration solution.
Last edited by lambdapi on Tue Aug 16, 2022 12:25 am, edited 1 time in total.
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Why would QNAP be better than an Asustor? I fail to see any "premium advantage" between any of the consumer NAS brands.

So you are telling me they manually rummaged through 100k+ infected QNAP units? If so, they have such a large workforce that this justifies the high ransom payments for sure; all these mouths need feeding, even if they are in low-wage countries.

I do not know the market share between all the consumer NAS vendors (a simple check on Shodan etc. would be enough) but the more people buy and expose a device, the more lucrative a target these devices become. The next SynoLocker WILL come
lambdapi wrote: Tue Aug 16, 2022 12:19 am I mean seriously? By your ape logic, we wouldn't have an internet.
I see you are running out of excuses and resort to name calling .. Have an Account Warning on the house.
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lambdapi wrote: Tue Aug 16, 2022 12:00 am I don't even understand why you are commenting with your elitists BS.
Because I am here to help people and educate them on how to protect their systems (maybe they aren't all "professionals" such as yourself) and will continue to do so. Feel free to move along and ignore or bypass posts that you do not feel are important to you. I know **I** will be ignoring your rants moving forward. Thanks for playing. Sorry you seem to be missing the point.
Last edited by dosborne on Tue Aug 16, 2022 12:44 am, edited 1 time in total.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I don't even understand what point you are trying to make. ASUSTOR didn't even exist when I bought my first QNAP. The features are not the same. ASUSTOR doesn't run on QTS.

Also there are not 100k infected QNAPs, the numbers per campaign are in the thousands.

And yes they are. They are running an automated script to test whether they can gain administrator access. Then an engineer logs in, analyzes the configuration and makes the required changes so that the deadbolt executable can run, and then it is encrypted.

For such a knowledge fountain here, you sure do seem to be pretty disconnected from how malware campaigns like this one work. You think it's just a few nerdy teens with TOR?

These are businesses with employees. Probably an office.

And just another observation about them. They like 3D printing. I can't for the life of me figure out why almost every graphics format was compromised, including ones I've never used, but .STL, which is the bread and butter of the 3D printing world, was not encrypted.
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

lambdapi wrote: Tue Aug 16, 2022 12:34 am And yes they are. They are running an automated script to test whether they can gain administrator access. Then an engineer logs in, analyzes the configuration and makes the required changes so that the deadbolt executable can run, and then it is encrypted.

For such a knowledge fountain here, you sure do seem to be pretty disconnected from how malware campaigns like this one work. You think it's just a few nerdy teens with TOR?
They find (or buy) exploits and do the work once, and then the exploit runs automatically. I agree that these are probably "businesses", but unless we are talking about high-level corporate espionage/malware attacks or spearphishing, these are not done manually.

But let's end this discussion here as it is turning in circles: you exposed your NAS, you got infected. End of story.
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

Hi,

with my TS-231, I was affected with Deadbolt and I updated my firmware directly, and then I lost the deadbolt page. How can I restore it, please? Or how can I find the address to pay it, please?
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Geraud W wrote: Tue Aug 16, 2022 2:32 am with my TS-231, I was affected with Deadbolt and I updated my firmware directly, and then I lost the deadbolt page. How can I restore it, please? Or how can I find the address to pay it, please?
Contact QNAP support to see if they can restore it for you.

Hopefully, the malware remover put it in "quarantine" but be prepared for it being lost due to the FW update.

You can also look in /mnt/HDA_ROOT/update_pkg folder to see if the SSDPd.bin file is there and "reinfect" yourself (very risky).
https://www.bleepingcomputer.com/forums ... on/page-38

If the above options (quarantine and SSDPd.bin) fail, then there is little or no hope (at least for now) for recovery. If that is the case, I'd suggest taking a backup of your encrypted files just in case there is a solution at some point in the future. Then clean your system completely and start all over.

But, step #1 - ***IMMEDIATELY*** get your NAS off the internet so that you are not further infected, reducing your chances of ever recovering even more. (see post #1 in this thread and follow the directions)
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

Unfortunately, I don't have this bin file in this folder. I already contacted QNAP support, and they are not able to recover my page to get the address.
I found the file whose filename contains digits, which has been moved or removed by Malware Remover; its location was in /mnt/HDA_ROOT.

How can I contact the hacker, or how could I get this address from my computer (cache files in Windows, or any files)?
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Geraud W wrote: Tue Aug 16, 2022 4:03 am how can I contact the hacker or how could I have this address from my computer ( cache files in windows, or any files ) ?
There is no way to contact the deadbolt ransomware hackers. Honestly, they obviously don't care about you, they just want the easy money.

This is what *I* would do in your situation:

- immediately secure your network properly to ensure you don't suffer another attack adding infinitely more complexity to your situation.

- immediately take a backup of your NAS. This preserves the files a) in the event you can pay the ransom (if you get the required BTC address), b) gives you a backup for the future in case there is a master key or other "fix", c) protects you against further damage in case something in attempting to recover goes wrong.

Without the BTC address or the SSDPd.bin to recreate the ransomware notice, I don't think there is anything that can be done at the moment (I never heard that the "numbered file" that gets created by SSDPd.bin is useful in any way, and I don't think it is ... I think it's just the (en/de)cryption engine and the key gets passed to it as a parameter by SSDPd.bin). Getting this file from someone else won't help your situation either apparently, as the key is embedded in it as a unique value or randomly generated when run, so that scenario could make things worse (unless you take the above mentioned backup of your CURRENT files) by encrypting yet again with a different (second) key.

Give the entire post in the link I posted previously a read, there may be more options there, I just browsed it, didn't read every post in detail.

Go through your files. There have been some (minimal) examples where files were renamed only and not actually encrypted. Maybe there are folders that were not hit. Look in the recycle bins, snapshots, etc.

Sorry to say, I think you are in a bad position with a low success rate for recovery.

Although it doesn't help your situation, QNAP needs to either rework the malware removal app so that it does a better preservation of the ransom page or ensure that a firmware update doesn't overwrite it (or both, but I think the nail in the coffin in your case was the admin html file being overwritten by the FW update)
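Two of dosborne's recovery steps above lend themselves to a read-only script: look for the SSDPd.bin artifact under /mnt/HDA_ROOT/update_pkg, and go through the renamed files to find the ones that were renamed but not actually encrypted. The example below is added here and is not QNAP's code or part of Malware Remover. It reads the first 4 KiB of every file carrying the ransom suffix and reports whether a known file header is still intact (renamed only), whether the header is high-entropy (consistent with encryption), or neither; it never executes anything it finds, and it is meant to run on a workstation against a mounted share or a backup copy taken first. The `.deadbolt` suffix, the magic-byte table and the entropy threshold are assumptions; the directory tree it builds for itself is a constructed fixture.

```python
"""Read-only triage of a share copy after a Deadbolt hit: which renamed files
still carry an intact header (renamed only), which look encrypted, and whether
the SSDPd.bin artifact is present under update_pkg. Added example, not QNAP's
code; it reads headers only and never executes anything it finds."""
from __future__ import annotations

import math
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_SUFFIX = ".deadbolt"  # assumption: pass another suffix if yours differs
# Relative to a copied NAS root ("/" when run on the box itself); the path from the post.
ARTIFACT_PATHS = ("mnt/HDA_ROOT/update_pkg/SSDPd.bin",)

# A file that still starts with one of these was renamed, not encrypted.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
    "zip/office": b"PK\x03\x04",
    "gif": b"GIF8",
    "stl-ascii": b"solid ",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and ciphertext sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, entropy_threshold: float = 7.2) -> str:
    """Verdict from the first 4 KiB: intact magic, high entropy, or unsure."""
    with path.open("rb") as fh:
        head = fh.read(4096)
    for name, magic in MAGIC.items():
        if head.startswith(magic):
            return f"renamed-only ({name} header intact)"
    if shannon_entropy(head) >= entropy_threshold:
        return "encrypted (high-entropy header)"
    return "unknown (no known magic, low entropy; inspect manually)"


def triage(root: Path, suffix: str = RANSOM_SUFFIX) -> dict[str, str]:
    """Map every file carrying the ransom suffix to its verdict."""
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob(f"*{suffix}")) if p.is_file()}


def artifacts_present(root: Path) -> dict[str, bool]:
    """Which of the known dropper paths exist below `root` (checked, not opened)."""
    return {rel: (root / rel).is_file() for rel in ARTIFACT_PATHS}


def build_demo_tree(root: Path) -> None:
    """Constructed fixture standing in for a share copy; all contents are synthetic."""
    (root / "photos").mkdir(parents=True)
    (root / "photos" / "img1.jpg.deadbolt").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    (root / "docs").mkdir()
    (root / "docs" / "tax.pdf.deadbolt").write_bytes(bytes(range(256)) * 16)  # stands in for ciphertext
    (root / "prints").mkdir()
    (root / "prints" / "bracket.stl").write_bytes(b"solid bracket\nendsolid bracket\n")
    (root / "mnt/HDA_ROOT/update_pkg").mkdir(parents=True)
    (root / "mnt/HDA_ROOT/update_pkg/SSDPd.bin").write_bytes(b"placeholder, never run")


def demo() -> tuple[dict[str, str], dict[str, bool]]:
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        return triage(root), artifacts_present(root)


if __name__ == "__main__":
    files, arts = demo()  # replace demo() with triage(Path("/path/to/copy")) for a real share
    for rel, verdict in files.items():
        print(f"{verdict:48} {rel}")
    for rel, present in arts.items():
        print(f"{'PRESENT' if present else 'absent':48} {rel}")
```

A "renamed-only" verdict means the original bytes are still there and stripping the suffix recovers the file; an "encrypted" verdict means only the key helps, so those files go into the backup you keep in case a decryptor ever appears. If the artifact check reports SSDPd.bin present, copy it somewhere safe rather than running it.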
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

Hello, would someone be so kind as to generate a fake BTC transaction to this address, so as to obtain my private key? Then I would really be grateful and willing to donate to his cause.
You can make a payment of (exactly) 0.050000 bitcoin to the following address:
bc1qj7989cl9c86qawvjkwlcw6s0xz8ma4w7f9l07t