Very highly doubt that all these compromised machines were "manually stumbled" through. It's an automated attack based on exploits, plain and simple.
Get the flippin' NAS out of the flippin' web
I don't even understand why you are commenting with your elitist BS. You can talk the talk all you want but the bottom line is that by default UPnP is enabled and why? BECAUSE THE QNAP THROUGH AND THROUGH WAS MARKETED TO US AS AN INTERNET-FACING DEVICE. Webserver, email, p2p sharing. I don't care that they have backtracked on that now. I don't care that I don't log in and read the QNAP forums on a daily basis. If this was for work, it would've been treated very differently. Not to mention in a business environment I have equipment in place that can do sophisticated malware protection.

dosborne wrote: ↑Mon Aug 15, 2022 8:55 pm
This is not criminal hacker tech support, this is QNAP community support. As there is no "fix" for this ransomware, the only solution that can be offered is to help people with data recovery and planning to prevent the next attack. It cannot be said enough, therefore this *IS* the place. Many users come here specifically to read about Deadbolt and need the information on creating a backup plan for the future.

qsurenot wrote: ↑Mon Aug 15, 2022 5:20 pm
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:

dosborne wrote: ↑Fri Aug 12, 2022 10:29 am
Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)
These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.
We are trying to help you, so that you aren't back in the same situation in 3 months.
Read the posts about people being hit with multiple waves of ransomware that even paying for the key does not help recover all files.
Great. Then their original data is safe and unaffected. Secure the network, remove the malware, make a new backup. No data loss.

1. By definition a NAS is often THE BACKUP device for many users, for the majority of people who just wanted a safe place for their photos and files.

No, if this is the only source, it is not a backup, it is the original as should be backed up if it is important to the user.

2. A NAS is also often used as an Archive device (example, for old laptops) so it's not data you'd normally keep multiple copies or backups of. Again, this is THE backup device that got attacked.

Again, QNAP is not the only vendor affected by this or many other malware attacks. Also, backups protect against a thousand things other than malware.

3. More importantly, a "you should just have backups" mentality shifts the blame to the victims rather than putting the focus on vendors like QNAP who are entirely, completely, absolutely 100% responsible for this mess! People are just as likely to not be back here in 3 months not because they took your "just have backups" advice but because they used a decent vendor that takes the security of their devices seriously.

5. This wasn't something that was exploited due to weak passwords or a system mis-configuration. This is a vulnerability affecting systems that were set up and operating exactly as designed and recommended by the vendor. So picking this vendor was the ONLY thing the majority of these users "did to allow the attack" as you worded it.

"Contributing" - perhaps, but ultimately the security of YOUR network is YOUR responsibility. If your router locked down UPnP for instance, which many are finally disabling by default, then the ransomware would not have affected so many NAS users. Shouldn't you be "blaming" your router manufacturer instead (or as well) then?

4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.
They absolutely did. There was a two day delay in the logs between when the new user "test2" was created and when they started making changes. For two days there was a blinking command prompt sitting there connected to my NAS until they got to it. Then they enabled DFS folder aggregation and turned off advanced permissions. You can see the 10-20 second delays in the logs while they figured out what they needed to do. Then they had to wait another day (ended up being 3 days) for permissions to rebuild, and then they finally logged in again and launched deadbolt. The timings of this do not coincide with the completion of each task which says to me with 99% confidence that someone is sitting behind a terminal working through these manually, and then generating a new key from their BTC script, dropping it on the machine, encrypting it and closing the connection.
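The post above reads an attack timeline out of the NAS logs: a new account created, a multi-day dwell before it is used, hand-paced configuration changes, then the encryptor launched days later. The script below is an added example (not code from this thread or from QNAP) of turning that reasoning into a triage check a defender can run over an exported audit log. The log layout ("date time user action detail"), the action names, and the sensitive-action set are assumptions, and the sample lines are constructed to mirror the sequence the poster describes; real QNAP logs would need their own parser.

```python
"""Timeline triage of constructed NAS audit-log lines: flags a newly created
account that later performs sensitive configuration changes, and estimates
from inter-command gaps whether a session looks operator-driven or scripted."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines in an assumed "date time user action detail" layout.
# They are illustrative, not real QNAP log output.
SAMPLE_LOG = """\
2022-08-01 02:13:40 admin user.create test2
2022-08-01 08:00:00 admin login ok
2022-08-01 08:00:00 admin share.config snapshot=on
2022-08-03 03:41:10 test2 login ok
2022-08-03 03:41:24 test2 share.config dfs_aggregation=on
2022-08-03 03:41:41 test2 share.config advanced_permissions=off
2022-08-03 03:41:58 test2 permission.rebuild start
2022-08-06 01:05:02 test2 login ok
2022-08-06 01:05:09 test2 process.exec deadbolt
"""

# Assumed set of actions an intruder needs before an encryptor can run.
SENSITIVE = {"share.config", "permission.rebuild", "process.exec"}
SESSION_GAP = timedelta(minutes=10)   # events by one user further apart start a new session
HUMAN_GAP_RANGE = (5.0, 120.0)        # median seconds between commands typical of a hand-driven shell


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_log(text):
    """Parse the assumed layout and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action, *rest = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), user, action, " ".join(rest)))
    return sorted(events, key=lambda e: e.ts)


def sessions(events):
    """Group each user's events into sessions separated by more than SESSION_GAP."""
    per_user = {}
    for e in events:
        runs = per_user.setdefault(e.user, [])
        if runs and e.ts - runs[-1][-1].ts <= SESSION_GAP:
            runs[-1].append(e)
        else:
            runs.append([e])
    return [s for runs in per_user.values() for s in runs]


def pacing(session):
    """'operator' if command spacing looks hand-typed, 'scripted' if near-instant,
    'unknown' when there are too few events to judge."""
    if len(session) < 3:
        return "unknown"
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(session, session[1:])]
    m = median(gaps)
    if HUMAN_GAP_RANGE[0] <= m <= HUMAN_GAP_RANGE[1]:
        return "operator"
    return "scripted" if m < HUMAN_GAP_RANGE[0] else "unknown"


def analyze(text):
    """Return findings: dwell time from account creation to first login, plus
    every session in which a freshly created account touched a sensitive action."""
    events = parse_log(text)
    created = {e.detail: e.ts for e in events if e.action == "user.create"}
    findings = []
    seen_first_login = set()
    for e in events:
        if e.action == "login" and e.user in created and e.user not in seen_first_login:
            seen_first_login.add(e.user)
            findings.append({"kind": "dwell", "user": e.user,
                             "seconds": (e.ts - created[e.user]).total_seconds()})
    for s in sessions(events):
        hits = [e for e in s if e.action in SENSITIVE]
        if s[0].user in created and hits:
            findings.append({"kind": "sensitive_session", "user": s[0].user,
                             "start": s[0].ts.isoformat(sep=" "),
                             "pacing": pacing(s),
                             "actions": [f"{e.action} {e.detail}" for e in hits]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports a dwell of just over two days for "test2", an operator-paced session that flips share configuration and triggers a permission rebuild, and a later short session that executes the encryptor. The pacing heuristic is deliberately coarse: it separates hand-typed 10-20 second gaps from sub-second scripted bursts, which is the distinction the poster draws, but it should be read as a prompt for a closer look rather than proof of a human at the keyboard.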
Keep it up with the AUSTOR drivel too. I'm loving how people keep pointing out that AUSTOR was also targeted. I didn't buy a no-name AUSTOR. I bought a QNAP. Guess who wasn't infected?

dolbyman wrote: ↑Tue Aug 16, 2022 12:05 am
We (at least I am) repeat this whole mantra of not exposing your NAS devices (no matter what QNAP promises in their shiny websites) for YEARS, over and over and over again.
Sorry, an enterprise IT engineer of 20 years that exposes consumer NAS devices to the open web just because the manufacturer says it's all fine and dandy (and has apparently NOT heard or read of all these attacks in the security publication of your choice), HAD to learn that lesson. Be glad it was not in any sort of 3rd party liability situation.
If you want to switch brands .. be our guest .. how about ASUSTOR
You're just wrong. I am also an expert with the experience and education to say so too. Web services should not be vulnerable to admin escalation attacks. There are no ifs, ands, or buts. This is poor design and I am paying the cost because of it. This wasn't a custom app I was running. I mean seriously? By your ape logic, we wouldn't have an internet.

dolbyman wrote: ↑Tue Aug 16, 2022 12:05 am
We (at least I am) repeat this whole mantra of not exposing your NAS devices (no matter what QNAP promises in their shiny websites) for YEARS, over and over and over again.
Sorry, an enterprise IT engineer of 20 years that exposes consumer NAS devices to the open web just because the manufacturer says it's all fine and dandy (and has apparently NOT heard or read of all these attacks in the security publication of your choice), HAD to learn that lesson. Be glad it was not in any sort of 3rd party liability situation.
If you want to switch brands .. be our guest .. how about ASUSTOR
I see you are running out of excuses and resort to name calling .. Have an Account Warning on the house.
Because I am here to help people and educate them on how to protect their systems (maybe they aren't all "professionals" such as yourself) and will continue to do so. Feel free to move along and ignore or bypass posts that you do not feel are important to you. I know **I** will be ignoring your rants moving forward. Thanks for playing. Sorry you seem to be missing the point.
They find (or buy) exploits and do the work once, and then the exploit runs automatically. I agree that these are probably "businesses", but unless we are talking about high level corporate espionage/malware attacks or spearphishing, these are not done manually.

lambdapi wrote: ↑Tue Aug 16, 2022 12:34 am
And yes they are. They are running an automated script to test whether they can gain administrator access. Then an engineer logs in, analyzes the configuration and makes the required changes so that the deadbolt executable can run, and then it is encrypted.
For such a knowledge fountain here, you sure do seem to be pretty disconnected from how malware campaigns like this one work? You think it's just a few nerdy teens with TOR?
Contact QNAP support to see if they can restore it for you.
There is no way to contact the deadbolt ransomware hackers. Honestly, they obviously don't care about you, they just want the easy money.