[RANSOMWARE] >>READ 1st Post<< Deadbolt

lambdapi
Starting out
Posts: 22
Joined: Thu Aug 06, 2015 7:01 am

Re: [RANSOMWARE] Deadbolt

Post by lambdapi »

I don't even understand what point you are trying to make. ASUSTOR didn't even exist when I bought my first QNAP. The features are not the same. ASUSTOR doesn't run on QTS.

Also, there are not 100k infected QNAPs; the numbers per campaign are in the thousands.

And yes, they are. They are running an automated script to test whether they can gain administrator access. Then an engineer logs in, analyzes the configuration and makes the required changes so that the Deadbolt executable can run, and then it is encrypted.

For such a knowledge fountain here, you sure do seem to be pretty disconnected from how malware campaigns like this one work. You think it's just a few nerdy teens with TOR?

These are businesses with employees. Probably an office.

And just another observation about them: they like 3D printing. I can't for the life of me figure out why almost every graphics format was compromised, including ones I've never used, but .STL, which is the bread and butter of the 3D printing world, was not encrypted.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

lambdapi wrote: Tue Aug 16, 2022 12:34 am And yes, they are. They are running an automated script to test whether they can gain administrator access. Then an engineer logs in, analyzes the configuration and makes the required changes so that the Deadbolt executable can run, and then it is encrypted.

For such a knowledge fountain here, you sure do seem to be pretty disconnected from how malware campaigns like this one work. You think it's just a few nerdy teens with TOR?
They find (or buy) exploits and do the work once, and then the exploit runs automatically. I agree that these are probably "businesses", but unless we are talking about high-level corporate espionage/malware attacks or spearphishing, these are not done manually.

But let's end this discussion here as it is going in circles: you exposed your NAS, you got infected. End of story.
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

Hi,

With my TS-231, I was affected by Deadbolt and I directly updated my firmware, whereupon I lost the Deadbolt page. How can I restore it, please? Or how can I find the address to pay, please?
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Geraud W wrote: Tue Aug 16, 2022 2:32 am With my TS-231, I was affected by Deadbolt and I directly updated my firmware, whereupon I lost the Deadbolt page. How can I restore it, please? Or how can I find the address to pay, please?
Contact QNAP support to see if they can restore it for you.

Hopefully, the malware remover put it in "quarantine" but be prepared for it being lost due to the FW update.

You can also look in /mnt/HDA_ROOT/update_pkg folder to see if the SSDPd.bin file is there and "reinfect" yourself (very risky).
https://www.bleepingcomputer.com/forums ... on/page-38

If the above options (quarantine and SSDPd.bin) fail, then there is little or no hope (at least for now) for recovery. If that is the case, I'd suggest taking a backup of your encrypted files just in case there is a solution at some point in the future. Then clean your system completely and start all over.

But, step #1: ***IMMEDIATELY*** get your NAS off the internet so that you are not further infected, reducing your chances of ever recovering even more. (See post #1 in this thread and follow the directions.)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

Unfortunately, I don't have this bin file in this folder. I already contacted QNAP support, and they are not able to recover my page to get the address.
I found the file whose filename contains digits, which has been moved or removed by Malware Remover; its location was in /mnt/HDA_ROOT.

How can I contact the hacker, or how could I get this address from my computer (cache files in Windows, or any files)?
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Geraud W wrote: Tue Aug 16, 2022 4:03 am How can I contact the hacker, or how could I get this address from my computer (cache files in Windows, or any files)?
There is no way to contact the deadbolt ransomware hackers. Honestly, they obviously don't care about you, they just want the easy money.

This is what *I* would do in your situation:

- immediately secure your network properly to ensure you don't suffer another attack adding infinitely more complexity to your situation.

- immediately take a backup of your NAS. This preserves the files a) in the event you can pay the ransom (if you get the required BTC address), b) gives you a backup for the future in case there is a master key or other "fix", c) protects you against further damage in case something in attempting to recover goes wrong.

Without the BTC address or the SSDPd.bin to recreate the ransomware notice, I don't think there is anything that can be done at the moment (never heard that the "numbered file" that gets created by SSDPd.bin is useful in any way, and I don't think it is ... I think it's just the (en/de)cryption engine and the key gets passed to it as a parameter by SSDPd.bin). Getting this file from someone else won't help your situation either, apparently, as the key is embedded in it as a unique value or randomly generated when run, so that scenario could make things worse (unless you take the above-mentioned backup of your CURRENT files) by encrypting yet again with a different (second) key.

Give the entire post in the link I posted previously a read, there may be more options there, I just browsed it, didn't read every post in detail.

Go through your files. There have been some (minimal) examples where files were renamed only and not actually encrypted. Maybe there are folders that were not hit. Look in the recycle bins, snapshots, etc.

Sorry to say, I think you are in a bad position with a low success rate for recovery.

Although it doesn't help your situation, QNAP needs to either rework the malware removal app so that it does a better preservation of the ransom page or ensure that a firmware update doesn't overwrite it (or both, but I think the nail in the coffin in your case was the admin html file being overwritten by the FW update)
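As an added illustration of the "go through your files" step above (this is example code written for this page, not code from the thread or from QNAP): a small Python triage script that sorts files carrying the ransom suffix into those whose original file header is still intact (renamed only), those whose content looks like ciphertext, and the rest that deserve a manual look. The `.deadbolt` suffix, the 7.5 bits/byte threshold and the sample files are assumptions of this example.

```python
import math, os, tempfile

# Assumption of this example: Deadbolt renames each victim file with this suffix.
RANSOM_SUFFIX = ".deadbolt"
# Signatures of jpeg, png, zip/docx/xlsx and pdf; a file that was only renamed keeps its header.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04", b"%PDF-")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for most plaintext."""
    n = len(data) or 1
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path: str, sample: int = 4096) -> str:
    """Bucket one ransomed file by inspecting only its first `sample` bytes."""
    with open(path, "rb") as f:
        head = f.read(sample)
    if any(head.startswith(m) for m in MAGIC):
        return "renamed-only"   # original header intact: content likely untouched
    if shannon_entropy(head) > 7.5:
        return "encrypted"      # near-random bytes: real ciphertext
    return "low-entropy"        # unknown header but not random: inspect by hand

def triage(root: str) -> dict:
    """Walk root and group every file carrying RANSOM_SUFFIX by classification."""
    buckets = {"renamed-only": [], "encrypted": [], "low-entropy": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_SUFFIX):
                full = os.path.join(dirpath, name)
                buckets[classify(full)].append(full)
    return buckets

def build_sample_tree() -> str:
    """Constructed demo data, not real victim files: renamed JPEG, uniform bytes (entropy 8.0), text note."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg" + RANSOM_SUFFIX: b"\xff\xd8\xff\xe0" + b"\x00" * 4092,
        "archive.bin" + RANSOM_SUFFIX: bytes(range(256)) * 16,
        "notes.txt" + RANSOM_SUFFIX: b"shopping list: milk, eggs, bread\n" * 100,
    }
    for name, payload in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(payload)
    return root
```

Run `triage("/share")` (or whatever path holds the affected shares) against a read-only copy of the data; the "renamed-only" bucket is the set worth restoring first by simply stripping the suffix.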
sharkssl
New here
Posts: 4
Joined: Wed Jul 13, 2016 5:33 pm

Re: [RANSOMWARE] Deadbolt

Post by sharkssl »

Hello, would someone be so kind as to generate a fake BTC transaction to this address so I can obtain my private key? Then I would really be grateful and willing to donate to his cause.
You can make a payment of (exactly) 0.050000 bitcoin to the following address:
bc1qj7989cl9c86qawvjkwlcw6s0xz8ma4w7f9l07t
qsurenot
New here
Posts: 2
Joined: Mon Aug 15, 2022 4:56 pm

Re: [RANSOMWARE] Deadbolt

Post by qsurenot »

dosborne wrote: Mon Aug 15, 2022 8:55 pm
qsurenot wrote: Mon Aug 15, 2022 5:20 pm
dosborne wrote: Fri Aug 12, 2022 10:29 am Lesson 1 - have a backup strategy that fits with your data
Lesson 2 - spend an hour reading about *ALL* the devices on your network and learn the basic steps to secure them. (At least sign up for security notices about vulnerabilities)

These lessons may not help you *today* (as there really is no help to be given since you either take the data loss, or restore from backup, or pay the ransom) but they are critical for the day you get your system running again either from a complete reset or from decryption. If you don't learn these lessons, you are still vulnerable. Whatever you did to allow the attack should be resolved now, before anything else or there is no point.

We are trying to help you, so that you aren't back in the same situation in 3 months.
Yes we ALL understand the importance of backups but this is neither the time nor place for this great advice for several reasons:
This is not criminal hacker tech support, this is QNAP community support. As there is no "fix" for this ransomware, the only solution that can be offered is to help people with data recovery and planning to prevent the next attack. It cannot be said enough, therefore this *IS* the place. Many users come here specifically to read about Deadbolt and need the information on creating a backup plan for the future.

Read the posts about people being hit with multiple waves of ransomware that even paying for the key does not help recover all files.
Looking for information on how to deal with this deadbolt mess? Absolutely. Looking for a "well you should've had a backup somewhere" preach? I highly doubt that...

1. By definition a NAS is often THE BACKUP device for many users, for the majority of people who just wanted a safe place for their photos and files.
Great. Then their original data is safe and unaffected. Secure the network, remove the malware, make a new backup. No data loss.
True and spend possibly hours doing all of that again AT NO FAULT of yours other than using a terrible vendor with a joke of a process for securing their products.
4. And similarly to #3, it's not the ransom paid by the victims that's putting us collectively in danger, it's vendors like QNAP with horrific security controls and QA for their products that are putting us all in danger.
"Contributing" - perhaps, but ultimately the security of YOUR network is YOUR responsibility. If your router locked down UPnP for instance, which many are finally disabling by default, then the ransomware would not have affected so many NAS users. Shouldn't you be "blaming" your router manufacturer instead (or as well) then?
Agreed and one of the most important things you can do to secure your network is do your research and try to pick decent/reputable brands who take security seriously. THEN perhaps we can talk about backup plans. As for UPnP, great point: why did QNAP have it on by default? (and have it buried in configuration settings with a non-standard name to boot?) I could see a router vendor doing it because that's a use case for routers but what use case is it for a NAS device especially coming from a vendor with shoddy security practices? Was it the "get to your files from ANYWHERE using myQnapCloud" advertised all over the place? So now they're disabling it after this fiasco, why wasn't it disabled to begin with?

TL;DR: It's not my router or my network security or my backup plans or what I had for dinner that resulted in this mess. It is a poorly designed NAS device made by QNAP with a zero day vulnerability. Simple as that.
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

If someone could give me a good BTC address, then I could get in contact with the guy to ask him for the correct BTC address or to get my decryption key.
As I can put a message on any BTC transaction, my main solution should be to get in contact with this guy.

What do you think? Do you have a valid BTC address, please?
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

There is no contacting them via Bitcoin.

The only way to get your key is the unique ransom BTC address; without that, even the hackers do not know your decryption key.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Geraud W wrote: Tue Aug 16, 2022 7:25 pm What do you think? Do you have a valid BTC address, please?
There have been literally dozens of them posted already in this thread. But, as pointed out, there is no way to contact them. They only look for the BTC transaction and send back a key when the ransom is paid via the blockchain.
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

If I find the SSDPd.bin file, how can I get the ransom BTC address?
I'll try to use a data recovery tool, because the FW update has removed it.

I hope it'll work.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

A description of what could be done with the SSDPd.bin was already posted further up:

https://www.bleepingcomputer.com/forums ... on/page-38
Gaudi
Easy as a breeze
Posts: 406
Joined: Thu Mar 04, 2010 10:47 pm

Re: [RANSOMWARE] Deadbolt

Post by Gaudi »

Hi, I have been closely following the thread to secure my unit. So far I have followed all the recommended steps.
There are a couple of things that are still unclear to me, and perhaps you could help me to clarify:
  • Is the access through myQNAPCloud secure (selecting Open Desktop from my myQNAPCloud dashboard, which points to https://c11a.myqnapcloud.com/cgi-bin/)?
  • Are other services aside from Web Administration or Web Server susceptible to attack (FTP server, for example)?
I have recently

Thank you!
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Anything that forwards ports to your NAS is a direct attack vector, so using the QNAP DDNS service with port forwards will expose your NAS (even without the DDNS, your NAS is exposed).

Only the QNAP relay service (Cloudlink) or VPN access (which does not cost anything) does not directly expose your NAS. There are mitigation techniques like reverse proxies or application control firewalls, but we leave them out.