[RANSOMWARE] >>READ 1st Post<< Deadbolt

OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

atlantis2000 wrote: Sat Aug 20, 2022 5:47 am @OneCD
I just want to make sure I am using the correct key...my payment was made to: bc1qf3844gkm0sqphhf3qyqf3qg0ky034gckca82tu
I used the steps on the blockchain website. Can you double check for me please. What is my key?
Your decryption key is: 69b0a606e8b8bdcaad9d5717d35e9e51
Last edited by OneCD on Sat Aug 20, 2022 12:37 pm, edited 1 time in total.
Reason: fixed key

dolbyman
Guru
Posts: 35246
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

No, that is the payment wallet address; the key is in an OP_Return on that wallet address (as I posted)
dolbyman
Guru
Posts: 35246
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

OneCD wrote: Sat Aug 20, 2022 6:08 am Your decryption key is: 69b0a606e8b8bdcaad9d5717d35e9e5
Weird .. wonder what Op_Return I was looking at then
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

atlantis2000 wrote: Sat Aug 20, 2022 6:01 am
Now I am confused. I thought my key was:
bc1qh6pku7gg2d6pw87z3t4f6d4rk6c48ajvsmfjjl
Yes, you are.

The unique OP_RETURN value is what is used as the unique decryption key for each NAS that has been compromised.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
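
Added example, not part of any post in this thread: a small Python check that pulls the pushed data out of an OP_RETURN output script and refuses a key of the wrong length, so a wallet address or a truncated paste is caught before it is used. The expected length of 32 hex characters is an assumption taken from the key quoted in this thread, the sample script is constructed from that key, and the function names are hypothetical.

```python
import re

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
EXPECTED_KEY_HEX_LEN = 32  # assumption: length of the key quoted in this thread


def op_return_payload(script_hex: str) -> bytes:
    """Return the data pushed by an OP_RETURN output script (scriptPubKey hex)."""
    script = bytes.fromhex(script_hex.strip())
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN script")
    opcode = script[1]
    if 1 <= opcode <= 75:            # direct push: the opcode is the byte count
        start, length = 2, opcode
    elif opcode == OP_PUSHDATA1:     # the next byte is the byte count
        if len(script) < 3:
            raise ValueError("truncated OP_PUSHDATA1")
        start, length = 3, script[2]
    else:
        raise ValueError(f"unsupported push opcode 0x{opcode:02x}")
    data = script[start:start + length]
    if len(data) != length:
        raise ValueError("script is shorter than its declared push length")
    return data


def check_key(candidate: str) -> str:
    """Normalise a pasted key; reject anything that is not exactly 32 hex chars."""
    key = candidate.strip().lower()
    if not re.fullmatch(r"[0-9a-f]*", key):
        raise ValueError("key contains non-hex characters (a wallet address?)")
    if len(key) != EXPECTED_KEY_HEX_LEN:
        raise ValueError(f"key is {len(key)} hex chars, expected {EXPECTED_KEY_HEX_LEN}")
    return key


def key_from_script(script_hex: str) -> str:
    """Extract and validate the key carried in an OP_RETURN script."""
    return check_key(op_return_payload(script_hex).hex())


# Constructed sample: OP_RETURN (6a) + 16-byte push (10) + the key quoted in this thread.
SAMPLE_SCRIPT = "6a10" + "69b0a606e8b8bdcaad9d5717d35e9e51"

if __name__ == "__main__":
    print(key_from_script(SAMPLE_SCRIPT))
```
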
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

OneCD wrote: Sat Aug 20, 2022 6:08 am
atlantis2000 wrote: Sat Aug 20, 2022 5:47 am @OneCD
I just want to make sure I am using the correct key...my payment was made to: bc1qf3844gkm0sqphhf3qyqf3qg0ky034gckca82tu
I used the steps on the blockchain website. Can you double check for me please. What is my key?
Your decryption key is: 69b0a606e8b8bdcaad9d5717d35e9e5

@OneCD
When I looked through the webpage: https://www.blockchain.com/btc/tx/ee695 ... e2a401acbb

And scroll to the bottom, after OP_RETURN
69b0a606e8b8bdcaad9d5717d35e9e51

NOTE: there is a "1" at the end; is that correct? because initially you wrote: 69b0a606e8b8bdcaad9d5717d35e9e5

Which one is correct?
Thank you!! :)
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

atlantis2000 wrote: Sat Aug 20, 2022 12:26 pm NOTE: there is a "1" at the end; is that correct? because initially you wrote: 69b0a606e8b8bdcaad9d5717d35e9e5

Which one is correct?
Thank you!! :)
Oops, copypaste error. :oops:

Yes, it ends in a 1.

So, the correct key is: 69b0a606e8b8bdcaad9d5717d35e9e51

a05151988
First post
Posts: 1
Joined: Sat Aug 20, 2022 4:36 pm

Re: [RANSOMWARE] Deadbolt

Post by a05151988 »

Is there a way to find out my bitcoin address?
I only backup my encrypted files and format my NAS... QQ
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

a05151988 wrote: Sat Aug 20, 2022 4:39 pm Is there a way to find out my bitcoin address ,
I only backup my encrypted files and format my nas...QQ
Unlikely.

You need one of the following:

- The "deadbolt" ransomware page (or a screen capture of it) to get the address
- /mnt/HDA_ROOT/update_pkg/SSDPd.bin, which is the original deadbolt attack file that will recreate the html page.

It also depends on how you erased your NAS.
If the quarantine area still exists (no further FW updates) then *maybe* you can recover the files from there. Contact QNAP support to see if there is anything you can do.

Save the backup of the encrypted files in case there is a miracle at some future date. Otherwise, unless you can get the address (and unfortunately pay the ransom) then you are SOL.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

OneCD wrote: Sat Aug 20, 2022 12:38 pm
atlantis2000 wrote: Sat Aug 20, 2022 12:26 pm NOTE: there is a "1" at the end; is that correct? because initially you wrote: 69b0a606e8b8bdcaad9d5717d35e9e5

Which one is correct?
Thank you!! :)
Oops, copypaste error. :oops:

Yes, it ends in a 1.

So, the correct key is: 69b0a606e8b8bdcaad9d5717d35e9e51

No Problem...thanks for your prompt responses..really appreciate it. Will let you know how I make out.
Thank you :)
jas0n79
New here
Posts: 2
Joined: Tue Aug 23, 2022 2:20 am

Re: [RANSOMWARE] Deadbolt

Post by jas0n79 »

I am way late to the party here... I found out last night that my NAS has been fully deadbolted, and it was my only backup for some family photos and other important documents.

I have skimmed a portion of posts and am not seeing options other than pay the ransom. Has anyone found another way to decrypt files without paying the ransom?

I am not an IT expert, so please be nice.
dolbyman
Guru
Posts: 35246
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

That's because there is no other way... if the NAS was a backup, then you still have another version of the files.

If not, then the NAS was NOT a backup and you either pay or will probably lose these files forever
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Still a good idea to take an actual backup just in case there is an option at some future date to recover them.
jas0n79
New here
Posts: 2
Joined: Tue Aug 23, 2022 2:20 am

Re: [RANSOMWARE] Deadbolt

Post by jas0n79 »

I will be making a backup going forward. Has anyone here had any contact with QNAP on this issue? I am feeling like they should own up to this to some degree.

Looking back through emails, I noticed QNAP sent me an email on July 8 to strongly suggest I update the firmware. My files were deadlocked 3 days later. I don't think I even noticed the email from QNAP.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

jas0n79 wrote: Tue Aug 23, 2022 8:43 am .... Has anyone here had any contact with QNAP on this issue? I am feeling like they should own up to this to some degree.
....


QNAP has pretty much absolved themselves of having any sort of responsibility or culpability when it comes to the repeatedly successful malware attacks.

QNAP says they have a PSIRT (Product Security Incident Response Team) which seems to be more of a PR/marketing arm than anything else and they send their security emails, so ya, they now have "security" covered. :roll:

The fact that QNAP actively and (arguably) aggressively marketed their products as private cloud that every non-technical non tech-savvy user should be accessible from the Internet seems to be met with QNAP's deaf ears and a muted response.

QNAP *could* be forgiven for their first couple of successful zero-authentication malware attacks that started with qsnatch back in 2014, there is no excuse for these same attack vectors to still be repeatedly exploited successfully eight years later.

I think a class action lawsuit is about the only avenue anyone affected has at getting some sort of restitution from QNAP.
dosborne
Experience counts
Posts: 1813
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

jas0n79 wrote: Tue Aug 23, 2022 8:43 am Looking back through emails, I noticed QNAP sent me an email on July 8 to strongly suggest I update the firmware. My files were deadlocked 3 days later. I don't think I even noticed the email from QNAP.
Never a bad idea to check the advisories every couple weeks
https://www.qnap.com/en/security-advisories

Sign up for critical notifications and create a rule, policy, whatever in your email system to mark it important, or put in an urgent folder etc. I have mine set to text me alerts for critical issues, power outages, failures etc. If I get a text, I know something urgently needs to be looked at.