[RANSOMWARE] >>READ 1st Post<< Deadbolt

OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by OneCD »

namevistula wrote: Mon Sep 26, 2022 1:36 am I was attacked by deadbolt
I would like to unlock the files by paying the ransom, but I did not get any welcome message like the one users describe.
What should I do to bring up the welcome screen with the payment option?
Hello, this is an English-language-only forum. Please post only in English. Thank you.

winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

OneCD wrote: Mon Sep 26, 2022 1:57 am Hello, this is an English-language-only forum. Please post only in English. Thank you.
Good grief, it only took me 30s to pop the Polish into Google Translate and post it above.
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by OneCD »

winpeak wrote: Mon Sep 26, 2022 2:08 am Good grief, it only took me 30s to pop the Polish into Google Translate and post it above.
So, it would have taken the poster the same amount of time, right? ;)

What's easier? One person translating to English, or everyone else translating to English?

Should everyone else translate their responses back into Polish too?

This is an English-language-only forum. If you don't speak/read/write/understand English, then try to find a regional version of the forum (here's one for Polish folks).

If you post on this forum, then be prepared to adapt to its conventions - such as using English-language-only - by translating your posts into English via Google Translate, for the convenience of others.

winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

You can now post helpfully in English and I’m sure the OP will manage. He’s probably in a spin. I was.
dolbyman
Guru
Posts: 35246
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dolbyman »

No arguments.. posting is done in English, if you disagree or want to lament about it.. feel free to go somewhere else
namevistula
New here
Posts: 2
Joined: Mon Sep 26, 2022 1:23 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by namevistula »

I was also attacked by deadbolt
I would like to recover the files and pay for the decoding key but unfortunately I have no information (nothing on the screen after logging in to Qnap)
How to call up the payment information screen. The above method from Sensey007 - I don't have such files.
Help

I am sorry for the fact that I wrote in Polish.
gmcl2k
Starting out
Posts: 15
Joined: Mon Sep 26, 2022 7:47 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by gmcl2k »

i am the same, it just happened in the last week when i realised i could not play music then could not see the pictures of our children. i quickly updated firmware, malware removal tool etc. but now i cannot get the screen to see about payment etc.
i believe some have contacted qnap support who can maybe find the decryption key embedded on the qnap.

i am lost and we have lost 10+ years of our childrens pictures as they grew up.

:(
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

gmcl2k wrote: Mon Sep 26, 2022 7:49 pm i am the same, it just happened in the last week when i realised i could not play music then could not see the pictures of our children. i quickly updated firmware, malware removal tool etc. but now i cannot get the screen to see about payment etc.
As the TITLE OF THE THREAD says, read the very first post in this thread.

THEN, read the link in the signature under my post for a summary and details on how to get the ransom information. Here is another copy of the link viewtopic.php?f=45&t=164797&start=1380#p825512

Malware REMOVER, only stops the malware AFTER it has been running (you will already have encrypted files) and only stops malware that it knows about. It also runs on a schedule, it is COMPLETELY different from an anti-virus that runs 24/7 to protect you live.

A proper backup plan is the only protection for malware, virus, theft, fire, data deletion, etc....
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by P3R »

dosborne wrote: Mon Sep 26, 2022 9:18 pm It also runs on a schedule, it is COMPLETELY different from an anti-virus that runs 24/7 to protect you live.
Yes that would normally be the case with antivirus software on client systems.

The AV-software available on the Qnap doesn't do that any more than Malware Remover though. It also only scans files.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by jaysona »

Lagunmannen wrote: Sat Sep 24, 2022 12:49 am ...

Pretty stupid but at the same time, who could have known hackers used a vulnerability in qnap OS to just go straight in and encrypt files just like that.

First time in my life i am infected and also 25 years in IT-Sec makes this quite embarrassing to be honest.
This has been an on-going general security deficiency issue with QNAP for more than seven years now. PhotoStation has had numerous vulnerabilities over the past few years, this is nothing new when it comes to QNAP and their lack of any sort of basic security.
Last edited by jaysona on Tue Nov 01, 2022 2:49 am, edited 1 time in total.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
gmcl2k
Starting out
Posts: 15
Joined: Mon Sep 26, 2022 7:47 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by gmcl2k »

i have created the .html file and run it and copied one of the deadbolt files to my local pc, selected this within the webpage and it has given me a code so i assume this is where i pay my bitcoin to and wait. if i get a response on the bitcoin site i then use this code on a windows based application and let it run on all the folders i copy onto a spare drive?
gmcl2k
Starting out
Posts: 15
Joined: Mon Sep 26, 2022 7:47 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by gmcl2k »

also the random 4 number file in mnt/hda_root will not delete or be renamed so it must be still live or running. i checked using shell and got no response on it running but why won't it delete then.

i'll have to pay these cnuts the ransom
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

You want to stop it asap. Reboot the nas.
If you have the actual random page, you start to run the decrypt from there. Easier.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

gmcl2k wrote: Tue Sep 27, 2022 2:56 am also the random 4 number file in mnt/hda_root will not delete or be renamed so it must be still live or running. i checked using shell and got no response on it running but why won't it delete then.

i'll have to pay these cnuts the ransom

Not sure, if the file will be deleted or not, but a

ps -ef | grep <####>
should show, if the process is still running (replace #### with the 4 digit number).
Is it really a 4 digit number file? As far as I remember a 5 digit number file was reported by several users.
Anyhow, no matter if 4 or 5 digits, stop this either by rebooting the NAS or killing the process.

Regards
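
Added example (not part of FSC830's post or any QNAP tooling): a plain `ps -ef | grep 1234` also matches PIDs, timestamps and the grep process itself, so this sketch matches only on the command column and reports processes whose executable is named with exactly 4 or 5 digits. It assumes the procps `ps -ef` column layout (command in column 8); the sample process table and the number 27385 are constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output. PID 1234 (sshd) and the grep line
# are what a naive `ps -ef | grep <number>` would wrongly report.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
admin     1234     1  0 10:01 ?        00:00:00 /usr/sbin/sshd -D
admin    27385     1  3 10:02 ?        00:04:10 /mnt/HDA_ROOT/27385
admin    31002 30990  0 10:15 pts/0    00:00:00 grep 27385
admin    27386     1  0 10:16 ?        00:00:00 /bin/sh /etc/init.d/27385.sh'

# find_numeric_procs: read `ps -ef` text on stdin and print "PID CMD" for
# every process whose executable basename is exactly 4 or 5 digits.
find_numeric_procs() {
    awk 'NR > 1 {
        exe = $8                        # command column of ps -ef
        n = split(exe, parts, "/")      # take the basename of the path
        base = parts[n]
        if (base ~ /^[0-9][0-9][0-9][0-9][0-9]?$/) print $2, exe
    }'
}

# Pass "live" as the first argument to check the running system instead
# of the sample; an empty result means no such process is running.
if [ "${1:-}" = "live" ]; then
    ps -ef | find_numeric_procs
fi
```

On a BusyBox `ps` the column positions differ, so the `$8` index would need adjusting before relying on an empty result.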
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by OneCD »

FSC830 wrote: Tue Sep 27, 2022 2:34 pm Is it really a 4 digit number file? As far as I remember a 5 digit number file was reported by several users.
When it gets to 6, the universe implodes. :DD
