[RANSOMWARE] >>READ 1st Post<< Deadbolt

P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by P3R »

dosborne wrote: Mon Sep 26, 2022 9:18 pm It also runs on a schedule, it is COMPLETELY different from an anti-virus that runs 24/7 to protect you live.
Yes that would normally be the case with antivirus software on client systems.

The AV-software available on the Qnap doesn't do that any more than Malware Remover though. It also only scans files.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by jaysona »

Lagunmannen wrote: Sat Sep 24, 2022 12:49 am ...

Pretty stupid but at the same time, who could have known hackers used a vulnerability in qnap OS to just go straight in and encrypt files just like that.

First time in my life I am infected and also 25 years in IT-Sec makes this quite embarrassing to be honest.
This has been an on-going general security deficiency issue with QNAP for more than seven years now. PhotoStation has had numerous vulnerabilities over the past few years, this is nothing new when it comes to QNAP and their lack of any sort of basic security.
Last edited by jaysona on Tue Nov 01, 2022 2:49 am, edited 1 time in total.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
gmcl2k
Starting out
Posts: 15
Joined: Mon Sep 26, 2022 7:47 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by gmcl2k »

I have created the .html file and run it and copied one of the deadbolt files to my local PC, selected this within the webpage and it has given me a code, so I assume this is where I pay my bitcoin to and wait. If I get a response on the bitcoin site, I then use this code on a Windows-based application and let it run on all the folders I copy onto a spare drive?
gmcl2k
Starting out
Posts: 15
Joined: Mon Sep 26, 2022 7:47 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by gmcl2k »

Also the random 4 number file in mnt/hda_root will not delete or be renamed so it must be still live or running. I checked using shell and got no response on it running but why won't it delete then.

I'll have to pay these cnuts the ransom
dosborne
Experience counts
Posts: 1764
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

You want to stop it asap. Reboot the nas.
If you have the actual random page, you start running the decrypt from there. Easier.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

gmcl2k wrote: Tue Sep 27, 2022 2:56 am Also the random 4 number file in mnt/hda_root will not delete or be renamed so it must be still live or running. I checked using shell and got no response on it running but why won't it delete then.

I'll have to pay these cnuts the ransom

Not sure if the file will be deleted or not, but a

ps -ef | grep '####'

should show if the process is still running (replace #### with the 4 digit number).
Is it really a 4 digit number file? As far as I remember a 5 digit number file was reported by several users.
Anyhow, no matter if 4 or 5 digits, stop this either by rebooting the NAS or killing the process.

Regards
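
A stricter form of the check suggested in the post above, given here as an added example that is not part of the original thread or any poster's code: it reads each process's `/proc/<pid>/exe` link and reports those running an all-digit file name from a given directory, whether 4 or 5 digits. `PROC_ROOT`, the function names and the sample tree are assumptions made for this illustration; on a live system run it as root so that other users' links are readable.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT, the function names and the
# sample tree are assumptions made for this illustration.
PROC_ROOT="${PROC_ROOT:-/proc}"

# numeric_name_procs DIR
# Print "PID PATH" for each process whose executable is a file in DIR with an
# all-digit name. Reads /proc/<pid>/exe instead of grepping ps output, so the
# grep process itself and unrelated command lines with the digits never match.
numeric_name_procs() {
    dir=${1%/}
    for link in "$PROC_ROOT"/[0-9]*/exe; do
        # Unreadable links (other users' processes, exited PIDs) are skipped.
        exe=$(readlink "$link" 2>/dev/null) || continue
        # The kernel appends " (deleted)" if the binary was unlinked while running.
        path=${exe% (deleted)}
        [ "${path%/*}" = "$dir" ] || continue
        case ${path##*/} in
            ''|*[!0-9]*) continue ;;      # name is not purely digits
        esac
        pid=${link%/exe}
        echo "${pid##*/} $path"
    done
}

# make_sample_proc DIR: build a constructed stand-in for /proc (symlinks only)
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303" "$1/404"
    ln -s "/mnt/HDA_ROOT/12345" "$1/101/exe"            # numeric name, on disk
    ln -s "/mnt/HDA_ROOT/4321 (deleted)" "$1/202/exe"   # numeric name, unlinked
    ln -s "/bin/sh" "$1/303/exe"                        # unrelated process
    ln -s "/mnt/HDA_ROOT/update.sh" "$1/404/exe"        # same dir, not numeric
}
```

A process reported with a path that no longer exists on disk is the " (deleted)" case: the file was removed but the program is still running until it is killed or the NAS is rebooted.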
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by OneCD »

FSC830 wrote: Tue Sep 27, 2022 2:34 pm Is it really a 4 digit number file? As far as I remember a 5 digit number file was reported by several users.
When it gets to 6, the universe implodes. :DD

FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

No, I expect this when it gets 0 (countdown) :twisted:
:DD :DD
halibomb
New here
Posts: 3
Joined: Wed Jun 11, 2008 3:07 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by halibomb »

I was hit and like some other morons I had left my USB backup drive attached to my Qnap NAS. Lost so much...so I had to pay. I managed to get my wallet working and paid the 0.05 BTC on Friday 23. September. I have not received the OP_RETURN code yet and I am pretty annoyed if I do not get it. However, I read from somewhere here that somebody got the OP_RETURN after 4 days.
I can see that the amount went through and it was 0.05 but some people have paid a little bit more. I wonder if I have to pay a small amount covering the fee that they pay after my 0.05 BTC payment???

This is where I paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd

What gave me the real creeps is that when I had turned my Qnap NAS off for a couple of times I return the deadbolt index page a couple of times as the NAS started the malware remover apparently. I had the NAS running for a while as there was nothing that had not been encrypted already - nothing to lose anymore. But when I returned the ransomware index page it showed a different wallet account number this time - Yikes! I am not sure if the return code ever comes - Will it work if somehow the deadbolt came twice to my NAS?

I feel very stupid at the moment and I am dependent on the OP_return. I wonder if they have received so many ransom payments if they check those out manually or if they have automation?
Do you more clever guys know if the OP_RETURN is something that they create manually or automatically (if there is a person responding with the code or if it is part of the blockchain process normally)?? Read something that was very technical and could not understand!

Oh yeah. Qnap has helped me before but I guess that they are tied up with the situation. No response to my support request using their channel through the NAS app.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

Seems that there is no OP_RETURN yet.
Hopefully the hackers did not discontinue delivering the decryption key.
Nothing else to do than waiting... :S

Regards
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

Hello, I also got hit and now I decided to pay, some important files have been locked also because the backup HDD was connected via USB.
How much more BTC did you send? Is 0,52 BTC sufficient or too much or less?
PiCzerki
New here
Posts: 4
Joined: Mon Dec 14, 2020 4:49 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by PiCzerki »

flocke487 wrote: Thu Sep 29, 2022 12:58 am Hello, I also got hit and now I decided to pay, some important files have been locked also because the backup HDD was connected via USB.
How much more BTC did you send? Is 0,52 BTC sufficient or too much or less?
You have to check the fee charged by the exchange. For example Binance takes about 0.0002 BTC so you have to send i.e. 0.0502
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

Hello, this is the first time I use bitcoin

https://bitvavo.com/en/fees

So the withdrawal fees on this site would be the fees I have to add for the payment?
winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

It was my first time too and on the site I used it was very clear how much the fee was. I just had to send the total required to give 0.05 nett. which was 0.050250
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

winpeak wrote: Thu Sep 29, 2022 1:57 am It was my first time too and on the site I used it was very clear how much the fee was. I just had to send the total required to give 0.05 nett. which was 0.050250
Which site did you use?