[RANSOMWARE] >>READ 1st Post<< Deadbolt

FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

No, I expect this when it gets 0 (countdown) :twisted:
:DD :DD
halibomb
New here
Posts: 3
Joined: Wed Jun 11, 2008 3:07 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by halibomb »

I was hit, and like some other morons I had left my USB backup drive attached to my Qnap NAS. Lost so much... so I had to pay. I managed to get my wallet working and paid the 0.05 BTC on Friday 23 September. I have not received the OP_RETURN code yet and I will be pretty annoyed if I do not get it. However, I read somewhere here that somebody got the OP_RETURN after 4 days.
I can see that the amount went through and it was 0.05, but some people have paid a little bit more. I wonder if I have to pay a small additional amount covering the fee that they pay, after my 0.05 BTC payment???

This is where I paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd

What gave me the real creeps is that when I had turned my Qnap NAS off a couple of times, the deadbolt index page came back a couple of times, as the NAS apparently started the malware remover. I had the NAS running for a while, as there was nothing that had not been encrypted already - nothing to lose anymore. But when the ransomware index page came back, it showed a different wallet account number this time - Yikes! I am not sure if the return code ever comes - will it work if somehow the deadbolt came twice to my NAS?

I feel very stupid at the moment and I am dependent on the OP_RETURN. I wonder, if they have received so many ransom payments, whether they check those out manually or if they have automation?
Do you more clever guys know if the OP_RETURN is something that they create manually or automatically (if there is a person responding with the code, or if it is part of the blockchain process normally)?? I read something about that, but it was very technical and I could not understand it!

Oh yeah. Qnap has helped me before but I guess that they are tied up with the situation. No response to my support request using their channel through the NAS app.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

Seems that there is no OP_RETURN yet.
Hopefully the hackers did not discontinue delivering the decryption key.
Nothing else to do than waiting... :S

Regards
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

Hello, I also got hit and now I have decided to pay; some important files have been locked, also because the backup HDD was connected via USB.
How much more BTC did you send? Is 0,52 BTC sufficient, or too much, or too little?
PiCzerki
New here
Posts: 4
Joined: Mon Dec 14, 2020 4:49 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by PiCzerki »

flocke487 wrote: Thu Sep 29, 2022 12:58 am Hello, I also got hit and now I have decided to pay; some important files have been locked, also because the backup HDD was connected via USB.
How much more BTC did you send? Is 0,52 BTC sufficient, or too much, or too little?
You have to check the fee charged by the exchange. For example, Binance takes about 0.0002 BTC, so you have to send e.g. 0.0502.
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

Hello, this is the first time I use bitcoin

https://bitvavo.com/en/fees

so the withdrawal fees on this site would be the fees I have to add for the payment?
winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

It was my first time too, and on the site I used it was very clear how much the fee was. I just had to send the total required to give 0.05 net, which was 0.050250.
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

winpeak wrote: Thu Sep 29, 2022 1:57 am It was my first time too, and on the site I used it was very clear how much the fee was. I just had to send the total required to give 0.05 net, which was 0.050250.
which site did you use?
winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

CoinCorner
Hunty36
Starting out
Posts: 13
Joined: Mon Jun 14, 2021 11:02 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Hunty36 »

You **may** be able to salvage some images, maybe with some degradation, using qrescue or photorec. There have been a few posts with very limited success. This applies only to image files (and possibly jpg files only). There are also very sparse reports that some jpgs may simply be renamed (perhaps that's why qrescue works?) and not actually fully encrypted. Worth a shot.
My "ears" pricked up when I read this, since my loss was limited to a few jpg files. I tried simply renaming the file back to a jpg to no avail, but I am also keen to give qrescue a shot. I want to try it on a few files only rather than the entire NAS, given that everything I have read suggests I need a single USB drive of greater capacity than my NAS, which is not possible for me. Might this be possible?
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

Copy a few files at a time to test. No need to do it all at once.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

Task: Automatically decrypt QNAP files after the 0day DeadBolt attack using SSH and the criminals' engine.

Required: Possession of the key after paying the ransom in bitcoin
Required: Making a security copy of the encrypted files to external devices (just in case)

The matter is quite simple if you have the file with which the disk was encrypted:
1. log into QNAP using SSH
2. find a numeric file without extension in the /mnt/HDA_ROOT/ directory - in my case 4046
3. execute the file with the parameter

Code:

./4046 -d (decryption key) /share/CACHEDEV1_DATA/
(remember to replace 4046 with your executable file name, provide the correct key and the correct path to the folder with the encrypted data)
4. the files will be decrypted and the .deadbolt extensions will disappear

That was the easy part :D
PS. Using an external program like EMSISOFT Decryptor is effective but requires a lot of time in case of a significant amount of data.

However, in my case Qnap Malware Remover removed not only the login page but also the file necessary for decryption! As it turned out, though, the infected Deadbolt engine files were modified and retained in the directory:

Code:

/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
in my case the necessary file was located inside:

2022_09_09_00_45_29.quar

and it is described by the file

2022_09_09_00_45_29.info -> which contained the entry ./mnt/HDA_ROOT/4046

Unfortunately, it could not be used due to Malware Remover changing this file.
And here comes the indispensable Notepad++ ( thanks again a lot ).

And so:
1. extract the .quar file (in my case 2022_09_09_00_45_29.quar) using, for example, 7z
2. open the result of the previous step in Notepad++
3. analysis of multiple files gives a good chance that in your case, too, everything up to Pos. 2049 should be removed from the file, as well as everything after the string "ăŮ0ń¤ş-' °. I$ Âô" that is followed by the characters "NULNULNULNULNULNULNUL" alone, without any other character, to EOF.
[attached screenshots: cut111.png, cut11.png]
4. save it as our "engine" for decryption ( in my case 4046)
5. upload to QNAP via FTP to the location ./mnt/HDA_ROOT/
6. enter the directory: cd /mnt/HDA_ROOT/
7. change file permissions ( in my case file name 4046) to 755 ( must be executable)
8. run the command:

Code:

./4046 -d (decryption key) /share/CACHEDEV1_DATA
(remember to replace 4046 with your executable file name, provide the correct key and the correct path to the folder with the encrypted data)

Enjoy your automatically recovered data :D :geek:
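Editor's added example, not code from the post above and not QNAP's or Malware Remover's own tooling: instead of trimming the extracted .quar payload by hand in Notepad++ at byte positions that may differ from sample to sample, it locates the ELF magic inside the file, lets the ELF's own program and section headers say where the binary ends, and refuses to write anything that does not parse. It assumes the quarantined file is laid out as wrapper header + intact ELF + trailer (which is what the post's "remove everything before Pos. 2049 and everything after the marker" describes, but is not confirmed here), and that the wrapper contains no earlier `7f 45 4c 46` bytes. The 2048-byte header, the "MARKER" trailer and the ELF64 image with `e_machine` 0xB7 in the sample are constructed for the offline test and are not taken from a real quarantine file; compare the reported `e_machine` with your NAS CPU before setting the carved file to 755.

```python
"""Carve an ELF out of a wrapped quarantine payload using the ELF's own headers.
Added example; layout assumptions are documented in the lead-in and below."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8          # section type that occupies no bytes on disk (.bss)


def elf_file_length(blob: bytes) -> int:
    """Bytes the ELF at blob[0] occupies on disk: the furthest end of the
    section header table, any program segment, or any non-NOBITS section."""
    if not blob.startswith(ELF_MAGIC):
        raise ValueError("blob does not start with ELF magic")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    e = "<" if ei_data == 1 else ">"          # little- or big-endian fields
    try:
        if ei_class == 2:                     # ELF64 header fields after e_ident
            (_t, _m, _v, _entry, phoff, shoff, _f, ehsize, phentsize, phnum,
             shentsize, shnum, _x) = struct.unpack_from(e + "HHIQQQIHHHHHH", blob, 16)
            ph_fmt, sh_fmt, p_off, p_sz = e + "IIQQQQQQ", e + "IIQQQQ", 2, 5
        else:                                 # ELF32
            (_t, _m, _v, _entry, phoff, shoff, _f, ehsize, phentsize, phnum,
             shentsize, shnum, _x) = struct.unpack_from(e + "HHIIIIIHHHHHH", blob, 16)
            ph_fmt, sh_fmt, p_off, p_sz = e + "IIIIIIII", e + "IIIIII", 1, 4
        end = ehsize
        if shnum:
            end = max(end, shoff + shnum * shentsize)
        for i in range(phnum):                # p_offset + p_filesz of each segment
            ph = struct.unpack_from(ph_fmt, blob, phoff + i * phentsize)
            end = max(end, ph[p_off] + ph[p_sz])
        for i in range(shnum):                # sh_offset + sh_size of file-backed sections
            sh = struct.unpack_from(sh_fmt, blob, shoff + i * shentsize)
            if sh[1] != SHT_NOBITS:
                end = max(end, sh[4] + sh[5])
    except struct.error as exc:
        raise ValueError("truncated ELF headers: %s" % exc) from exc
    return end


def elf_machine(blob: bytes) -> int:
    """e_machine of the ELF at blob[0]; check it against the NAS CPU before running."""
    e = "<" if blob[5] == 1 else ">"
    return struct.unpack_from(e + "H", blob, 18)[0]


def carve_elf(data: bytes):
    """Return (offset, exact ELF bytes) for the first ELF found in data."""
    start = data.find(ELF_MAGIC)
    if start < 0:
        raise ValueError("no ELF header found in quarantined file")
    length = elf_file_length(data[start:])
    if start + length > len(data):
        raise ValueError("ELF headers claim %d bytes but only %d are present"
                         % (length, len(data) - start))
    return start, data[start:start + length]


def build_sample_elf() -> bytes:
    """Constructed sample: minimal little-endian ELF64 with one PT_LOAD segment,
    one PROGBITS section and the section table at the end. Not a real binary."""
    code = b"\x90" * 32                       # placeholder segment bytes
    ehsize, phentsize, shentsize = 64, 56, 64
    phoff = ehsize                            # 64
    code_off = phoff + phentsize              # 120
    shoff = code_off + len(code)              # 152
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0xB7, 1, 0, phoff, shoff, 0,
                               ehsize, phentsize, 1, shentsize, 1, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, code_off, 0, 0, len(code), len(code), 16)
    shdr = struct.pack("<IIQQQQIIQQ", 0, 1, 6, 0, code_off, len(code), 0, 0, 16, 0)
    return ehdr + phdr + code + shdr          # 216 bytes


def build_sample_quarantine() -> bytes:
    """Constructed sample mirroring the post's description: 2048 bytes of
    wrapper header, the ELF, then a short marker and NUL padding to EOF."""
    return b"Q" * 2048 + build_sample_elf() + b"MARKER" + b"\x00" * 64


def main(argv):
    if len(argv) != 3:
        print("usage: carve_quarantine.py <extracted .quar payload> <output file>")
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    start, elf = carve_elf(data)              # raises instead of writing garbage
    with open(argv[2], "wb") as f:
        f.write(elf)
    print("ELF found at offset %d, %d bytes written, e_machine=0x%x"
          % (start, len(elf), elf_machine(elf)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the file 7z produced from the .quar archive; it writes the carved binary only when the headers are internally consistent, and prints the offset it found the ELF at so you can cross-check it against the position you see in the hex editor. If the reported offset is not where the post's Pos. 2049 suggests, or the `e_machine` does not match the NAS, stop and inspect the sample rather than marking the output executable.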
davide1984
New here
Posts: 2
Joined: Thu Sep 29, 2022 12:43 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by davide1984 »

Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. What can I do?
Thank you
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

davide1984 wrote: Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. What can I do?
Thank you
You need to restore it ... try to read 1st post

1. turn off malware remover
2. log in via ssh
3. backup /home/httpd
4. find ./mnt/HDA_ROOT/update_pkg/SDDPd.bin
5. if it's not there, extract it from: /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
6. run it:

Code:

sh SDDPd.bin
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

davide1984 wrote: Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. What can I do?
Well covered in this post: viewtopic.php?f=45&t=164797&start=1380#p825512
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]