[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- Starting out
- Posts: 20
- Joined: Sun Aug 16, 2020 4:19 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
CoinCorner
-
- Starting out
- Posts: 13
- Joined: Mon Jun 14, 2021 11:02 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
My "ears" pricked up when I read this since my loss was limited to a few jpg files. I tried simply renaming the file back to a jpg to no avail, but I am also keen to give qrescue a shot; I want to try it on a few files only rather than the entire NAS, given everything I have read suggests I need a single USB drive of greater capacity than my NAS, which is not possible for me. Might this be possible?
You **may** be able to salvage some images, maybe with some degradation, using qrescue or photorec. There have been a few posts with very limited success. This applies only to image files (and possibly jpg files only too). Also very sparse reports that some jpgs may simply be renamed (perhaps that's why qrescue works?) and not actually fully encrypted. Worth a shot.
-
- Experience counts
- Posts: 1791
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Copy a few files at a time to test. No need to do it all at once.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Task: Automatically decrypt QNAP files after the 0day DeadBolt attack using SSH and the criminals' engine.
Required: Possession of the key after paying the ransom in bitcoin
Required: Making a security copy of the encrypted files to external devices (just in case)
The matter is quite simple if you have the file with which the disk was encrypted:
1. log into QNAP using SSH
2. find a numeric file without extension in the /mnt/HDA_ROOT/ directory - in my case 4046
3. execute the file with the parameter
Code: Select all
./4046 -d (key_decryption) /share/CACHEDEV1_DATA/
4. the files will be decrypted and the .deadbolt extensions will disappear
That was the easy part
PS. Using an external program like EMSISOFT Decryptor is effective but requires a lot of time in case of a significant amount of data.
However, in my case Qnap Malware Remover will remove not only the login page but also the file necessary for decryption! However, as it turned out, the infected Deadbolt engine files were modified and retained in the directory:
Code: Select all
/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
2022_09_09_00_45_29.quar
and it is described by the file
2022_09_09_00_45_29.info -> which contained the entry ./mnt/HDA_ROOT/4046
Unfortunately, it could not be used due to Malware Remover changing this file.
And here comes the indispensable Notepad++ ( thanks again a lot ).
And so:
1. extract the .quar file ( in my case 2022_09_09_00_45_29.quar) using, for example, 7z
2. we open the result of the previous point in Notepad++
3. analysis of multiple files gives a good chance that in your case, too, everything up to Pos. 2049 should be removed from the file, as well as everything after the string "ăŮ0ń¤ş-' °. I$ Âô" followed by the characters "NULNULNULNULNULNULNUL" alone, without any other character, to EOF.
4. save it as our "engine" for decryption ( in my case 4046)
5. upload to QNAP via FTP to the location ./mnt/HDA_ROOT/
6. enter the directory: cd /mnt/HDA_ROOT/
7. change file permissions ( in my case file name 4046) to 755 ( must be executable)
8. run the command:
Code: Select all
./4046 -d (decryption key) /share/CACHEDEV1_DATA
Enjoy your automatically recovered data
-
- New here
- Posts: 2
- Joined: Thu Sep 29, 2022 12:43 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. How can I do it?
Thank you
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
You need to restore it ... try to read the 1st post
davide1984 wrote: ↑Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. How can I do it?
Thank you
1. turn off malware remover
2. log in via ssh
3. backup /home/httpd
4. find ./mnt/HDA_ROOT/update_pkg/SDDPd.bin
5. if its not there extract from: /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
6. run it:
Code: Select all
sh SDDPd.bin
-
- Experience counts
- Posts: 1791
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Well covered in this post: viewtopic.php?f=45&t=164797&start=1380#p825512
davide1984 wrote: ↑Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I can't find the payment page on the NAS home page; it has disappeared. How can I do it?
-
- New here
- Posts: 5
- Joined: Mon Mar 08, 2021 11:12 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Hello, has anyone paid the ransom in the last few days? Have you got the key?
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Yes, I have! Sad, but true. The OP_RETURN string, which is the key, is generated without the DeadBolt team. When you pay "your bill" the blockchain provider generates it for you. So it is quite "simple and secure", if you know what I mean. The most important things are as follows. First: the correct address for the transaction. Second: the correct amount. If you do it right the key will be generated correctly. I have not found any entry on the web that something went wrong.
Last edited by dolbyman on Fri Sep 30, 2022 3:10 am, edited 1 time in total.
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Everyone can have a different amount! The only effective option is to check it on your QNAP. You should have it on the web login page: the exact address of the transaction and the amount to be deposited. If you don't see it then it's a sign that Malware Remover removed it, like in my case, and then it's a bigger problem, but passable.
Last edited by dolbyman on Fri Sep 30, 2022 3:10 am, edited 1 time in total.
- dolbyman
- Guru
- Posts: 35021
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
@Sprinkler_BLK
You went from help seeker
viewtopic.php?f=45&t=164797&p=827969#p827969
to help offerer (posting social media links and company emails) real fast..I will remove your social media and emails for now as I find it suspicious
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Sounds great! Unfortunately it was QNAP that forced me to learn it so fast. Their total lack of support knocks me out. What I learned I do not keep to myself. This is how I am now recovering another company affected by the attack.
dolbyman wrote: ↑Fri Sep 30, 2022 3:09 am @Sprinkler_BLK
You went from help seeker
viewtopic.php?f=45&t=164797&p=827969#p827969
to help offerer (posting social media links and company emails) real fast..I will remove your social media and emails for now as I find it suspicious
Ps. you can delete whatever you want .... the accounts I gave are real and you can check my history if you feel like it.
Greetings from Eastern Europe - probably full of criminals, arms dealers etc ROTFL
- dolbyman
- Guru
- Posts: 35021
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
When it comes to crypto, there are lots of shady figures around (see any reddit topic revolving around crypto) ... so, as said, new accounts raise suspicion here..
greetings to Poland...the stolen car capitals of Europe *wink*
-
- Guru
- Posts: 13190
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
It doesn't have to be a scam to be spam...
RAID has never been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Starting out
- Posts: 13
- Joined: Mon Jun 14, 2021 11:02 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
I will need to figure how to do this.
Does the malware encrypt the file to its own format and then delete the original (hence the need for PhotoRec), or does it encrypt and rename through some other means?
Last edited by Hunty36 on Tue Oct 04, 2022 8:53 am, edited 1 time in total.
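A quick, read-only check for the question above and for the earlier remark that some jpgs may only have been renamed: this script is an added example, not code from any poster or from QNAP. It reads the first bytes of each *.deadbolt file and reports whether the original image header is still present (file was only renamed, so plain renaming or qrescue/photorec may work) or whether the data looks encrypted (high entropy). The share path, the image magic table and the 7.0 bits/byte threshold are assumptions.

```python
import math
import random
from pathlib import Path

# Magic bytes of a few image formats (assumed lookup table for this example).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain file headers sit well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_header(head: bytes) -> dict:
    """Decide whether the start of a *.deadbolt file is still an image header."""
    for magic, fmt in IMAGE_MAGIC.items():
        if head.startswith(magic):
            # Header intact: the file was probably only renamed, not encrypted.
            return {"verdict": "renamed", "format": fmt,
                    "entropy": round(shannon_entropy(head), 2)}
    ent = shannon_entropy(head)
    # 7.0 bits/byte is an assumed threshold; real ciphertext measures ~7.9+.
    verdict = "encrypted" if ent > 7.0 else "unknown"
    return {"verdict": verdict, "format": None, "entropy": round(ent, 2)}

def triage_deadbolt_files(root: str, sample: int = 4096) -> dict:
    """Walk a share read-only (e.g. /share/CACHEDEV1_DATA) and classify every *.deadbolt file."""
    results = {}
    for path in Path(root).rglob("*.deadbolt"):
        with open(path, "rb") as fh:
            results[str(path)] = classify_header(fh.read(sample))
    return results

def demo() -> dict:
    """Constructed sample inputs: a fake JPEG header and deterministic pseudo-random 'ciphertext'."""
    rng = random.Random(1)
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    fake_cipher = bytes(rng.randrange(256) for _ in range(4096))
    return {"renamed.jpg.deadbolt": classify_header(fake_jpeg),
            "encrypted.jpg.deadbolt": classify_header(fake_cipher)}

if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{info['verdict']:9} {info['entropy']:5} {name}")
```

Run triage_deadbolt_files on a copy of the share first, as the thread already advises; the script never writes to the files it inspects.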