[RANSOMWARE] >>READ 1st Post<< Deadbolt

winpeak
Starting out
Posts: 20
Joined: Sun Aug 16, 2020 4:19 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by winpeak »

CoinCorner
Hunty36
Starting out
Posts: 13
Joined: Mon Jun 14, 2021 11:02 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Hunty36 »

You **may** be able to salvage some images, maybe with some degradation, using qrescue or photorec. There have been a few posts with very limited success. This applies only to image files (and possibly jpg files only). There are also very sparse reports that some jpgs may simply be renamed (perhaps that's why qrescue works?) and not actually fully encrypted. Worth a shot.
My "ears" pricked up when I read this since my loss was limited to a few jpg files. I tried simply renaming the file back to a jpg, to no avail, but I am also keen to give qrescue a shot. I want to try it on a few files only rather than the entire NAS, given that everything I have read suggests I need a single USB drive of greater capacity than my NAS, which is not possible for me. Might this be possible?
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

Copy a few files at a time to test. No need to do it all at once.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

Task: Automatically decrypt QNAP files after the 0day DeadBolt attack using SSH and the criminals' engine.

Required: Possession of the key after paying the ransom in bitcoin
Required: Making a security copy of the encrypted files to external devices (just in case)

The matter is quite simple if you have the file with which the disk was encrypted:
1. log into QNAP using SSH
2. find a numeric file without extension in the /mnt/HDA_ROOT/ directory - in my case 4046
3. execute the file with the parameter

./4046 -d (key_decryption) /share/CACHEDEV1_DATA/
(remember to replace 4046 with your executable file name, provide the correct key and the correct path to the folder with the encrypted data)
4. the files will be decrypted and the .deadbolt extensions will disappear

That was the easy part :D
PS. Using an external program like EMSISOFT Decryptor is effective but requires a lot of time in case of a significant amount of data.

However, in my case QNAP Malware Remover removed not only the login page but also the file necessary for decryption! As it turned out, though, the infected DeadBolt engine files were modified and retained in the directory:

/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
in my case the necessary file was located inside:

2022_09_09_00_45_29.quar

and it is described by the file

2022_09_09_00_45_29.info -> which contained the entry ./mnt/HDA_ROOT/4046

Unfortunately, it could not be used because Malware Remover had changed this file.
And here comes the indispensable Notepad++ (thanks again a lot).

And so:
1. extract the .quar file (in my case 2022_09_09_00_45_29.quar) using, for example, 7z
2. open the result of the previous step in Notepad++
3. analysis of multiple files suggests that in your case, too, everything up to position 2049 should be removed from the file, as well as everything after the string "ăŮ0ń¤ş-' °. I$ Âô" followed by the characters "NULNULNULNULNULNULNUL" alone, with no other characters, to EOF.
(attached screenshots: cut111.png, cut11.png)
4. save it as our "engine" for decryption (in my case 4046)
5. upload it to the QNAP via FTP to the location ./mnt/HDA_ROOT/
6. enter the directory: cd /mnt/HDA_ROOT/
7. change the file permissions (in my case file name 4046) to 755 (it must be executable)
8. run the command:

./4046 -d (decryption key) /share/CACHEDEV1_DATA
(remember to replace 4046 with your executable file name, provide the correct key and the correct path to the folder with the encrypted data)

Enjoy your automatically recovered data :D :geek:
davide1984
New here
Posts: 2
Joined: Thu Sep 29, 2022 12:43 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by davide1984 »

Hello, I decided to pay DeadBolt, but I can't find it on the NAS home page; the page where to pay has disappeared. What can I do?
Thank you
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

davide1984 wrote: Thu Sep 29, 2022 6:51 pm Hello, I decided to pay DeadBolt, but I can't find it on the NAS home page; the page where to pay has disappeared. What can I do?
Thank you
You need to restore it ... try reading the 1st post.

1. turn off malware remover
2. log in via ssh
3. backup /home/httpd
4. find ./mnt/HDA_ROOT/update_pkg/SDDPd.bin
5. if it's not there, extract it from: /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
6. run it:

sh SDDPd.bin
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

davide1984 wrote: Thu Sep 29, 2022 6:51 pm Hello, I decided to pay DeadBolt, but I can't find it on the NAS home page; the page where to pay has disappeared. What can I do?
Well covered in this post: viewtopic.php?f=45&t=164797&start=1380#p825512
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
flocke487
New here
Posts: 5
Joined: Mon Mar 08, 2021 11:12 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by flocke487 »

Hello, has anyone paid the ransom in the last few days? Did you get the key?
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

flocke487 wrote: Thu Sep 29, 2022 11:59 pm Hello, has anyone paid the ransom in the last few days? Did you get the key?
Yes, I have! Sad, but true. The OP_RETURN string, which is the key, is generated without the DeadBolt team. When you pay "your bill" the blockchain provider generates it for you. So it is quite "simple and secure", if you know what I mean. The most important things are as follows. First: the correct address for the transaction. Second: the correct amount. If you do it right the key will be generated correctly. I have not found any entry on the web saying that something went wrong.
Last edited by dolbyman on Fri Sep 30, 2022 3:10 am, edited 1 time in total.
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

flocke487 wrote: Thu Sep 29, 2022 12:58 am Hello, I also got hit and now I have decided to pay; some important files have been locked, also because the backup HDD was connected via USB.
How much BTC did you send? Is 0,52 BTC sufficient, or too much or too little?
Everyone can have a different amount! The only effective option is to check it on your QNAP. You should have it on the web login page: the exact address of the transaction and the amount to be deposited. If you don't see it, then it's a sign that Malware Remover removed it, like in my case, and then it's a bigger problem, but passable.
Last edited by dolbyman on Fri Sep 30, 2022 3:10 am, edited 1 time in total.
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dolbyman »

@Sprinkler_BLK

You went from help seeker
viewtopic.php?f=45&t=164797&p=827969#p827969
to help offerer (posting social media links and company emails) real fast.. I will remove your social media and emails for now as I find it suspicious
Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

dolbyman wrote: Fri Sep 30, 2022 3:09 am @Sprinkler_BLK

You went from help seeker
viewtopic.php?f=45&t=164797&p=827969#p827969
to help offerer (posting social media links and company emails) real fast.. I will remove your social media and emails for now as I find it suspicious
Sounds great! Unfortunately it was QNAP that forced me to learn it so fast. Their total lack of support knocks me out. What I learned I do not keep to myself. This is how I am now recovering another company affected by the attack.

Ps. you can delete whatever you want .... the accounts I gave are real and you can check my history if you feel like it.

Greetings from Eastern Europe - probably full of criminals, arms dealers etc ROTFL
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dolbyman »

when it comes to crypto, there are lots of shady figures around (see any reddit topic revolving around crypto) ... so, as said, new accounts raise suspicion here..

greetings to Poland...the stolen car capital of Europe *wink*
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by P3R »

It doesn't have to be a scam to be spam...
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Hunty36
Starting out
Posts: 13
Joined: Mon Jun 14, 2021 11:02 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Hunty36 »

dosborne wrote: Thu Sep 29, 2022 1:35 pm Copy a few files at a time to test. No need to do it all at once.
I will need to figure how to do this.

Does the malware encrypt the file to its own format and then delete the original (hence the need for Photorec), or does it encrypt and rename through some other means?
Last edited by Hunty36 on Tue Oct 04, 2022 8:53 am, edited 1 time in total.
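An added example, not code from this thread or from QNAP, that puts dosborne's "copy a few files at a time" advice and Hunty36's renamed-versus-encrypted question into a small POSIX shell script: it checks whether a .deadbolt file still begins with the JPEG SOI marker (FF D8 FF), which would mean the file was only renamed, and copies just a handful of files to a scratch directory so a recovery tool can be tried on them first. The sample files, their names and all paths are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): triage *.deadbolt files before attempting recovery.
# classify_deadbolt reports whether a file still starts with the JPEG SOI marker (FF D8 FF),
# i.e. it was merely renamed, or whether the header is gone, i.e. the content was encrypted.
# copy_sample copies only the first N such files to a scratch directory so a recovery tool
# can be tried on a few files instead of the whole NAS. Nothing is modified in place.

classify_deadbolt() {
    # $1 = file path; prints "renamed-jpeg" or "encrypted"
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "ffd8ff" ]; then
        echo renamed-jpeg
    else
        echo encrypted
    fi
}

triage_dir() {
    # $1 = directory; prints "<verdict> <path>" for every *.deadbolt file under it
    find "$1" -type f -name '*.deadbolt' | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_deadbolt "$f")" "$f"
    done
}

copy_sample() {
    # $1 = source dir, $2 = destination dir, $3 = max number of files; prints the count copied
    mkdir -p "$2"
    find "$1" -type f -name '*.deadbolt' | head -n "$3" | while IFS= read -r f; do
        cp -p "$f" "$2/"
    done
    ls "$2" | wc -l | tr -d ' '
}

# Constructed sample data in a scratch directory (assumed names; not real NAS content)
SAMPLE_DIR=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$SAMPLE_DIR/photo1.jpg.deadbolt"       # intact JPEG header
printf '\121\221\057\105\033\077\314' > "$SAMPLE_DIR/photo2.jpg.deadbolt" # header overwritten

triage_dir "$SAMPLE_DIR"
```

Run it against a copy of the share, never the only remaining copy of the data; a file reported as "encrypted" is not recoverable by renaming, which is why photorec-style carving was suggested earlier in the thread.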