[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- Experience counts
- Posts: 2043
- Joined: Thu Mar 03, 2016 1:11 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
No, I expect this when it gets 0 (countdown)
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com
-
- New here
- Posts: 3
- Joined: Wed Jun 11, 2008 3:07 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
I was hit and, like some other morons, I had left my USB backup drive attached to my Qnap NAS. Lost so much... so I had to pay. I managed to get my wallet working and paid the 0.05 BTC on Friday 23 September. I have not received the OP_RETURN code yet and I am pretty annoyed if I do not get it. However, I read somewhere here that somebody got the OP_RETURN after 4 days.
I can see that the amount went through and it was 0.05, but some people have paid a little bit more. I wonder if I have to pay a small amount covering the fee that they pay after my 0.05 BTC payment?
This is where I paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd
What gave me the real creeps is that when I had turned my Qnap NAS off a couple of times, I returned to the Deadbolt index page a couple of times, as the NAS apparently started the malware remover. I had the NAS running for a while as there was nothing that had not been encrypted already - nothing to lose anymore. But when I returned to the ransomware index page it showed a different wallet account number this time - Yikes! I am not sure if the return code ever comes - will it work if somehow Deadbolt came twice to my NAS?
I feel very stupid at the moment and I am dependent on the OP_RETURN. I wonder, if they have received so many ransom payments, whether they check those out manually or if they have automation?
Do you more clever guys know if the OP_RETURN is something that they create manually or automatically (if there is a person responding with the code, or if it is normally part of the blockchain process)? I read something about that which was very technical and could not understand it!
Oh yeah, Qnap has helped me before, but I guess that they are tied up with the situation. No response to my support request using their channel through the NAS app.
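The OP_RETURN the post is waiting for is a Bitcoin transaction output whose script begins with the OP_RETURN opcode followed by a data push. The parser below is an added example, not code from the thread or from any poster: it extracts that pushed payload from a raw scriptPubKey hex string, handling the direct, PUSHDATA1 and PUSHDATA2 push encodings and rejecting truncated scripts. The sample scripts in the demo are constructed, and the output-list shape assumes the `vout[].scriptPubKey.hex` layout of Bitcoin Core's verbose getrawtransaction.

```python
# Added example: decode the data payload of a Bitcoin OP_RETURN output script.
OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2 = 0x4C, 0x4D


def op_return_payload(script_hex):
    """Return the pushed bytes of an OP_RETURN script, or None if the script is not one."""
    s = bytes.fromhex(script_hex)
    if len(s) < 2 or s[0] != OP_RETURN:
        return None
    op, i = s[1], 2
    if 1 <= op <= 75:                      # direct push: the opcode itself is the length
        n = op
    elif op == OP_PUSHDATA1 and len(s) >= 3:
        n, i = s[2], 3                     # one-byte length follows
    elif op == OP_PUSHDATA2 and len(s) >= 4:
        n, i = int.from_bytes(s[2:4], "little"), 4   # two-byte little-endian length
    else:
        return None                        # OP_0 or anything else: no usable data push
    data = s[i:i + n]
    if len(data) != n or i + n != len(s):
        return None                        # truncated push or trailing garbage
    return data


def find_op_return(vouts):
    """Scan a list of outputs (dicts shaped like Bitcoin Core's verbose getrawtransaction
    'vout' entries, assumed here) and return (index, payload) of the first OP_RETURN output."""
    for idx, vout in enumerate(vouts):
        payload = op_return_payload(vout["scriptPubKey"]["hex"])
        if payload is not None:
            return idx, payload
    return None


if __name__ == "__main__":
    # Constructed sample transaction: a normal P2PKH output and a 32-byte OP_RETURN payload.
    sample_vouts = [
        {"scriptPubKey": {"hex": "76a914" + "00" * 20 + "88ac"}},
        {"scriptPubKey": {"hex": "6a20" + bytes(range(32)).hex()}},
    ]
    hit = find_op_return(sample_vouts)
    print("OP_RETURN in output", hit[0], "payload:", hit[1].hex())
```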
-
- Experience counts
- Posts: 2043
- Joined: Thu Mar 03, 2016 1:11 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Seems that there is no OP_RETURN yet.
Hopefully the hackers did not discontinue delivering the decryption key.
Nothing else to do than waiting...
Regards
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com
-
- New here
- Posts: 5
- Joined: Mon Mar 08, 2021 11:12 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Hello, I also got hit and now I have decided to pay; some important files have been locked, also because the backup HDD was connected via USB.
How much more BTC did you send? Is 0,52 BTC sufficient, or too much, or too little?
-
- New here
- Posts: 4
- Joined: Mon Dec 14, 2020 4:49 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
You have to check the fee charged by the exchange. For example, Binance takes about 0.0002 BTC, so you have to send e.g. 0.0502.
-
- New here
- Posts: 5
- Joined: Mon Mar 08, 2021 11:12 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Hello, this is the first time I use bitcoin
https://bitvavo.com/en/fees
so the withdrawal fees on this site would be the fees I have to add for the payment?
-
- Starting out
- Posts: 20
- Joined: Sun Aug 16, 2020 4:19 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
It was my first time too, and on the site I used it was very clear how much the fee was. I just had to send the total required to give 0.05 net, which was 0.050250.
-
- New here
- Posts: 5
- Joined: Mon Mar 08, 2021 11:12 pm
-
- Starting out
- Posts: 20
- Joined: Sun Aug 16, 2020 4:19 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
CoinCorner
-
- Starting out
- Posts: 13
- Joined: Mon Jun 14, 2021 11:02 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
My "ears" pricked up when I read this since my loss was limited to a few jpg files. I tried simply renaming the file back to a jpg to no avail, but I am also keen to give qrescue a shot, though I want to try it on a few files only rather than the entire NAS, given everything I have read suggests I need a single USB drive of greater capacity than my NAS, which is not possible for me. Might this be possible?

> You **may** be able to salvage some images, maybe with some degradation, using qrescue or photorec. There have been a few posts with very limited success. This applies only to image files (and possibly jpg files only too). Also very sparse reports that some jpgs may simply be renamed (perhaps that's why qrescue works?) and not actually fully encrypted. Worth a shot.
-
- Experience counts
- Posts: 1822
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Copy a few files at a time to test. No need to do it all at once.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Task: Automatically decrypt QNAP files after the 0day DeadBolt attack using SSH and the criminals' engine.
Required: Possession of the key after paying the ransom in bitcoin
Required: Making a security copy of the encrypted files to external devices (just in case)
The matter is quite simple if you have the file with which the disk was encrypted:
1. log into QNAP using SSH
2. find a numeric file without extension in the /mnt/HDA_ROOT/ directory - in my case 4046
3. execute the file with the parameter
Code:
./4046 -d (key_decryption) /share/CACHEDEV1_DATA/
4. the files will be decrypted and the .deadbolt extensions will disappear
That was the easy part
PS. Using an external program like EMSISOFT Decryptor is effective but requires a lot of time in case of a significant amount of data.
However, in my case Qnap Malware Remover removed not only the login page but also the file necessary for decryption! However, as it turned out, the infected Deadbolt engine files were modified and retained in the directory:
Code:
/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
2022_09_09_00_45_29.quar
and it is described by the file
2022_09_09_00_45_29.info -> which contained the entry ./mnt/HDA_ROOT/4046
Unfortunately, it could not be used due to Malware Remover changing this file.
And here comes the indispensable Notepad++ (thanks again a lot).
And so:
1. extract the .quar file (in my case 2022_09_09_00_45_29.quar) using, for example, 7z
2. open the result of the previous step in Notepad++
3. analysis of multiple files gives a good chance that in your case too, everything up to Pos. 2049 should be removed from the file, as well as everything after the string "ăŮ0ń¤ş-' °. I$ Âô" followed by the characters "NULNULNULNULNULNULNUL" alone, without any other character, to EOF
4. save it as our "engine" for decryption (in my case 4046)
5. upload to QNAP via FTP to the location ./mnt/HDA_ROOT/
6. enter the directory: cd /mnt/HDA_ROOT/
7. change file permissions (in my case file name 4046) to 755 (must be executable)
8. run the command:
Code:
./4046 -d (decryption key) /share/CACHEDEV1_DATA
Enjoy your automatically recovered data
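Before touching anything in Malware Remover's quarantine, a practitioner first wants an inventory of what was quarantined, when, and whether each .quar/.info pair is complete. The script below is an added example, not code from the post or from QNAP: it parses the timestamped entry names shown above and assumes the .info file lists the original path(s), one per line, in the `./mnt/HDA_ROOT/4046` form the post quotes. The sample quarantine directory it builds is constructed; point `inventory()` at a copy of the real .quarantine folder instead.

```python
import os
import re
import tempfile
from datetime import datetime

# Malware Remover names each quarantine entry YYYY_MM_DD_HH_MM_SS.quar with a matching .info
# (names as in the post); the .info is assumed here to list the original path(s), one per line.
INFO_RE = re.compile(r"^(\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})\.info$")


def parse_info(text):
    """Return the paths listed in a .info file, with the post's leading './' dropped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("./"):
            line = line[1:]            # ./mnt/HDA_ROOT/4046 -> /mnt/HDA_ROOT/4046
        if line:
            paths.append(line)
    return paths


def inventory(quarantine_dir):
    """One record per quarantine timestamp: when, which original paths, and is the .quar present."""
    report = {}
    for name in sorted(os.listdir(quarantine_dir)):
        m = INFO_RE.match(name)
        if not m:
            continue                   # ignore anything that is not a timestamped .info
        stamp = m.group(1)
        with open(os.path.join(quarantine_dir, name), encoding="utf-8", errors="replace") as fh:
            paths = parse_info(fh.read())
        report[stamp] = {
            "time": datetime.strptime(stamp, "%Y_%m_%d_%H_%M_%S"),
            "paths": paths,
            "quar_present": os.path.exists(os.path.join(quarantine_dir, stamp + ".quar")),
        }
    return report


def build_sample_quarantine():
    """Constructed sample: one complete entry, one with its .quar missing, and an unrelated file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "2022_09_09_00_45_29.info"), "w") as fh:
        fh.write("./mnt/HDA_ROOT/4046\n")
    open(os.path.join(d, "2022_09_09_00_45_29.quar"), "wb").close()
    with open(os.path.join(d, "2022_09_10_12_00_00.info"), "w") as fh:
        fh.write("./home/httpd/index.html\n\n")
    open(os.path.join(d, "notes.txt"), "w").close()
    return d


if __name__ == "__main__":
    for stamp, rec in inventory(build_sample_quarantine()).items():
        print(stamp, rec["time"], rec["paths"], "ok" if rec["quar_present"] else "MISSING .quar")
```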
-
- New here
- Posts: 2
- Joined: Thu Sep 29, 2022 12:43 am
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Hello, I decided to pay Deadbolt, but I don't find it on the NAS home page; the page where to pay has disappeared. How can I do it?
Thank you
-
- New here
- Posts: 9
- Joined: Fri Sep 23, 2022 6:54 pm
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
You need to restore it ... try to read 1st post
davide1984 wrote: ↑Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I don't find it on the NAS home page; the page where to pay has disappeared. How can I do it?
Thank you
1. turn off malware remover
2. log in via ssh
3. backup /home/httpd
4. find ./mnt/HDA_ROOT/update_pkg/SDDPd.bin
5. if its not there extract from: /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.quarantine
6. run it:
Code:
sh SDDPd.bin
-
- Experience counts
- Posts: 1822
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt
Well covered in this post: viewtopic.php?f=45&t=164797&start=1380#p825512
davide1984 wrote: ↑Thu Sep 29, 2022 6:51 pm Hello, I decided to pay Deadbolt, but I don't find it on the NAS home page; the page where to pay has disappeared. How can I do it?
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]