[RANSOMWARE] >>READ 1st Post<< Deadbolt

Sprinkler_BLK
New here
Posts: 9
Joined: Fri Sep 23, 2022 6:54 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Sprinkler_BLK »

halibomb wrote: Mon Oct 03, 2022 12:20 am Hi and thanks for all of you who have written your opinions here.

I do think still that I did not have an opportunity to copy the wrong BTC account since I returned the ransomnote index page using the notes in the first post.

However, I am angry at myself that I let the QNAP be on when I waited for the QNAP support in two occurrences for a couple of days.
Then when I shutdown and a couple of days later had to pull the ransomnote account again I did notice that there was a different account number there.
That is why I suspected that I was hit twice. However, I do not know if the deadbolt would encrypt any files again that were already named with "deadbolt".

When I paid the 0.05 BTC from my wallet I paid a little bit more so that my provider had their costs.
I have seen examples here where the deadbolt account received just 0.05 BTC and then amounts that were a little bit more. Both received their OP_RETURN code.

What is your opinion what is the amount of cost that they needed to pay after I paid 0.05 BTC?
This is where are paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd

Some say that you need to pay exactly 0.05 BTC (like the RANSOMNOTE itself) but then some have paid a little bit more? I will try to pay a little bit more to check this - What are your thoughts?

My transaction was not "exactly" 0.05 BTC, and still I got the correct OP_RETURN right away. It was 0,0500005, something like this.
RufRuf
New here
Posts: 5
Joined: Wed Sep 07, 2022 9:27 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by RufRuf »

halibomb wrote: Mon Oct 03, 2022 12:20 am Hi and thanks for all of you who have written your opinions here.
...

What is your opinion what is the amount of cost that they needed to pay after I paid 0.05 BTC?
This is where are paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd

Some say that you need to pay exactly 0.05 BTC (like the RANSOMNOTE itself) but then some have paid a little bit more? I will try to pay a little bit more to check this - What are your thoughts?

Were you hit with deadbolt in the September 2022 wave? In that case, have you tried the payment address retrieval tool (link in the 1st post)? Maybe you could test it on a couple of encrypted files to see what payment address it returns.
Regarding the payment address that you mention (bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd), should it not be empty and without transactions prior to the ransom payment? Did you copy-paste the address from the ransom note page?
Last edited by RufRuf on Mon Oct 03, 2022 3:25 pm, edited 1 time in total.
halibomb
New here
Posts: 3
Joined: Wed Jun 11, 2008 3:07 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by halibomb »

RufRuf wrote: Mon Oct 03, 2022 1:42 am
halibomb wrote: Mon Oct 03, 2022 12:20 am Hi and thanks for all of you who have written your opinions here.

I do think still that I did not have an opportunity to copy the wrong BTC account since I returned the ransomnote index page using the notes in the first post.

However, I am angry at myself that I let the QNAP be on when I waited for the QNAP support in two occurrences for a couple of days.
Then when I shutdown and a couple of days later had to pull the ransomnote account again I did notice that there was a different account number there.
That is why I suspected that I was hit twice. However, I do not know if the deadbolt would encrypt any files again that were already named with "deadbolt".

When I paid the 0.05 BTC from my wallet I paid a little bit more so that my provider had their costs.
I have seen examples here where the deadbolt account received just 0.05 BTC and then amounts that were a little bit more. Both received their OP_RETURN code.

What is your opinion what is the amount of cost that they needed to pay after I paid 0.05 BTC?
This is where are paid: bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd

Some say that you need to pay exactly 0.05 BTC (like the RANSOMNOTE itself) but then some have paid a little bit more? I will try to pay a little bit more to check this - What are your thoughts?
Were you hit with deadbolt in the September 2022 wave? In that case, have you tried the payment address retrieval tool (link in the 1st post)? Maybe you could test it on a couple of encrypted files to see what payment address it returns.
Regarding the payment address that you mention (bc1q4dfdt90pqh64ds2kxnkw5zsuxmm3mwvuwt82vd), should it not be empty and without transactions prior to the ransom payment? Did you copy-paste the address from the ransom note page?
Thanks. If the tool is 100% working then you got this solved for me. I am the fool here. I paid to the wrong account. It was an expensive error that I must have made.
Thank you for all you guys for helping. Now I will make the decision if I will forget about this or if I will pay it once more :oops:
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

You guys do realize you can remove some of the quoted non-relevant material when replying, right?
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Gabriel83
New here
Posts: 5
Joined: Fri Sep 09, 2022 1:31 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Gabriel83 »

Hello to everybody.
Please can someone tell me how much are the commission costs for the bitcoin transfer?
dosborne
Experience counts
Posts: 1814
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dosborne »

Gabriel83 wrote: Thu Oct 06, 2022 9:27 am Please can someone tell me how much are the commission costs for the bitcoin transfer?
The fee or commission is different for every BTC brokerage or bank that you use. You need to contact the support for whichever one you are using. They usually, at least one that I looked at, publish the fee amounts in the FAQ or other notice area on their website.
RufRuf
New here
Posts: 5
Joined: Wed Sep 07, 2022 9:27 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by RufRuf »

I thought I would share my experiences with being hit by deadbolt now that I managed to resolve the situation. Unfortunately, it meant that I had to pay 0.05 BTC to the criminals to get some quite important files back.

I have a QNAP TSL-269L, which was about 80% full (4TB) when deadbolt started doing its thing on September 3rd. I was away for the weekend so by the time I realized something was wrong, all files had already been encrypted (looking at the time stamps, it took about 14 hours for deadbolt to finish encrypting my files). To make things worse, I updated the firmware with the Android app on September 4th so I never saw the deadbolt page with the payment information. QNAP helpdesk could not restore the deadbolt page so for a while it seemed that all hope was lost with retrieving my files. What saved me was the fact that the payment information is stored in every encrypted file in the September wave of deadbolt and that there is a tool for retrieving this information (link in the 1st post of this thread). There has been some discussion about whether this tool works. Some concern has, for example, been raised because the tool also generates valid bitcoin addresses for unencrypted files (the bitcoin amount is, however, off). I can’t speak for others, but at least for me the tool worked. I tested it with about ten files that were encrypted during different times of the process, and they all gave the same payment information. Once I transferred 0.05 BTC (I transferred the exact amount) to the address, I received the decryption code in less than a minute. The whole payment procedure (from purchasing bitcoins to receiving the decryption code) took less than 15 minutes.

As I had updated the firmware of the NAS, I had no access to deadbolt's decryption tool. Therefore, I decided to use the Emsisoft decryption tool. It worked perfectly and it was reasonably fast on my laptop (I transferred the encrypted files to the hard drive of my Windows laptop). I have read that some have had problems with the Emsisoft tool in that it does not properly decrypt all types of files (for example videos). I did not encounter such problems (pictures, videos, PDF files, Excel files, etc. work just fine).

I also had professionals look at my NAS before I paid the ransom. They could salvage some files that had been deleted post encryption but, in my case, it was of little help. Maybe they could have salvaged more files if the NAS would have been less full.

I hope this information helps someone. I would like to end by saying that I am extremely grateful to everybody who has contributed to this thread. This forum has been crucial in bringing back my files.
Dogeknight01
New here
Posts: 2
Joined: Fri Oct 07, 2022 4:50 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by Dogeknight01 »

Hi all,
I paid the 0.05BTC as requested to recover my QNAP, triple checked the address and paid extra to cover the transaction fee back in July 13, 2022 but never got the decryption key.
I've been checking for a transaction once a week, just assuming that they're taking their time but now I'm worried that they aren't going to send me the key.
Is there anything that I can do? I checked the address again today and it's definitely correct, and the amount I sent was definitely 0.05BTC.
I've attached some screenshots of the transaction and address.
Thanks
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by FSC830 »

Dogeknight01 wrote: Fri Oct 07, 2022 5:13 pm Hi all,
I paid the 0.05BTC as requested to recover my QNAP, triple checked the address and paid extra to cover the transaction fee back in July 13, 2022 but never got the decryption key.
...
No idea, where you have been looking!
Your OP_RETURN is b008627ffca4d0325c65b5397f1ce7ba

Regards

Edit: next time, when you are hit by Deadbolt ( :wink: ) please post the BTC address in a text form so it can be copied.
I will never again type such an address from a screenshot!
RufRuf
New here
Posts: 5
Joined: Wed Sep 07, 2022 9:27 pm

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by RufRuf »

Dogeknight01 wrote: Fri Oct 07, 2022 5:13 pm Hi all,
I paid the 0.05BTC as requested to recover my QNAP, triple checked the address and paid extra to cover the transaction fee back in July 13, 2022 but never got the decryption key.
I've been checking for a transaction once a week, just assuming that they're taking their time but now I'm worried that they aren't going to send me the key.
Is there anything that I can do? I checked the address again today and it's definitely correct, and the amount I sent was definitely 0.05BTC.
I've attached some screenshots of the transaction and address.
Thanks
That should be your decryption code -> b008627ffca4d0325c65b5397f1ce7ba
https://www.blockchain.com/btc/address/ ... t0xpu04ka7
If you click on Hash for the 0.00005460 BTC transaction and scroll all the way down you will see OP_RETURN with the decryption key.
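Added example, not part of the post above or of any tool linked in this thread: instead of scrolling a block-explorer page, the OP_RETURN data can be read from the output scripts of the small return transaction. The function names, the placeholder payment script and the 16-byte length filter (taken from the 32-hex-character code quoted above) are assumptions of this sketch.

```python
# Added example: extract OP_RETURN data from output scripts (scriptPubKey hex),
# as listed per output by a block explorer or a node's decoded transaction.
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def op_return_payload(script_hex):
    """Return the data pushed after OP_RETURN as hex, or None."""
    try:
        script = bytes.fromhex(script_hex.strip())
    except ValueError:
        return None                      # not hex (e.g. mistyped from a screenshot)
    if len(script) < 2 or script[0] != OP_RETURN:
        return None                      # ordinary payment output
    op, pos = script[1], 2
    if 1 <= op <= 75:                    # direct push: the opcode is the length
        length = op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        length, pos = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        length, pos = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    data = script[pos:pos + length]
    return data.hex() if len(data) == length else None   # reject truncated copies


def find_codes(output_scripts, expected_len=16):
    """Payloads of the expected byte length (assumed 16) among a tx's outputs."""
    payloads = (op_return_payload(s) for s in output_scripts)
    return [p for p in payloads if p and len(p) == expected_len * 2]


# Constructed sample: a placeholder P2WPKH output plus an OP_RETURN output
# carrying the 16-byte code quoted in this thread.
SAMPLE_OUTPUTS = [
    "0014" + "11" * 20,
    "6a10b008627ffca4d0325c65b5397f1ce7ba",
]

if __name__ == "__main__":
    print(find_codes(SAMPLE_OUTPUTS))
```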
sp.boot
New here
Posts: 5
Joined: Thu Jun 13, 2013 4:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by sp.boot »

Hello everyone,

I am supporting someone who is going to pay the ransomware, but their Coinbase account asks for a recipient address... What do we fill in? Or do we have to say “sending to myself”?
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dolbyman »

Recipient address would be the ransom bitcoin address
sp.boot
New here
Posts: 5
Joined: Thu Jun 13, 2013 4:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by sp.boot »

dolbyman wrote: Sat Oct 08, 2022 1:38 am Recipient address would be the ransom bitcoin address
Thank you for your quick answer, but I meant a physical address. (Street address, Purpose of transfer, recipient name)
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by dolbyman »

I have sent bitcoin several times (to coinbase emails or blockchain addresses) never had to give any physical address... but your account (in whatever global jurisdiction you are) could be restricted, check with coinbase support
sp.boot
New here
Posts: 5
Joined: Thu Jun 13, 2013 4:11 am

Re: [RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by sp.boot »

dolbyman wrote: Sat Oct 08, 2022 1:45 am I have sent bitcoin several times (to coinbase emails or blockchain addresses) never had to give any physical address... but your account (in whatever global jurisdiction you are) could be restricted, check with coinbase support
Our customer states the same. What's the risk of saying "Payment to myself"??

Coinbase support is down, but found the reason:
It's because our country wants to know ;)
https://help.coinbase.com/en/coinbase/t ... -crypto-nl

Is there anyone in The Netherlands that came across this?
Last edited by sp.boot on Sat Oct 08, 2022 2:02 am, edited 1 time in total.