[RANSOMWARE] >>READ 1st Post<< Deadbolt

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
sc1207
New here
Posts: 3
Joined: Tue Jan 26, 2021 11:58 am

[RANSOMWARE] >>READ 1st Post<< Deadbolt

Post by sc1207 »

========================
Deadbolt FAQ:


How Do I know I have Been Affected?

If your QNAP shares have a bunch of files with the extension .deadbolt and/or if you navigate to the main QTS page for your NAS and are greeted with
Image

Image
Your NAS has been infected with deadbolt.

Here is more details of what the program actually does

>>Here is a good summary on actions to take<<


Preventative Measures
- Disable or remove any port forward settings in your router that redirect to your NAS
- Disable uPnP on your router
- Update your NAS to the latest available Firmware (Current patched firmware versions are 4.3.3.1864, 4.5.4.1892 and 5.0.0.1932)

Recovery
- If you have full external intact backups, reset your NAS and restore from backups
- If you have no backups and don't intend to pay, try Qrescue (it has been reported many times now, that this method does NOT work on deadbolt)
- If you want to pay, here is a 'user' story' (Make sure that all auto-updates are disabled during the decryption, so the process is not interrupted)
  • Current status: decryption keys ARE NOT being issued. There are NO assurances you'll receive a decryption key if you pay the ransom.
- As many websites are trying to decrypt plain-text OP_RETURN data now (making them unusable) here is a website that offers the plain OP_RETURN: https://explorer.viawallet.com
- If you are missing the ransom note and bitcoin address (removed by a QNAP firmware update or Malware remover) check here
- If you are hit in with the malware wave around September 2022 you can try this payment address retrieval tool (use at your own risk)
========================
Edited to include FAQ (with thanks to @dolbyman for writing this). Original post is below.

Hi, my QNAP NAS drive just got attacked by a ransonware that turned all my files to files with a .deadbolt extension. Wondering if this is a new ransomware or if anyone has experience with this? I googled it and have not come up with anything as of yet. This seem more hardcore than qlocker, it seems to have taken over the NAS OS as well as encrypting my files, my drive login page has been hijacked by the ransomware into a page for inputting the decryption key. Hopefully someone has a lead on this here because this is getting old, I got attacked by qlocker and had a real fun time sorting out my files afterwards, hopefully there will be a solution to this one.
Last edited by OneCD on Wed Jan 26, 2022 8:30 am, edited 1 time in total.
User avatar
dolbyman
Guru
Posts: 35428
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

So you were hacked by Qlocker and STILL exposed your NAS to WAN afterwards ? ...
sc1207
New here
Posts: 3
Joined: Tue Jan 26, 2021 11:58 am

Re: Deadbolt ransomware

Post by sc1207 »

dolbyman wrote: Wed Jan 26, 2022 12:52 am So you were hacked by Qlocker and STILL exposed your NAS to WAN afterwards ? ...
Yes, call me stupid. I specifically use three differnt NAS drives to help me work between different sites, I don't pretend to be an internet security expert. However I have learned to triple backup my files to offline drives so I am only missing my last few hours of work, but it would be great if I can get this back.
User avatar
dolbyman
Guru
Posts: 35428
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

besides using a deleted file recovery method or paying the ransom .. not much to do

https://www.qnap.com/static/landing/202 ... rescue/en/
https://www.bleepingcomputer.com/forums ... -nas-hack/
P3R
Guru
Posts: 13194
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Deadbolt ransomware

Post by P3R »

@dolbyman,
I've seen the first reports today and I think that Deadbolt is in at least some ways a different threat than QLocker. I'm in no way sure but the little things I've seen from affected users so far points in that direction. The QLocker documentation may or may not be useful, I don't know? :S
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
User avatar
dolbyman
Guru
Posts: 35428
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

I quickly checked reddit and bleeping computer and couldn't find anything mentioned.. maybe that has changed now

https://www.reddit.com/r/qnap/comments/ ... nst_qnaps/

Here is a first reddit thread, but I see no indication that files are handled differently (crypt copy + original deleted)
idobitom
New here
Posts: 4
Joined: Sat Sep 09, 2017 5:45 pm

New ransomware

Post by idobitom »

Two of my servers got hit with Deadbolt ransomware this morning

Only a few files had been encrypted (file extension .deadbolt) so far before I shut off the server
You do not have the required permissions to view the files attached to this post.
P3R
Guru
Posts: 13194
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Deadbolt ransomware

Post by P3R »

dolbyman wrote: Wed Jan 26, 2022 4:17 am https://www.reddit.com/r/qnap/comments/ ... nst_qnaps/

Here is a first reddit thread, but I see no indication that files are handled differently (crypt copy + original deleted)
I haven't heard of the deadbolt extension being used with QLocker and the message look different as well.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Keano16
Starting out
Posts: 43
Joined: Tue Dec 23, 2014 6:48 pm

Re: New ransomware

Post by Keano16 »

This is no good. Zero Day Vulnerability means we should expect firmware update ASAP.
QNAP TS-251+
2 x WD40FRX RED inside (2 x 4GB).
User avatar
OneCD
Guru
Posts: 12239
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Deadbolt ransomware

Post by OneCD »

OCR of that first screenshot:
Important Message for QNAP

All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:

1) Make a bitcoin payment of 5 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8:

You will receive all details about this zero-day vulnerability so it can be patched. A detailed report will be sent to security@qnap.com.

2) Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8:

You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com.

Upon receipt of payment for either option, all information will be sent to you in a timely fashion.

There is no way to contact us.
These are our only offers.
Thanks for your consideration.

Greetings,
DEADBOLT team.
For those interested as-to whether QNAP decide to pay the amounts shown, here's the current balance of that bitcoin address: https://www.blockchain.com/btc/address/ ... 82t6trlnd8

Presently, ₿5 = AU$257,194 (US$183,331)

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage
User avatar
dolbyman
Guru
Posts: 35428
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Deadbolt ransomware

Post by dolbyman »

I think it's a different malware as well, but if the recovery method is still valid (search for recently deleted files and restore them), the method should still work

0day means "GET YOUR FLIPPIN NAS OUT OF THE FLIPPIN WEB" ... sadly needs to be said daily ... if you do not expose services, you have no issues
Last edited by dolbyman on Mon May 16, 2022 9:44 pm, edited 1 time in total.
User avatar
OneCD
Guru
Posts: 12239
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Deadbolt ransomware

Post by OneCD »

dolbyman wrote: Wed Jan 26, 2022 5:15 am 0day means "GET YOUR FLIPPIN NAS OUT OF THE FLIPPIN WEB" ... sadly needs to be said daily ... if your do not expose services, your have no issues
+1000

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage
Bob Zelin
Experience counts
Posts: 1384
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.
Contact:

[Ransomware] .deadbolt Jan 25th, 2022

Post by Bob Zelin »

just saw this today. This unfortunately is real. I did a Google search on .deadbolt, and cannot find anything on it. But my client just got it. 2 Factor Authentication did not prevent this.

I hope to God that this is not a true Zero Day virus, but just another variation of QLocker. If you are reading this, I would pull your QNAP off the internet for now.
Bob Zelin
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
User avatar
dolbyman
Guru
Posts: 35428
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [Ransomware] .deadbolt Jan 25th, 2022

Post by dolbyman »

Already a topic open

viewtopic.php?f=50&t=164797

If Qlocker2 3 weeks ago hasn't educated people, maybe deadbolt will.

Never ever expose ANY QNAP service to WAN
Keano16
Starting out
Posts: 43
Joined: Tue Dec 23, 2014 6:48 pm

Re: Deadbolt ransomware

Post by Keano16 »

Pull it off internet until QNAP reacts... and who knows when that will be!
QNAP TS-251+
2 x WD40FRX RED inside (2 x 4GB).
Post Reply

Return to “Users' Corner”