How do I know I have been affected?
If your QNAP shares have a bunch of files with the extension .deadbolt and/or if you navigate to the main QTS page for your NAS and are greeted with:
Your NAS has been infected with deadbolt.
Here are more details of what the program actually does
>>Here is a good summary on actions to take<<
- Disable or remove any port forward settings in your router that redirect to your NAS
- Disable UPnP on your router
- Update your NAS to the latest available Firmware (Current patched firmware versions are 184.108.40.2064, 220.127.116.112 and 18.104.22.1682)
- If you have full external intact backups, reset your NAS and restore from backups
- If you have no backups and don't intend to pay, try Qrescue (it has been reported many times now, that this method does NOT work on deadbolt)
- If you want to pay, here is a 'user story' (Make sure that all auto-updates are disabled during the decryption, so the process is not interrupted)
- Current status: decryption keys ARE presently being issued. However, this can change without warning at any time. There are NO assurances you'll receive a decryption key if you pay the ransom. But (so far) everyone who has paid has received a decryption key eventually.
- Please be patient if you've paid the ransom. It appears decryption keys are being processed (and issued) in batches, every 2 to 3 days.
- If you are missing the ransom note and bitcoin address (removed by a QNAP firmware update or Malware Remover), check here
- If you were hit by the malware wave around September 2022, you can try this payment address retrieval tool (use at your own risk)
Edited to include FAQ (with thanks to @dolbyman for writing this). Original post is below.
Hi, my QNAP NAS drive just got attacked by a ransomware that turned all my files to files with a .deadbolt extension. Wondering if this is a new ransomware or if anyone has experience with this? I googled it and have not come up with anything as of yet. This seems more hardcore than qlocker; it seems to have taken over the NAS OS as well as encrypting my files, and my drive login page has been hijacked by the ransomware into a page for inputting the decryption key. Hopefully someone has a lead on this here because this is getting old. I got attacked by qlocker and had a real fun time sorting out my files afterwards; hopefully there will be a solution to this one.