[RANSOMWARE] >>READ 1st Post<< Deadbolt

qscott
New here
Posts: 3
Joined: Wed May 24, 2017 3:01 am

Re: [RANSOMWARE] Deadbolt

Post by qscott »

At long last, the Emsisoft decryptor is chugging through some 150 thousand files that got deadbolted mid-June. I had been skeptical but am finally recovering the files successfully. I'd never dealt in cryptocurrency, so learning about bitcoin, verifying an account, waiting for my balance to come available for transfer, fretting whether I got the thieves' address correct (were those 1s or ls in the address??), gritting my teeth to pay the ransom, then waiting for the return transaction with the decryption key, made for a long, painful process. Thank you to all the helpful contributors on this forum for guiding us through this ordeal and advising how to avoid such nightmares next time.

I want to alert folks to a problem I caused via Qsync through ignorance and confusion about its Space-Saving Mode options. I had been using the QNAP to back up files saved on my local hard drive and to access them remotely. [Now I know better: make extra backups and turn off port-forwarding.] Soon after I detected deadbolt on the NAS, I hastily, stupidly changed some folder pair setting in Qsync, thinking I could restore the backup from the local files. I can't remember for sure which mode I enabled (locally available or always available), but when it got through syncing, it had done exactly the reverse of what I'd hoped, and now those local files were overwritten with encrypted deadbolt versions! Be careful with paired folders and Space-Saving modes.
Buckyball60
New here
Posts: 9
Joined: Thu Nov 24, 2016 9:20 pm

Re: [RANSOMWARE] Deadbolt

Post by Buckyball60 »

Did this failing company ever send an apology to its users?
dolbyman
Guru
Posts: 37324
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Just more security bulletins and hopefully less prominent "private cloud" buzzwords.. nothing otherwise.

What exactly do you expect them to do .. or are you just here to 'stir the pot'?

What did other manufacturers do about deadbolt?
https://www.asustor.com/knowledge/detail/?group_id=630
problem2022
New here
Posts: 2
Joined: Wed Jul 13, 2022 2:10 pm

Re: [RANSOMWARE] Deadbolt

Post by problem2022 »

Hello,

We have a similar problem; Deadbolt caught us.

I have the key for which we made the payment. Unfortunately it was a bit higher: 0.05080000 BTC.

Can someone help? Has the deactivation key been provided to us?

Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4

Thank you in advance for your help.

Adam
OneCD
Guru
Posts: 12790
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

problem2022 wrote: Wed Jul 13, 2022 2:15 pm I have the key for which we made the payment. Unfortunately it was a bit higher: 0.05080000 BTC.
I think this is Deadbolt v2. The previous version requests 0.03 BTC, and the screens look different.

How long has it been since you paid? It can take a few hours for the decryption key to be published.

problem2022
New here
Posts: 2
Joined: Wed Jul 13, 2022 2:10 pm

Re: [RANSOMWARE] Deadbolt

Post by problem2022 »

We paid yesterday morning. This sh*t happened yesterday morning at about 5 a.m.; we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.
dosborne
Experience counts
Posts: 2307
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

problem2022 wrote: Wed Jul 13, 2022 2:44 pm We paid yesterday morning. This sh*t happened yesterday morning at about 5 a.m.; we paid at 9 a.m. Before it was 0.03 BTC; right now it has increased, as you can see, up to 0.05 BTC.
I presume the ransom has gone up as the value of Bitcoin has gone down.
It has received a total of 0.05080000 BTC ($1,001.31)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos X18 HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
How to reset my NAS password, network and security settings
OneCD
Guru
Posts: 12790
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

problem2022 wrote: Wed Jul 13, 2022 2:15 pm I have the key for which we made the payment. Unfortunately it was a bit higher: 0.05080000 BTC.

Can someone help, has the deactivation key been provided to us?

Deadbolt - bc1q0ms068nwy8977s3ynehcay0dpkrsj6e4dug3r4
I've just rechecked and there's now the expected transaction for +0.00005460 BTC shown.

Your decryption key is: 67a045b357f5d700fec426d6402964cb

Rockerking
First post
Posts: 1
Joined: Sat Jul 16, 2022 2:46 am

Re: [RANSOMWARE] Deadbolt

Post by Rockerking »

Hello, everyone.
Maybe someone cares where all the money ends up, or can we do something?
A friend of mine got it, too, and I've just looked, out of boredom, at where the money now goes.
It wanders a long way :D


But I think the money didn't come back :(
So much money :(
Or they are simply the accounts of the services with which they rotate the money.
dolbyman
Guru
Posts: 37324
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Probably laundered through exchanges and larger wallets.
Stu-Q
New here
Posts: 8
Joined: Sun Jul 17, 2022 3:40 pm

Re: [RANSOMWARE] Deadbolt

Post by Stu-Q »

* Need to track down the elusive HTML page with the crypto details *

Another one here, who's only just discovered the bad news.
And just spent the last few hours reading all 69 pages on here, and making plenty of notes.
Thanks to lots of you for some really good info!

I'll have to pay the ransom sadly. 5TB of data, only backed up to an attached USB drive - with the files also encrypted.

Problem is, I've also lost the HTML page with the details for the crypto transfer.
Have submitted a ticket to QNAP, but doubt I'll hear until Monday.
Their link for how to get it back had been posted numerous times, but is now dead.
One person even very kindly posted a cached version - but that no longer works.

Does anyone happen to have the proper instructions from QNAP for recovering the index html page?
Many thanks all.
OneCD
Guru
Posts: 12790
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Hi and welcome to the forum. :)
Stu-Q wrote: Sun Jul 17, 2022 3:53 pm Does anyone happen to have the proper instructions from QNAP for recovering the index html page?
Looks like QNAP have lost the FAQ page again.

Here's the current Google-cached copy (I'll paste it into this post so we don't lose it again, along with a few corrections):
How do I restore the deadbolt page for decrypting the files if I have the correct password?

Applicable Products:
  • Malware
  • Security
Important: If, after carrying out the steps below, you still cannot access the deadbolt page, please contact QNAP customer service.

Follow these steps to restore the original deadbolt page:
  1. Log in to QTS as an administrator.
  2. Open the App Center.
  3. Disable Malware Remover.

    Note: Malware Remover must be disabled before running the following steps.

  4. Access the NAS via SSH.
  5. Run the command:

    wget https://download.qnap.com/Storage/tsd/utility/extract_deadbolt_v4.sh; sh extract_deadbolt_v4.sh; chmod +x /home/httpd/index.html

  6. Open a web browser and access the deadbolt page using the URL: http://YOUR_NAS_IP:8080/index.html

    For example: Qfinder locates your NAS at 10.32.72.48
  7. After the files have been decrypted by entering the password, enable Malware Remover to remove deadbolt-related files:
    1. Log in to QTS as an administrator
    2. Open the App Center
    3. Enable Malware Remover
OneCD
Guru
Posts: 12790
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Rockerking wrote: Sat Jul 16, 2022 2:55 am Maybe someone cares where all the money ends up, or can we do something?
A friend of mine got it, too, and I've just looked, out of boredom, at where the money now goes.
It wanders a long way :D
If it helps, the OP_RETURNs (in the transactions containing the decryption keys) all appear to be coming from the same BTC address: bc1qh6pku7gg2d6pw87z3t4f6d4rk6c48ajvsmfjjl ... so it would seem the hackers have some control over payments from that address. :geek:

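The thread notes that the decryption key arrives in an OP_RETURN output of a follow-up Bitcoin transaction. As an added example (not code from the thread, QNAP or Emsisoft), the parser below walks a raw, legacy-serialized transaction and returns every OP_RETURN payload, so a victim or responder can read the key off the chain without trusting a third-party explorer; the transaction and the key it carries are constructed placeholders, and the assumption that the key is carried as ASCII text inside the push is mine.

```python
# Added example, not from the thread or QNAP: pull OP_RETURN payloads out of a
# raw Bitcoin transaction, the channel the thread says Deadbolt used to publish
# decryption keys. The transaction and key below are constructed placeholders.
import struct
OP_RETURN = 0x6A

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    fmt, size = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def op_return_payload(script):
    """Return the pushed bytes if script is 'OP_RETURN <direct push>', else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    n = script[1]                       # opcodes 0x01..0x4B push that many bytes
    return script[2:2 + n] if 1 <= n <= 0x4B else None

def extract_op_returns(raw_tx_hex):
    """Walk a legacy-serialized tx and collect every OP_RETURN payload (bytes)."""
    tx = bytes.fromhex(raw_tx_hex)
    if tx[4] == 0x00 and tx[5] == 0x01:
        raise ValueError("SegWit serialization; fetch the tx without witness data")
    pos = 4                             # 4-byte version
    n_in, pos = read_varint(tx, pos)
    for _ in range(n_in):
        pos += 36                       # prev txid (32) + output index (4)
        script_len, pos = read_varint(tx, pos)
        pos += script_len + 4           # scriptSig + sequence
    n_out, pos = read_varint(tx, pos)
    found = []
    for _ in range(n_out):
        pos += 8                        # value in satoshis
        script_len, pos = read_varint(tx, pos)
        data = op_return_payload(tx[pos:pos + script_len])
        pos += script_len
        if data is not None:
            found.append(data)
    return found                        # locktime follows; not needed here

SAMPLE_KEY = "00112233445566778899aabbccddeeff"   # placeholder, not a real key
SAMPLE_TX_HEX = (                                  # constructed: 1 input, 2 outputs
    "01000000" + "01" + "00" * 32 + "00000000" + "00" + "ffffffff"
    + "02" + "5415000000000000" + "19" + "76a914" + "11" * 20 + "88ac"
    + "0000000000000000" + "22" + "6a20" + SAMPLE_KEY.encode().hex()
    + "00000000"
)
```

Feed it the raw hex of the real key transaction (as exported by a node or explorer without witness data) and decode the returned bytes as text; if the push is not plain ASCII, inspect the raw bytes instead of assuming the format.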
icelucio01
New here
Posts: 2
Joined: Sun Jul 17, 2022 11:46 pm

Re: [RANSOMWARE] Deadbolt

Post by icelucio01 »

Hi all, I have a couple of questions to ask...
- When I understood what was going on, I immediately removed the power cable from my old and no longer supported TS-419P+ ... Now, when I turn on my NAS again, will Deadbolt continue to encrypt my data? I would like to check how many files have been encrypted, but I would avoid letting it continue to encrypt, and copy what is still good to another destination.

- I have another old NAS. Can I move my infected disks into this device (it has been untouched for years and has an old firmware) and try to reset/install the "boot" partition with a "clean" old firmware? It's always an idea to read the files without the nightmare of continued encryption (maybe I can run some tool/procedure like qResque).

Thank you, Lucio
dosborne
Experience counts
Posts: 2307
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

icelucio01 wrote: Mon Jul 18, 2022 1:09 am - When I understood what was going on, I immediately removed the power cable from my old and no longer supported TS-419P+ ... Now, when I turn on my NAS again, will Deadbolt continue to encrypt my data? I would like to check how many files have been encrypted, but I would avoid letting it continue to encrypt, and copy what is still good to another destination.
So far, there haven't been any reports that I have seen to indicate that the malware continues to run (or restart). It *seems*, purely from what I have read, that it is initiated solely from the original attack. However, you should read the entire thread here (and elsewhere) about how to look for the process (usually identified by a numeric executable and process) so that if you decide to try, you can at least look to see if it runs.
icelucio01 wrote: Mon Jul 18, 2022 1:09 am - I have another old NAS. Can I move my infected disks into this device (it has been untouched for years and has an old firmware) and try to reset/install the "boot" partition with a "clean" old firmware? It's always an idea to read the files without the nightmare of continued encryption (maybe I can run some tool/procedure like qResque).
This is not likely to provide you with any advantage. The malware seems to run in memory, however since there are a lot of unknowns, do you really want to take the risk? Putting infected drives into another system isn't likely to give you any better an environment to work within, if it runs in memory. At worst, it would simply infect the core of your other system, but who knows.

Just my opinion.