It is possible the message was suppressed due to running in a shell. I would have written the script differently

Code:
echo "[O] Found malware pkg \"$targetFile\" in $foundPath and used it to generate index.html under /home/httpd/"
Update: As of October 14, 2022, police raids may have slowed or stopped the issuing of decryption keys. Some information can be found here, and there is a web form where you can upload a *.deadbolt file and see if you can get your decryption key here (Note: this depends partly on when you were infected). Then continue reading....

Topics that can be found below:
-IF YOU HAVE BEEN INFECTED BY DEADBOLT
-DEADBOLT - A QUICK OVERVIEW
-CHECK TO SEE IF THE MALWARE IS STILL RUNNING AND ENCRYPTING MORE FILES
-SECURE YOUR NETWORK NOW!
-PROTECT YOUR RANSOM PAGE
-PROTECT YOUR DATA
-IF YOU NEED HELP RECOVERING YOUR RANSOM PAGE
-IF YOU NEED HELP FIGURING OUT HOW TO PAY THE RANSOM
-IF YOU PAID THE RANSOM AND NEED TO GET YOUR DECRYPTION KEY
-General Preventative Measures
-MORE CLEANUP INFORMATION and THE CURRENT QNAP SCRIPT
-HOW TO COPY FILES TO A SAFE LOCATION
-Basic commands to run in the SSH Shell
-FINAL STEPS

IF YOU HAVE BEEN INFECTED BY DEADBOLT AND GET A RANSOM PAGE instead of your Admin GUI Login or see FILES WITH .DEADBOLT EXTENSION, then take a screen capture, take a photo, print, save, write down (do whatever you can) the Ransom Bitcoin Address. It looks something like bc1q2mavpmjl82zf5ltl25deyd99eqw3hd3smxf8ex. This is VERY important. If you decide to pay, you NEED THAT ADDRESS and may have difficulty finding it later. Be very careful as one wrong character means the entire address is wrong. It is absolutely necessary if you end up wanting to pay the ransom (currently there is no free "fix" or other alternative other than your own backups). Do NOT run Malware Remover or update your firmware until you have saved this data. Once you start recovering your system this information could easily be lost.
One way to scan your data and see if you have been infected is to use SSH to access your NAS (details further down) and run the "find" command.
Code:
find /share/. -iname '*deadbolt*' -print
DEADBOLT - A QUICK OVERVIEW
- Your Network and NAS were compromised because you had an open port and there is a vulnerability (actually, several) in the NAS firmware and applications.
- Your files were encrypted with a password very similar to using WinZIP (or similar tool) with a password option. This process MAY BE ONGOING depending on how quickly you noticed there was an infection on your system. A reboot should stop it at least temporarily, but you need to perform more steps listed below.
- Your NAS Admin GUI Login page file (/home/httpd/index.html) was replaced with the "Ransom" notice.
- Some or all of your data files will be renamed with a ".deadbolt" extension indicating they have been encrypted.
- Currently there is no way to decrypt your files other than to pay the ransom or restore your files from a backup.

CHECK TO SEE IF THE MALWARE IS STILL RUNNING AND ENCRYPTING MORE FILES
A reboot should have stopped the encryption process, but you should manually check to ensure it has indeed stopped. These steps tell you how to do that.
It is **VERY** important to save any of the files listed in this section as they may be your only hope at recovery. Some or all may be missing from your system depending on what options you have selected and what steps you have taken at this point.
Other indications that you may have been infected with this malware: these files are associated with the malware script. They aren't particularly useful (just flag files) but you should look for them and remove them.
Code:
PID_FILENAME=/tmp/deadbolt.pid
STATUS_FILENAME=/tmp/deadbolt.status
FINISH_FILENAME=/tmp/deadbolt.finish
Code:
ls -al /mnt/HDA_ROOT
ls -al /share/CACHEDEV1_DATA/
Code:
ps -ef | grep <<insert 4-5 digit filename here>> | grep -v grep
Code:
kill -9 <<insert the process id (PID) of the 4-5 digit file here>>
SECURE YOUR NETWORK NOW!
- Disable or remove any port forward settings in your router that redirect to your NAS. Seriously! DO THIS NOW!
- Disable UPnP on your router (this may affect usage of other apps / devices) but you should do it. Seriously! DO THIS NOW!
- Disable DMZ on your router or at least remove your NAS from this setting. Seriously! DO THIS NOW!
- Disable UPnP on your NAS (Control Panel -> Network & File Services -> Service Discovery -> UPnP Discovery Service -> [uncheck] Enable UPnP Discovery Service -> Apply). Seriously! DO THIS NOW!
- Disable all applications in the QNAP Application Center that are not critical during recovery. Photo Station for example MUST BE disabled NOW as it is reported as the attack vector for the 2022-09-03 "wave".
- It would be a good idea to reboot your router to ensure that all the settings take effect and forwarded ports are cleared.

PROTECT YOUR RANSOM PAGE
-disable the "check for new firmware versions" on your NAS (to prevent the BTC address from being erased)
-disable the beta program opt in (to prevent the BTC address from being erased)
-disable the "recommended version" autoupdate option (to prevent the BTC address from being erased)
-disable the "latest version" autoupdate option (to prevent the BTC address from being erased)
-disable the Malware Remover application (to prevent the BTC address from being erased)
-disable all qnapcloud options

PROTECT YOUR DATA
-disable any 3rd party HBS3 option
-disable any automated backups until recovery is complete to maintain the integrity of the backups
-disable any sync jobs you may have to avoid replacing good files with bad ones or deleting good files
Note: For the files below, you may have to alter the attributes in order to delete them. Type "chattr -i <<filename>>" if you get an "Operation not permitted" error trying to delete them, then try the deletion again.
Code:
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>DEADBOLT Payment Information Tool</title><style>body{background:#222;color:#fff;font-family:"PT Mono",courier}input[type=file]{display:none}.fu{border:1px solid #ccc;display:inline-block;padding:6px 12px;cursor:pointer;color:#ccc}.fu:hover{border:1px solid red;color:#fff}.db{color:#30db97}center>p{width:600px;text-align:left}#main{position:absolute;top:50%;left:50%;transform:translateX(-50%) translateY(-50%);width:50em;background:#444;padding:15px;border:2px solid #139a43;border-radius:4px}</style></head><body><div id="main"><h1 style="text-align: center"><span class="db">DEADBOLT</span> Payment Information Tool</h1><p>Select encrypted (<b>.deadbolt</b> extension) file to retrieve the payment info in case you lost access to the <span class="db">DEADBOLT</span> portal page.</p><p>Please note: this only works for files encrypted by the <b>latest version</b> of <span class="db">DEADBOLT</span>. 
This tool will tell you if your file is compatible.</p><center><label class="fu"><input type="file" id="filebox" onchange="pf(event);"> 📄 select encrypted file</label></center><p id="fi"></p><p id="pi"></p></div><script>function $(e){return document.getElementById(e)}function bp(e){let n=[996825010,642813549,513874426,1027748829,705979059],i=1;return e.forEach(e=>{let t=i>>25;i=(33554431&i)<<5^e,[0,1,2,3,4].forEach(e=>{t>>e&1&&(i^=n[e])})}),i}function bc(e){let t=[],n=1^bp([3,3,0,2,3].concat(e).concat([0,0,0,0,0,0]));return[0,1,2,3,4,5].forEach(e=>t.push(n>>5*(5-e)&31)),t}function rc(t){let n=BigInt(0);for(let e=0;e<20;e++){var i=BigInt(t[e]);n=(n<<BigInt(8))+i}let r=[0];for(let e=0;e<32;e++)r.push(Number((n>>BigInt(160-5*(e+1)))%BigInt(32)));r=r.concat(bc(r));let a="bc1";return r.forEach((e,t)=>a+="qpzry9x8gf2tvdw0s3jn54khce6mua7l"[e]),a}function fi(e){$("fi").innerHTML=e}function pi(e,t=!1){t&&(e="<font color='red'>error: "+e+"</font>"),$("pi").innerHTML=e}function pf(e){pi(""),fi(""),1!=e.target.files.length?pi("too many/few files selected.",!0):(fi("filename: "+(e=e.target.files[0]).name+"<br />filesize: "+e.size+" bytes"),e.size<128?pi("file is too small.",!0):e.slice(e.size-128,e.size).arrayBuffer().then(t=>{let n=new Uint8Array(t),i=n.slice(0,8);"DEADBOLT".split("").forEach((e,t)=>{i[t]!=e.charCodeAt(0)&&(ok=!1)});var r=n.slice(112,116);if(0==r[0]&&0==r[1]&&0==r[2]&&0==r[3])pi("this file was encrypted with an older version of DEADBOLT. please contact your vendor for assistance in recovering the portal.",!0);else{r=rc(n.slice(16,36));let e=new DataView(t);pi("payment address: <b><span class='db'>"+r+"</span></b><br />\npayment amount : <b><span class='db'>"+parseFloat(e.getFloat32(112).toFixed(4))+" BTC</span></b>")}}))}</script></body></html>
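As an added example (not code from the original post, from QNAP, or from the author of the HTML tool above), here is a Python equivalent of what that tool does, combined with the "find" scan from the top of the FAQ: it walks a directory tree for .deadbolt files and reads the 128-byte trailer at the end of each (offsets taken from the tool's JavaScript) to recover the bc1q... payment address and the BTC amount, reporting the older variant that stores no payment info. The trailer contents, the hash160 value (the BIP173 test vector) and the 0.03 BTC amount are constructed sample data, not from a real infection.

```python
import os
import struct
import tempfile

# Layout of the 128-byte trailer the HTML tool above reads from the end of a
# .deadbolt file (offsets taken from that tool's JavaScript): [0:8] ASCII "DEADBOLT",
# [16:36] 20-byte hash160 -> bc1q... address, [112:116] big-endian float32 BTC amount.
TRAILER_LEN = 128
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def bech32_polymod(values):
    """BIP173 checksum polynomial (same generator constants as bp() in the tool)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def p2wpkh_address(hash160):
    """Encode a 20-byte witness program as a version-0 bech32 'bc1q...' address."""
    n = int.from_bytes(hash160, "big")
    data = [0] + [(n >> (160 - 5 * (i + 1))) & 31 for i in range(32)]
    hrp_expanded = [ord(c) >> 5 for c in "bc"] + [0] + [ord(c) & 31 for c in "bc"]
    poly = bech32_polymod(hrp_expanded + data + [0] * 6) ^ 1
    checksum = [(poly >> (5 * (5 - i))) & 31 for i in range(6)]
    return "bc1" + "".join(CHARSET[d] for d in data + checksum)

def parse_deadbolt_trailer(blob):
    """Payment info from an encrypted file's bytes; ValueError if no trailer."""
    t = blob[-TRAILER_LEN:]
    if len(t) < TRAILER_LEN or t[:8] != b"DEADBOLT":  # the tool computes but never acts on this check
        raise ValueError("no DEADBOLT trailer found")
    if t[112:116] == b"\x00\x00\x00\x00":  # older variant: ransom info not in the file
        return {"variant": "old", "address": None, "amount_btc": None}
    amount = struct.unpack(">f", t[112:116])[0]
    return {"variant": "new", "address": p2wpkh_address(t[16:36]),
            "amount_btc": round(amount, 4)}

def scan_tree(root):
    """Like `find ROOT -iname '*.deadbolt'`, but also reads each hit's trailer."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".deadbolt"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    hits[path] = parse_deadbolt_trailer(f.read())
            except ValueError as exc:
                hits[path] = {"variant": "unknown", "error": str(exc)}
    return hits

def build_sample(hash160, amount_btc):
    """Constructed sample: dummy ciphertext followed by a new-variant trailer."""
    trailer = bytearray(TRAILER_LEN)
    trailer[0:8] = b"DEADBOLT"
    trailer[16:36] = hash160
    trailer[112:116] = struct.pack(">f", amount_btc)
    return b"\x00" * 64 + bytes(trailer)

def demo():
    """Scan a temp dir holding one constructed file (hash160 = BIP173 test vector)."""
    h160 = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "photo.jpg.deadbolt"), "wb") as f:
            f.write(build_sample(h160, 0.03))
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}
```

Point scan_tree() at a share (for example /share/CACHEDEV1_DATA) to list every encrypted file together with the address and amount its trailer carries.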
IF YOU NEED HELP RECOVERING YOUR RANSOM PAGE to get the BTC address you need to pay, then contact QNAP support. The Malware Remover tool could have moved it to a quarantine area; QNAP can help you with that. Disable or remove the Malware Remover app temporarily. (I know this seems strange, but you do not want it to accidentally delete the BTC ransom address by mistake.) DO NOT UPDATE YOUR FIRMWARE until you have recorded the BTC ransom address. If you do update your firmware, you may never be able to get the BTC ransom address. There may be a *small* chance that you can find the SDDPd.bin file under /mnt/HDA_ROOT/update_pkg/ (use SSH to go look), in which case you *may* be able to recover the ransom page. For more info on that CONTACT QNAP SUPPORT as their script attempts recovery. If that doesn't work, you can try manually doing the same thing. Read this link https://www.bleepingcomputer.com/forums ... on/page-38 (note that Bleepingcomputer references the file with the wrong spelling!). I would recommend taking a FULL BACKUP of your (encrypted) system before attempting anything as a safeguard against making things worse. Essentially, you are re-infecting yourself, very risky and to be performed at your own risk. (Although it seems the QNAP script [more detail on the script is posted below] also performs this step.)

IF YOU NEED HELP FIGURING OUT HOW TO PAY THE RANSOM (I hope you seriously consider this as a last resort only - as you are supporting criminal activity), then read this: viewtopic.php?p=810191#p810191 I know many of you have no other option, that is the point of ransom attacks. Please consider having a backup in the future so you are not hit by the next attack, disaster, whatever...

IF YOU PAID THE RANSOM AND NEED TO GET YOUR DECRYPTION KEY, just follow the directions (viewtopic.php?p=818604#p818604), there is NO NEED to ask others to follow the simple steps for you. The OP_RETURN posting of the decryption key seems to generally be automated so the key gets posted usually within a few minutes if you paid the proper amount (note there may be transaction fees imposed by the BTC provider you use and the ransom is in ADDITION to the fees).
OneCD wrote: ↑Tue May 17, 2022 3:34 pm
Use https://www.blockchain.com for this.
- When you've loaded that site, use the search bar (near the top-right of the web-page) and copy-paste your specific ransomware bitcoin address into the search field, then push <enter>.
NOTE: These are examples only! These links WILL NOT WORK for YOUR transaction.
That will take you to this page: https://www.blockchain.com/btc/address/ ... q27rm8857c
- Scroll down to the "Transactions" section.
- There are presently 2 transactions with this hash (in this example). We're interested in the transaction for +0.00005460 BTC, as this is the amount the hackers pay to the same bitcoin address to provide your decryption key. So, click on the "Hash" value for that transaction: https://www.blockchain.com/btc/tx/cf42a ... d6af367b18
- Now, we're on a new page with the transaction details. Scroll down to the "Outputs" section - it's the last one on the page.
- Then find index 2 (OP_RETURN). The attached hexadecimal number is the decryption key.
If you paid the ransom, have your key, but you do not have the original ransom page (to run the decryption), then you can COPY ALL YOUR ENCRYPTED FILES to a local drive, USB drive, etc. and run the Emsisoft decryption program. NOTE THIS STILL REQUIRES A KEY that you PAID for! It is essentially just a copy of the same tool used by the hacker to encrypt your files in the first place. Update: As of September 3rd, 2022, there *MAY* be a slight issue with the current (as of this posting) version of the Emsisoft utility. It has been reported that some files (notably movie files in particular) may not decrypt properly and you may be forced to use the original encryption program or the one "provided" by this new version of ransomware. This possibly has something to do with the "new" way the files are encrypted and the ransom info is now included in the archive. It is possible Emsisoft will release an update, contact them directly if you need the utility or an update.
If you get your data back, or if you don't have a backup, MAKE A BACKUP NOW!

General Preventative Measures:
Perform these steps after you have cleaned and recovered your system and data to help protect your system from (further) attacks.
- Have a backup plan!!! Test and verify your backups. It is YOUR data, how important is it to you? That determines how many and what type of backup you have. Backups protect against Ransomware, Viruses, Theft, Fire, Data deletion, power outages, etc.
- Have a backup plan!!! Yes it is said twice.
- Read the QNAP Advisory and signup for notifications https://www.qnap.com/en/security-advisory/qsa-22-19
- Disable or remove any port forward settings in your router that redirect to your NAS Seriously! DO THIS NOW!
- Disable uPnP on your router (this may affect usage of other apps / devices) but you should do it. Seriously! DO THIS NOW!
- Disable DMZ on your router or at least remove your NAS from this setting Seriously! DO THIS NOW!
- Disable uPnP on your NAS Seriously! DO THIS NOW!
- Update your NAS to the latest available Firmware (but be sure to save the BTC ransom information first!). See QNAP download site for current versions.
- Update your QNAP applications to the latest versions (2022-09-04 particularly Photo Station if you have it installed)
- Use ONLY a VPN to connect from a remote device / location. Run the VPN (free) on your (best option) router or other device such as a Raspberry Pi
These steps provide minimal actual value from an attack like Deadbolt, but should be considered:
- Create a secondary admin user and disable the default "admin" account (there may be some issues with this)
- Use Two Factor Authentication (2FA) - no actual protection for THIS attack
- Use a "complex" password - Deadbolt does not use this vector, but it is a good idea
- Install, configure and run the QFirewall app to limit the IP addresses that can access your NAS
MORE CLEANUP INFORMATION and THE CURRENT QNAP SCRIPT
Here is *MY* interpretation of the steps provided by QNAP and the script:
First, set up ssh access:
How do I access my QNAP NAS using SSH? https://www.qnap.com/en/how-to/faq/arti ... -using-ssh
Disable Malware Remover before all steps below and enable MR after job is done!
========================================
removed by Malware remover
# wget https://www.dropbox.com/s/14eyexqrcm9y6 ... ecovery.sh; sh deadboltRansomPageRecovery.sh
=======================================
removed by support script
# cd /mnt/HDA_ROOT/clean_deadbolt
# mv /home/httpd/index.html /home/httpd/index.html.old
# cp index.html /home/httpd/index.html
# cp $number$ /mnt/HDA_ROOT
Change URL http://nas_ip:8080/index.html
Code:
Deleted by administrator. Please contact QNAP Tech Support if you need assistance.
Code:
FindNum
FindIndex
FindPkg
Code:
ls -al /mnt/HDA_ROOT
ls -al /share/CACHEDEV1_DATA/
Code:
ps -ef | grep <<insert 4 digit filename here>>
Code:
kill -9 <<insert the process id (PID) of the 4 digit file here>>
Code:
cat index.html
Code:
http://your_nas_ip_address:8080/index.html
HOW TO COPY FILES TO A SAFE LOCATION
The files that you need to save exist in the system area of your NAS. You will need some general information on basic Linux commands in order to be able to copy them to a USB stick for safe keeping. There is no danger of them "infecting" your Windows or Mac computer as they are Linux programs. Similarly, your encrypted files (that end in ".deadbolt") are simply encrypted and contain no malware within them and can be safely backed up or copied.

Basic commands to run in the SSH Shell
Linux commands are a bit different from Windows/DOS commands. First, everything in Linux is case sensitive. A file named "ThisIsAFile" is treated completely separately from a file named "thisisafile". Also, when dealing with directories/folders, the forward slash "/" is used instead of the backslash "\" in Windows. Most commands provide basic help by using the parameter "--help", for example, to get help with the "ls" command, type "ls --help" and press enter. Most of my examples will use explicit paths, which isn't absolutely necessary, it just makes it harder for beginners to make mistakes.
Once you connect to the SSH shell and have entered your admin password, you get a simple prompt:
Code:
[~] #
From there, you can do things like list the files in the current directory:
Code:
ls -al
You change directories with the "cd" command. Example:
Code:
cd /mnt/HDA_ROOT/

How to "Find" files in Linux
If you know the name of a file you want to locate, you can use the "find" command. One of the files you may need to locate per the above instructions is "SDDPd.bin". You can search the whole system to see if it exists by typing:
Code:
find /. -iname SDDPd.bin -print
If it is found, then the path and filename will be displayed. A null return indicates it was not found.

Copy files with the "cp" command
You will need to copy the files you want to save to a location that is accessible from your PC. I will use the "/home/httpd/index.html" file as an example. First, you need to determine the name of one of the shares that you have configured on your system. You can use the "ls" command like this "ls -al /share" to list all the possible options, then pick one that you may have used previously and mapped to a drive already.

Create a directory for the files
Optionally, you can now create a directory within that share to "store" the files temporarily. You can create the directory from your computer or from the SSH prompt using the "mkdir" command. As an EXAMPLE, I will use the share named "Public", yours will be a different name. I will create a directory named "TempSave" using the command:
Code:
mkdir /share/Public/TempSave
AS AN EXAMPLE only, I will use "Public" as the name of **MY** share, and optionally the "TempSave" directory. So, to copy a file I would type:
Code:
cp /home/httpd/index.html /share/Public/TempSave/

Move or Rename files with the "mv" command
Another example of something you may have to do is to move or rename the index.html file which is the NAS Admin GUI console login page. This file would potentially have been "replaced" with the ransom notice when the malware ran. AFTER you have copied the "index.html" file, if you also have a backup (created by the ransomware) you can restore the original by using the following command:
Code:
mv /home/httpd/index.html.bak /home/httpd/index.html

Copying to a USB Stick
Once you have collected all the files into the share/directory (you can verify they are there by typing "ls -al /share/Public/TempSave" in my example), then use your PC to copy these files off the NAS; I suggest a USB stick but obviously anywhere on your PC will work.

Deleting files
Files can be deleted in SSH using the "rm" remove command. For example, if you want to delete the SDDPd.bin (AFTER YOU HAVE ENSURED YOU HAVE A COPY ELSEWHERE!!) you can type:
Code:
rm /mnt/HDA_ROOT/update_pkg/SDDPd.bin
FINAL STEPS
Now that your network has been secured and the NAS system has been recovered, you can re-enable the applications you use including the Malware Remover. You should not use UPnP, DMZ or forward any ports as this leaves you vulnerable to future attacks. The most secure way to access your NAS and your network from a remote location is to use a VPN (preferably on your router). Do not confuse an inbound VPN, which can be installed in most cases for free, with a paid VPN service (ads on TV all day long) which offers outbound traffic encryption. This topic is well covered elsewhere. The most important thing to learn from all this is to have good, complete and tested backups of YOUR data. RAID is not a backup. Consider that you could have a hardware failure, theft, data deletion, virus, malware or other issues at ANY time. Be prepared.

Note: This is a user forum. I'm just another user. This is NOT an official way to contact QNAP. I am not associated with QNAP. I offer my advice, do with it as you wish. Ignore it or follow it. I am just trying to help as many others help too. I have not been infected. I did not write the script. I have never used BTC. I do not have examples of infected files, etc., so this summary is based purely on the posts of others, but seems to be validated.
I tried to manually run SDDPd.bin but got some error messages in return. Starting page is still the regular QNAP NAS login page.
It was done with another user which has admin rights (member of the administrators group). Does it have to be the "admin" user?
dosborne wrote: ↑Wed Jan 26, 2022 12:45 am
========================
Deadbolt FAQ:
...
Preventative Measures
- Disable or remove any port forward settings in your router that redirect to your NAS
- Disable uPnP on your router
- Update your NAS to the latest available Firmware (Current patched firmware versions are 4.3.3.1864, 4.5.4.1892 and 5.0.0.1932)
...
Just read this. Wouldn't it be better to add advice to store the information on the ransom page prior to updating to the latest firmware?
Good idea. I can update my post, hopefully @sc1207 or @OneCD will see this and update the first post in a similar way.
Can't an admin/mod do this?
well thanks, after restoring the admin user and logging on as admin I get less error return messages when I run SDDPd.bin
lama01 wrote: ↑Mon Aug 29, 2022 4:02 am
well thanks, after restoring the admin user and logging on as admin I get less error return messages when I run SDDPd.bin
# sh SDDPd.bin
SDDPd.bin: line 7: chattr: command not found
but still http://nas_ip:8080/index.html leads to the regular QNAP NAS login page.
any idea how SDDPd.bin can be told to restore the Deadbolt landing page?
I'm afraid this is the limit to what I can offer and would just be guessing. Other than perhaps manually checking the index file to ensure that you aren't loading a cached version or some other reason. There are only a handful of reports that I have seen where running that file was possible / necessary, and it in theory should have worked.
Code:
sh SDDPd.bin
Code:
./SDDPd.bin
1. run this command on ssh shell on your NAS - getcfg MalwareRemover INSTALL_PATH -f /etc/config/qpkg.conf
2. whatever path you get, copy it. Open WinSCP or SFTP tool, and FTP to your NAS. Open the path which you have copied.
3. Go to /.quarantine folder and copy the files with latest timestamps. It would be around the dates when it got infected.
4. Download both the files to your local computer and open it using 7zip.
5. One of them should have the SDDPd.bin file.
6. Extract it and FTP to /mnt/HDA_ROOT/update_pkg/.
7. Once done, go back to SSH and cd to /mnt/HDA_ROOT/update_pkg/
8. run the command - sh SDDPd.bin in the directory /mnt/HDA_ROOT/update_pkg/. Ignore the errors
I would have suggested slightly different steps than the ones above, but essentially the same, just no need for 7zip, ftp to local then copy back etc. All steps 1-7 do are find the quarantined version of SDDPd.bin and copy it to /mnt/HDA_ROOT/update_pkg/