[RANSOMWARE] >>READ 1st Post<< Deadbolt

dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

I can do that too... but for the weekend I am mainly hanging out on mobile... so copy-pasting around is a bit more of a hassle there.

If OneCD (or any other mod) wants to do it in the meantime..great
lama01
Starting out
Posts: 15
Joined: Sat Jul 30, 2011 3:41 am

Re: [RANSOMWARE] Deadbolt

Post by lama01 »

dosborne wrote: Sun Aug 28, 2022 9:46 pm
lama01 wrote: Sun Aug 28, 2022 9:25 pm What if I do not have the corresponding password anymore?
https://www.qnap.com/en/how-to/faq/arti ... e-password
Well, thanks. After restoring the admin user and logging on as admin I get fewer error return messages when I run SDDPd.bin

# sh SDDPd.bin
SDDPd.bin: line 7: chattr: command not found

But still http://nas_ip:8080/index.html leads to the regular QNAP NAS login page.
Any idea how SDDPd.bin can be told to restore the Deadbolt landing page?
dosborne
Experience counts
Posts: 2040
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

lama01 wrote: Mon Aug 29, 2022 4:02 am Well, thanks. After restoring the admin user and logging on as admin I get fewer error return messages when I run SDDPd.bin

# sh SDDPd.bin
SDDPd.bin: line 7: chattr: command not found

But still http://nas_ip:8080/index.html leads to the regular QNAP NAS login page.
Any idea how SDDPd.bin can be told to restore the Deadbolt landing page?
I'm afraid this is the limit to what I can offer and would just be guessing. Other than perhaps manually checking the index file to ensure that you aren't loading a cached version or some other reason. There are only a handful of reports that I have seen where running that file was possible / necessary, and it in theory should have worked.

chattr is used to change attributes on a file. In an SSH shell, if you simply type "chattr" does it output the help info?
Since in theory the program is trying to manipulate attributes on the index.html file, you could manually go check to see what attributes it currently has and perhaps open all permissions on the file (chmod 777 for example) then try running SDDPd.bin again.

Edit1: to add.....

I saw on BleepingComputer that they suggested running

    sh SDDPd.bin

If that is what you did, then try running it directly

    ./SDDPd.bin

or vice-versa. I'd be surprised if it made any difference, but worth a try.

And of course make sure Malware Remover is disabled or uninstalled as you don't want it running in this case as you want the "infection" to occur.

Edit2: Reading more....it seems the error messages may be 'expected'
1. run this command on ssh shell on your NAS - getcfg MalwareRemover INSTALL_PATH -f /etc/config/qpkg.conf
2. whatever path you get, copy it. Open WinSCP or SFTP tool, and FTP to your NAS. Open the path which you have copied.
3. Go to /.quarantine folder and copy the files with latest timestamps. It would be around the dates when it got infected.
4. Download both the files to your local computer and open them using 7zip.
5. One of them should have the SDDPd.bin file.
6. Extract it and FTP to /mnt/HDA_ROOT/update_pkg/.
7. Once done, go back to SSH and cd to /mnt/HDA_ROOT/update_pkg/
8. run the command - sh SDDPd.bin in the directory /mnt/HDA_ROOT/update_pkg/. Ignore the errors
I would have suggested slightly different steps than the ones above, but essentially the same, just no need for 7zip, FTP to local then copy back etc. All steps 1-7 do is find the quarantined version of SDDPd.bin and copy it to /mnt/HDA_ROOT/update_pkg/
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
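The eight quoted steps above can be done on the NAS itself, without the 7-Zip and SFTP round trip that dosborne mentions. The script below is an added example written for this page; it is not code from the thread, from BleepingComputer or from QNAP. Two things are assumptions, labelled in the comments: that Malware Remover's quarantine directory is <INSTALL_PATH>/.quarantine, and that each quarantine entry is a tar, tar.gz or zip archive (the thread only says 7-Zip can open them) or the bare file itself. The demo at the end runs against a constructed fake quarantine directory so it works on any machine; the real QTS invocation is left in a comment and should only be run if you deliberately want the Deadbolt page back.

```shell
#!/bin/sh
# Added example for this thread (not from the forum or from QNAP): perform
# steps 1-7 of the quoted procedure on the NAS itself, no 7-Zip/SFTP round trip.
# Labelled assumptions: Malware Remover's quarantine is <INSTALL_PATH>/.quarantine,
# and each quarantine entry is a tar, tar.gz/tgz or zip archive (the thread only
# says 7-Zip opens them) or the bare file itself.

# Steps 1-2: resolve the quarantine directory via getcfg (works on QTS only).
quarantine_dir() {
    getcfg MalwareRemover INSTALL_PATH -f /etc/config/qpkg.conf | sed 's#/*$#/.quarantine#'
}

# Step 3: entries of directory $1, newest first, one path per line.
newest_first() {
    ls -1t "$1" 2>/dev/null | while IFS= read -r f; do printf '%s/%s\n' "$1" "$f"; done
}

# Steps 4-5: print the member path inside archive $1 whose basename is $2, if any.
archive_entry() {
    arc=$1; want=$2
    case "$arc" in
        *.tar.gz|*.tgz) tar -tzf "$arc" 2>/dev/null ;;
        *.zip)          command -v unzip >/dev/null && unzip -Z1 "$arc" 2>/dev/null ;;
        *)              tar -tf "$arc" 2>/dev/null ;;
    esac | awk -F/ -v w="$want" '$NF == w { print; exit }'
}

# Step 6: extract member $2 of archive $1 into directory $3 as $3/<basename>.
extract_entry() {
    arc=$1; entry=$2; dest=$3
    mkdir -p "$dest" || return 1
    case "$arc" in
        *.zip)          unzip -o -j -q "$arc" "$entry" -d "$dest" || return 1 ;;
        *.tar.gz|*.tgz) tar -xzf "$arc" -C "$dest" "$entry" || return 1 ;;
        *)              tar -xf "$arc" -C "$dest" "$entry" || return 1 ;;
    esac
    base=$(basename "$entry")
    # tar recreates the member's directory prefix; flatten it
    if [ "$entry" != "$base" ] && [ -f "$dest/$entry" ]; then
        mv -f "$dest/$entry" "$dest/$base"
    fi
    [ -f "$dest/$base" ]
}

# Scan quarantine directory $1 newest-first for a file named $2, copy it to $3.
# Prints the quarantine entry it came from; returns 1 if nothing contained it.
restore_from_quarantine() {
    qdir=$1; want=$2; dest=$3
    newest_first "$qdir" | while IFS= read -r arc; do
        if [ "$(basename "$arc")" = "$want" ]; then      # quarantined as a bare file
            mkdir -p "$dest" && cp -f "$arc" "$dest/" && printf '%s\n' "$arc" && break
        fi
        entry=$(archive_entry "$arc" "$want")
        [ -n "$entry" ] || continue
        if extract_entry "$arc" "$entry" "$dest"; then
            printf '%s\n' "$arc"
            break
        fi
    done
    [ -f "$dest/$want" ]
}

# Self-contained demo on constructed data: a fake quarantine directory holding an
# older unrelated archive and a newer one that contains payload/SDDPd.bin.
demo_quarantine() {
    t=$(mktemp -d)
    mkdir -p "$t/q" "$t/src/payload"
    printf 'echo constructed stand-in, not the real SDDPd.bin\n' > "$t/src/payload/SDDPd.bin"
    printf 'unrelated\n' > "$t/src/other.txt"
    ( cd "$t/src" && tar -cf "$t/q/20220101_old.tar" other.txt )
    ( cd "$t/src" && tar -czf "$t/q/20220828_new.tar.gz" payload )
    touch -t 202201010000 "$t/q/20220101_old.tar"      # make it the older entry
    restore_from_quarantine "$t/q" SDDPd.bin "$t/update_pkg"
}
demo_quarantine

# Real use on the NAS, only when you deliberately want the Deadbolt page back:
#   restore_from_quarantine "$(quarantine_dir)" SDDPd.bin /mnt/HDA_ROOT/update_pkg \
#     && cd /mnt/HDA_ROOT/update_pkg && sh SDDPd.bin
```

The newest-first scan matches step 3 (latest timestamps first), but the result does not depend on ordering: an entry is only used if it actually contains a member named SDDPd.bin. Malware Remover must still be disabled before running the restored file, as dosborne notes, or it will simply be quarantined again.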
cjsr06
New here
Posts: 7
Joined: Thu Aug 25, 2022 7:30 am

Re: [RANSOMWARE] Deadbolt

Post by cjsr06 »

Hey all, sorry I am super new to the blockchain stuff. I have gone to www.blockchain.com and created an account but am unsure if I have to create a wallet or if signing up is a wallet? Do I have to buy bitcoin directly or do I link a card and send it?
Any help would be great, or any step-by-step, as I don't want to send money wrong or have to do it again.
Last edited by cjsr06 on Mon Aug 29, 2022 9:03 pm, edited 1 time in total.
cjsr06
New here
Posts: 7
Joined: Thu Aug 25, 2022 7:30 am

Re: [RANSOMWARE] Deadbolt

Post by cjsr06 »

Hey guys,

Also, is my code bc1qwzzx L, or is that another 1?

Is there a way to test it and ensure it’s the right place?
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

that is the payment address

you can type the whole thing and check it with a blockchain explorer
cjsr06
New here
Posts: 7
Joined: Thu Aug 25, 2022 7:30 am

Re: [RANSOMWARE] Deadbolt

Post by cjsr06 »

dolbyman wrote: Mon Aug 29, 2022 9:03 pm that is the payment address

you can type the whole thing and check it with a blockchain explorer
I understand, but I don't know if it's an L or a number 1?
Also, do you know how to add or send funds? It only says it allows $300, or do I have to verify first?
dosborne
Experience counts
Posts: 2040
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

cjsr06 wrote: Mon Aug 29, 2022 9:18 pm I understand, but I don't know if it's an L or a number 1?
Then check carefully. The first looks like a 1 (one) and the second an l (L). But hard to see on my monitor. Do you have a save or can you access the file still so you can copy and paste instead of typing it in? My guess is

    bc1qwzzxl850y4akrejmzd2rg37dchazq46ana4a0f

cjsr06 wrote: Mon Aug 29, 2022 9:18 pm Also, do you know how to add or send funds? It only says it allows $300, or do I have to verify first?
You need to contact the crypto platform that you chose to use. Most likely, yes, they need to verify your identity. Depending on where you live, this is the law. Every platform is different and has its own support for help with adding and transferring.
OneCD
Guru
Posts: 12507
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

dosborne wrote: Mon Aug 29, 2022 9:25 pm
cjsr06 wrote: Mon Aug 29, 2022 9:18 pm I understand, but I don't know if it's an L or a number 1?
Then check carefully. The first looks like a 1 (one) and the second an l (L).
Agree.

If it helps, the Bech32-format addresses always start with 'bc1' (b-c-one): https://en.bitcoin.it/wiki/Bech32

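The 1-versus-l question above can be settled offline, and OneCD's note about 'bc1' is the key to it: the bech32 alphabet defined in BIP173 contains no '1', 'b', 'i' or 'o', so the only '1' in a bc1 address is the separator right after 'bc', every later ambiguous glyph has to be a lowercase 'l', and the six-character checksum at the end rejects any single mistyped character. The validator below is an added example written for this page, not code from the thread, from OneCD or from QNAP. It assumes a mainnet address (human-readable part 'bc'), handles both bech32 (bc1q..., witness version 0) and bech32m (bc1p..., version 1 and up, BIP350), and is checked only against the BIP173 test vector; the addresses posted in the thread are merely printed, since nothing here can vouch for which reading is the one the ransom page shows.

```python
"""Offline validator for Bitcoin bech32 (BIP173) / bech32m (BIP350) addresses.

Added example for this thread, not code from the forum or from QNAP.
Assumes a mainnet address (human-readable part 'bc'); the only test vector
asserted is the BIP173 one, the thread's own addresses are merely printed.
"""

# The 32-character bech32 alphabet. It deliberately omits '1', 'b', 'i' and 'o'
# because they are easy to confuse with 'l', '6', 'l'/'1' and '0'.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # checksum constant for witness version 0 (bc1q...)
BECH32M_CONST = 0x2BC830A3  # checksum constant for witness version 1+ (bc1p...)


def _polymod(values):
    """BCH checksum over 5-bit values, exactly as specified in BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _regroup_5_to_8(values):
    """Pack 5-bit groups into bytes; reject padding that is not all-zero bits."""
    acc = bits = 0
    out = []
    for v in values:
        acc = ((acc << 5) | v) & 0xFFF
        bits += 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if bits >= 5 or ((acc << (8 - bits)) & 0xFF):
        return None
    return bytes(out)


def check_segwit_address(addr, hrp="bc"):
    """Return (True, (witness_version, program_bytes)) or (False, reason)."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed upper/lower case is not allowed"
    addr = addr.lower()
    if not addr.startswith(hrp + "1"):
        return False, f"must start with '{hrp}1' ('{hrp}' followed by the digit one)"
    if len(addr) > 90:
        return False, "longer than 90 characters"
    body = addr[len(hrp) + 1:]
    if len(body) < 7:
        return False, "too short to hold a witness version and checksum"
    for i, c in enumerate(body, start=len(hrp) + 1):
        if c not in CHARSET:
            hint = f" (after '{hrp}1' that can only be a lowercase 'l')" if c == "1" else ""
            return False, f"character {c!r} at index {i} is not in the bech32 alphabet{hint}"
    data = [CHARSET.index(c) for c in body]
    version = data[0]
    if version > 16:
        return False, "witness version above 16"
    expected = BECH32_CONST if version == 0 else BECH32M_CONST
    if _polymod(_hrp_expand(hrp) + data) != expected:
        return False, "checksum mismatch: at least one character is mistyped"
    program = _regroup_5_to_8(data[1:-6])
    if program is None or not 2 <= len(program) <= 40:
        return False, "invalid witness program length"
    if version == 0 and len(program) not in (20, 32):
        return False, "version-0 program must be 20 or 32 bytes"
    return True, (version, program)


if __name__ == "__main__":
    candidates = [
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",   # BIP173 test vector
        "bc1qwzzxl850y4akrejmzd2rg37dchazq46ana4a0f",   # dosborne's reading, above
        "bc1qwzzx1850y4akrejmzd2rg37dchazq46ana4a0f",   # same with a '1' instead of 'l'
    ]
    for a in candidates:
        ok, detail = check_segwit_address(a)
        if ok:
            print(a, "-> valid, witness v%d program %s" % (detail[0], detail[1].hex()))
        else:
            print(a, "-> invalid:", detail)
```

A valid result only proves the string is a well-formed address, not that it is the address on your ransom page; a checksum mismatch, on the other hand, proves you have mistyped at least one character, which is exactly what you want to know before sending anything. Copying the address from the page's HTML source, as dosborne suggests, avoids the problem entirely.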
cjsr06
New here
Posts: 7
Joined: Thu Aug 25, 2022 7:30 am

Re: [RANSOMWARE] Deadbolt

Post by cjsr06 »

Thanks for the replies and help, guys. I do appreciate it and sorry I'm not great at this stuff.

I have chosen blockchain.com but am not sure how to add that much money to it and don't want to lose more money, that's all. Does anyone have step-by-step instructions?
cjsr06
New here
Posts: 7
Joined: Thu Aug 25, 2022 7:30 am

Re: [RANSOMWARE] Deadbolt

Post by cjsr06 »

dosborne wrote: Mon Aug 29, 2022 9:25 pm
cjsr06 wrote: Mon Aug 29, 2022 9:18 pm I understand, but I don't know if it's an L or a number 1?
Then check carefully. The first looks like a 1 (one) and the second an l (L). But hard to see on my monitor. Do you have a save or can you access the file still so you can copy and paste instead of typing it in? My guess is

    bc1qwzzxl850y4akrejmzd2rg37dchazq46ana4a0f

cjsr06 wrote: Mon Aug 29, 2022 9:18 pm Also, do you know how to add or send funds? It only says it allows $300, or do I have to verify first?
You need to contact the crypto platform that you chose to use. Most likely, yes, they need to verify your identity. Depending on where you live, this is the law. Every platform is different and has its own support for help with adding and transferring.
Thank you dosborne. Appreciate it.
Do you know how much extra bitcoin I need to buy to cover the fee? As many people have mentioned not sending enough to cover it.
Also, do you have to buy the coin first and then send it, or can you just do it all in one transaction?
Final question, I read it holds your funds for 3 days before you can send it to the Deadbolt people. Is that true, or has anyone else been able to do it quicker?
dosborne
Experience counts
Posts: 2040
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

cjsr06 wrote: Tue Aug 30, 2022 2:41 pm
dosborne wrote: Mon Aug 29, 2022 9:25 pm You need to contact the crypto platform that you chose to use. Most likely, yes, they need to verify your identity. Depending on where you live, this is the law. Every platform is different and has its own support for help with adding and transferring.
Thank you dosborne. Appreciate it.
Do you know how much extra bitcoin I need to buy to cover the fee? As many people have mentioned not sending enough to cover it.
Also, do you have to buy the coin first and then send it, or can you just do it all in one transaction?
Final question, I read it holds your funds for 3 days before you can send it to the Deadbolt people. Is that true, or has anyone else been able to do it quicker?
Again, you need to talk to the bitcoin platform support people. That is their job. Every platform charges different fees. You have to deposit to the platform, wait for your deposit to clear, then make a payment to the ransom address. Every platform has different rules about how long they wait for the payment to clear, and it could be dependent on how you make your deposit.

It is like depositing a cheque in the bank. They hold your funds until the cheque clears before you can write another cheque. Every bank has different rules.

I don't have a BTC account, I've never had any BTC, I've never paid a ransom. My understanding is you could be delayed while your account itself is validated (depending on where you live and the platform you use and the financial / legal requirements that cover that) and you typically look at a delay while your deposit (etransfer, credit card, wire transfer etc) has time to clear (varies by type of transfer, by BTC platform, by local restrictions, by anti-money laundering rules, etc).

The amount of the fee could have many variables and is entirely set by the BTC platform.

All of this should be clearly stated on the BTC platform website and can be verified through their support people.
If they can't provide you the information, switch to a "real" BTC platform.

Edit: From the website that you chose:
Deposits FAQ
What are the limits for depositing
Deposits Holds
Can I expedite my withdrawal?
At this time there is no way for you to speed up your withdrawal nor can you cut down on the holding period
gh138
First post
Posts: 1
Joined: Fri Sep 02, 2022 3:25 pm

Re: [RANSOMWARE] Deadbolt

Post by gh138 »

Could someone help confirm that I'm understanding my bitcoin ransom transaction correctly? I seem to have received an OP_RETURN with a 32 character key attached, but that key isn't working for me.

https://www.blockchain.com/btc/tx/42ccb ... a85133c951
payment address = bc1q0l9qpal3qxv8f6khekyt3eqtww8m2wf09mm5j2
OP_RETURN = c864e3f60267aba016f02bb06d6472aa

Initially, I plugged the key into the Deadbolt page, it accepted it, began "decrypting", but then failed around 200 files in and restored the Qnap login screen. I can't find any sign that it actually touched any files.
I tried the Emsisoft tool, but it fails to decrypt any files using the above key.

Does anyone have any guidance? Am I doing something obviously wrong?
ZamaGelu
New here
Posts: 5
Joined: Sun Apr 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by ZamaGelu »

Hi guys,

Just got hit with deadbolt a few hours ago. I was on latest firmware for my model (TS-453mini, 5.0.0.2131) but clearly that didn't prevent my NAS from being attacked.
Have a few questions for you guys:
- MalwareRemover didn't find anything. Is there a new version of deadbolt? Which file should I be looking for and then quarantine/delete?
- I've now disabled UPnP on the NAS and router, but how can I continue accessing my NAS remotely (admin page, Plex, SSH) without enabling manual port forwarding on my router?

Thanks for your help, quite angry to be honest.
munkeenuts02
First post
Posts: 1
Joined: Sat Sep 03, 2022 6:06 pm

Re: [RANSOMWARE] Deadbolt

Post by munkeenuts02 »

Exactly the same thing has happened to me overnight (TS-653D, 5.0.0.2131). Managed to stop it halfway through and followed the same process as below (Malware Remover did nothing), but what do I do now? I really don't want to be paying hackers to be able to access my own files... Quite angry with QNAP too!

ZamaGelu wrote: Sat Sep 03, 2022 5:19 pm Hi guys,

Just got hit with deadbolt a few hours ago. I was on latest firmware for my model (TS-453mini, 5.0.0.2131) but clearly that didn't prevent my NAS from being attacked.
Have a few questions for you guys:
- MalwareRemover didn't find anything. Is there a new version of deadbolt? Which file should I be looking for and then quarantine/delete?
- I've now disabled UPnP on the NAS and router, but how can I continue accessing my NAS remotely (admin page, Plex, SSH) without enabling manual port forwarding on my router?

Thanks for your help, quite angry to be honest.