[RANSOMWARE] >>READ 1st Post<< Deadbolt

dosborne
Experience counts
Posts: 1518
Joined: Tue May 29, 2018 3:02 am

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

dolbyman wrote: Sat Sep 03, 2022 10:14 pm ...so get ready for a lot of kicking and screaming first posters
Sadly, the same protection works and has been posted for months / years. Get the NAS off the internet.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt - Updated Information on Detection, Prevention, Recovery & MORE]
ZamaGelu
New here
Posts: 5
Joined: Sun Apr 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by ZamaGelu »

dosborne wrote: Sat Sep 03, 2022 10:17 pm
dolbyman wrote: Sat Sep 03, 2022 10:14 pm ...so get ready for a lot of kicking and screaming first posters
Sadly, the same protection works and has been posted for months / years. Get the NAS off the internet.
Dude, I was mostly reporting it for others and asking why the malware is not being picked up, contrary to what QNAP is saying. I'm not looking to pay the ransom; my important data is not on the NAS.

I'm just disappointed in QNAP not offering a better level of protection, and the whole point of me using this NAS was to easily access data on it from anywhere without having to go through a VPN client on each single device.

Sounds like other NASes are plagued with similar issues too, so I might have no other choice but to buy a router with a built-in VPN.
dosborne
Experience counts
Posts: 1518
Joined: Tue May 29, 2018 3:02 am

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

ZamaGelu wrote: Sat Sep 03, 2022 10:31 pm I'm not looking to pay the ransom, my important data is not on the NAS.

I'm just disappointed in QNAP not offering a better level of protection, and the whole point of me using this NAS was to easily access data on it from anywhere without having to go through a VPN client on each single device.
Very happy to hear that (although there is nothing wrong with putting critical data anywhere, including the NAS - just have a backup no matter where it is); it was not included in the OP. Once you've gone through the "hassle" (15 minutes) to set up a VPN into your LAN, you will realize the huge potential and advantages of using it for remote access. The client (OpenVPN, in most cases) is literally a single click or tap to start / stop but gives you complete (and secure) access to ALL the resources on your LAN.

Well worth the investment from a safety, ease of use and resource access point of view. Hopefully there will be other advantages to a new router (newer protocols, faster, more secure, etc.) should you decide to upgrade. A Raspberry Pi ($40) is another much safer option too (or a similar device).
ZamaGelu wrote: Sat Sep 03, 2022 10:31 pm - MalwareRemover didn't find anything. Is there a new version of Deadbolt? Which file should I be looking for and then quarantine/delete?
Check out this thread: viewtopic.php?f=45&t=164797&start=1380#p825512 It outlines what to look for and where. It may be of use to you.
robbyaust
First post
Posts: 1
Joined: Sun Aug 17, 2014 3:20 pm

Re: [RANSOMWARE] Deadbolt

Post by robbyaust »

I fixed mine pretty easily.

It hit me at 3pm a few days ago and ran for around 3 hours.

I lost all my containers, which is easily fixed, lost a few distro ISOs, then it hit a folder of 50GB files, which slowed it right down lol.

I turned off and hard reset with the reset pin on the rear, rebooted and found I had full admin/login access again. None of the antivirus or malware tools could pick it up, so I removed the encrypted files.

As I was already up to date with all software, I approved the beta firmware install and bam, fixed.

Noted App Center trying to install sddpd.bin, trying to reinstall it, which is the payload, after finding the file and taking a peek at the code.

Simply did a manual cleanup of anything related to the payload and boot files.
dosborne
Experience counts
Posts: 1518
Joined: Tue May 29, 2018 3:02 am

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

robbyaust wrote: Sat Sep 03, 2022 11:30 pm I turned off and hard reset with the reset pin on the rear, rebooted and found I had full admin/login access again. None of the antivirus or malware tools could pick it up, so I removed the encrypted files.

As I was already up to date with all software, I approved the beta firmware install and bam, fixed.

Simply did a manual cleanup of anything related to the payload and boot files.
A word of caution for others......

Updating the firmware can remove the "infected" ransom page and therefore the BTC address could be lost forever. BE EXTREMELY careful to have a backup in case you need to pay the ransom.

This (firmware update) does not "remove" the ransomware, it simply puts back the index.html file for the admin GUI. Similarly, the antivirus does not detect this: it is not a virus, it is malware. The Malware Remover may or may not (yet to be shown) quarantine the virus and / or index.html file. Updating the firmware could delete the quarantine area (so say a number of previous posts). None of these utilities will, or are expected to, do anything at all with your encrypted files. That is not what they do, nor is there any other fix.

Normally, unless things have changed, all that is required is:
- Secure your LAN properly immediately to ensure you are not reinfected.
- Reboot your NAS to stop the malware (no previous evidence that it will restart...that could be new...I'd like to see more info on that).
- There should not be a need to do a reset; it wouldn't seem to offer any advantage, again, unless there is something new.
- Only update your firmware (if you are not already current) after you have saved the index.html or copied the exact BTC address as a safety measure. No indication that beta firmware is any better protection; it certainly doesn't fix an already hit system. Personally, I would avoid beta based on the number of outstanding issues at any given time, but that's up to each user.
- Similarly, you shouldn't panic and run the Malware Remover until you have saved the BTC address as well.

As always, maintain proper backups.
robbyaust wrote: Sat Sep 03, 2022 11:30 pm Noted App Center trying to install sddpd.bin, trying to reinstall it, which is the payload, after finding the file and taking a peek at the code.
I'd like to know what you mean and what you saw in this case.
ZamaGelu
New here
Posts: 5
Joined: Sun Apr 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by ZamaGelu »

Good to know that so far it doesn't restart after a reboot. On my end I checked running processes and, like the user above, it was still running but was slowed down by a directory with other >50GB files.
I killed the process (5-digit program running in mnt/HDA_ROOT with -e on /share) and haven't seen it restart. Took a screenshot of the address as well as a PDF of the Deadbolt page and copied the program, index.html and SDDBin into a tarball just in case. I can't delete the 5-digit program or make it non-executable though.
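An added example, not code from any poster in this thread: the process-list check ZamaGelu describes, written as a small Python triage script that can be fed the text of a `ps` listing captured from the NAS. The listing below is constructed for the example, and the heuristics (a numeric binary name launched from /mnt/HDA_ROOT, or a `-e` argument together with a /share path, as the two reports above describe) are assumptions drawn from those reports, not a published Deadbolt signature.

```python
import re
from typing import Dict, List

# Constructed sample of process-list output (PID, user, command) modelled on
# the two reports above: a short numeric binary started from /mnt/HDA_ROOT
# with "-e /share". These lines are made up for this example.
SAMPLE_PS = """\
  PID USER   COMMAND
    1 admin  init
  812 admin  /usr/sbin/httpd -k start
 1337 admin  /sbin/daemon_mgr
24681 admin  /mnt/HDA_ROOT/24681 -e /share
25002 admin  /bin/sh /etc/init.d/photo_station.sh start
"""

# Directories a user-facing service has no business being launched from (assumption).
SUSPECT_DIRS = ("/mnt/HDA_ROOT/",)


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Split 'PID USER COMMAND' rows; the command keeps its arguments intact."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        rows.append({"pid": pid, "user": user, "cmd": cmd})
    return rows


def is_suspicious(cmd: str) -> bool:
    """Heuristic from the thread: a binary under /mnt/HDA_ROOT that either has a
    purely numeric name or was given '-e' with a path below /share."""
    argv = cmd.split()
    exe = argv[0]
    if not exe.startswith(SUSPECT_DIRS):
        return False
    numeric_name = re.fullmatch(r"\d+", exe.rsplit("/", 1)[-1]) is not None
    share_target = "-e" in argv[1:] and any(a.startswith("/share") for a in argv[1:])
    return numeric_name or share_target


def find_suspects(text: str) -> List[Dict[str, str]]:
    """Rows worth preserving (copy the binary into your evidence tarball) and then killing."""
    return [row for row in parse_ps(text) if is_suspicious(row["cmd"])]


if __name__ == "__main__":
    for row in find_suspects(SAMPLE_PS):
        print(f"suspect pid={row['pid']} cmd={row['cmd']}")
```

Real `ps` output on QTS has a different column layout than the constructed sample, so adjust `parse_ps` to the columns you actually see before trusting the result; the point is to preserve a copy of anything it flags before killing it, as ZamaGelu did.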
Alexej1993
Starting out
Posts: 12
Joined: Sun Sep 04, 2022 12:38 am

Re: [RANSOMWARE] Deadbolt

Post by Alexej1993 »

Hello,
I was the next victim of Deadbolt.
All my files are encrypted.
I looked through this thread but I don't know which way to go...

Is there another way to pay?
Or did it work for you after paying and receiving the decryption code?
dosborne
Experience counts
Posts: 1518
Joined: Tue May 29, 2018 3:02 am

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Alexej1993 wrote: Sun Sep 04, 2022 12:42 am I looked through this thread but I don't know which way to go...
Please read this viewtopic.php?f=45&t=164797 and this viewtopic.php?f=45&t=164797&start=1380#p825512

The (current) options available to you are clearly laid out and there are steps you should take immediately.
Montana1701
New here
Posts: 3
Joined: Sun Sep 04, 2022 3:09 am

Re: [RANSOMWARE] Deadbolt

Post by Montana1701 »

Hello.
I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Here is the transaction detail.

Transaction Hash: a5578192fb895a48872a9a007f479242c89d765e5e4b378765937f52afc4c5b9

Paid: 0.05 BTC

Thanks

Kind regards,
Montana1701
OneCD
Guru
Posts: 11620
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

Montana1701 wrote: Sun Sep 04, 2022 3:18 am I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Here is the transaction detail.

Transaction Hash: a5578192fb895a48872a9a007f479242c89d765e5e4b378765937f52afc4c5b9
Your decryption key is: f50306f3bcfb77eb605f61abbc23062c

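OneCD read the key out of the transaction's OP_RETURN output. As an added example (not OneCD's method and not a tool from this thread), here is a minimal Python parser that walks a raw Bitcoin transaction and returns the data carried by any OP_RETURN output. The transaction bytes are constructed for the example: a dummy input, a 16-byte placeholder payload instead of a real key, and an ordinary P2PKH output. The hex of a real transaction can be fetched with `bitcoin-cli getrawtransaction <txid>` or from a block explorer's raw view.

```python
import struct
from typing import List, Optional

# Constructed raw transaction: one dummy input, then an OP_RETURN output
# carrying 16 placeholder bytes, then an ordinary P2PKH output. Every byte
# is made up for this example; it is not a real Deadbolt transaction.
SAMPLE_TX_HEX = "".join([
    "01000000",                                   # version 1
    "01",                                         # input count
    "00" * 32, "00000000", "00", "ffffffff",      # prev txid, index, empty scriptSig, sequence
    "02",                                         # output count
    "0000000000000000",                           # value 0 sat
    "12", "6a10", "00112233445566778899aabbccddeeff",  # 18-byte script: OP_RETURN PUSH16 <data>
    "404b4c0000000000",                           # value 5,000,000 sat
    "19", "76a914", "11" * 20, "88ac",            # 25-byte P2PKH script
    "00000000",                                   # locktime
])


class Reader:
    """Cursor over the serialised transaction bytes."""
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated transaction")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack("<Q", self.take(8))[0]

    def varint(self) -> int:
        first = self.take(1)[0]
        if first < 0xfd:
            return first
        if first == 0xfd:
            return struct.unpack("<H", self.take(2))[0]
        if first == 0xfe:
            return self.u32()
        return self.u64()


def decode_op_return(script: bytes) -> Optional[bytes]:
    """Data pushed after OP_RETURN (0x6a), or None for any other script."""
    if not script or script[0] != 0x6a:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:                       # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == 0x4c:                          # OP_PUSHDATA1: one length byte
        return script[3:3 + script[2]]
    if op == 0x4d:                          # OP_PUSHDATA2: two-byte LE length
        return script[4:4 + struct.unpack("<H", script[2:4])[0]]
    return None


def op_return_payloads(raw_hex: str) -> List[bytes]:
    """Walk version, inputs and outputs; collect every OP_RETURN payload."""
    r = Reader(bytes.fromhex(raw_hex))
    r.u32()                                 # version
    # BIP144 segwit serialisation inserts marker 0x00 and flag 0x01 here; an
    # input count of zero is otherwise impossible, so this test is unambiguous.
    if r.data[r.pos:r.pos + 2] == b"\x00\x01":
        r.take(2)
    for _ in range(r.varint()):             # inputs
        r.take(32)                          # previous txid
        r.u32()                             # previous output index
        r.take(r.varint())                  # scriptSig
        r.u32()                             # sequence
    payloads = []
    for _ in range(r.varint()):             # outputs
        r.u64()                             # value in satoshi
        data = decode_op_return(r.take(r.varint()))
        if data is not None:
            payloads.append(data)
    return payloads                         # witnesses and locktime follow; not needed


if __name__ == "__main__":
    for p in op_return_payloads(SAMPLE_TX_HEX):
        print("OP_RETURN payload:", p.hex())
```

`payload.hex()` gives the data as a hex string; what that string means for a given Deadbolt payment is exactly what OneCD confirmed above, so compare it against the form of the key the ransom page asks for rather than assuming a layout.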
Alexej1993
Starting out
Posts: 12
Joined: Sun Sep 04, 2022 12:38 am

Re: [RANSOMWARE] Deadbolt

Post by Alexej1993 »

OneCD wrote: Sun Sep 04, 2022 3:33 am
Montana1701 wrote: Sun Sep 04, 2022 3:18 am I have paid. I looked in the transaction but can't find the OP_RETURN. Is there someone who can help me?

Here is the transaction detail.

Transaction Hash: a5578192fb895a48872a9a007f479242c89d765e5e4b378765937f52afc4c5b9
Your decryption key is: f50306f3bcfb77eb605f61abbc23062c
Let us know if it worked.
I would be interested to know if it has completely lost all the data or only part of it.
OneCD
Guru
Posts: 11620
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

A new security advisory from QNAP regarding this wave of Deadbolt:

https://www.qnap.com/en-au/security-advisory/qsa-22-24
Summary

QNAP detected a new DeadBolt ransomware campaign in the morning on September 3rd (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with Internet exposure.

We have already fixed the vulnerability in the following versions:
  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.

If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later. :(

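An added example, not QNAP's tooling or any poster's code: a Python check that compares a NAS's QTS and Photo Station versions against the fixed-version table quoted from QSA-22-24 above, and, following OneCD's point, still flags the device if it is reachable from the Internet regardless of patch level. The version strings are typed in by hand (the ones in the block are constructed), and the `4.5` prefix entry is my reading of the advisory's "4.5.x".

```python
from typing import List, Optional, Tuple

# Minimum fixed Photo Station version per QTS branch, copied from QSA-22-24
# as quoted above. "4.5" stands for the advisory's "4.5.x".
FIXED_PHOTO_STATION: List[Tuple[str, str]] = [
    ("5.0.1", "6.1.2"),
    ("5.0.0", "6.0.22"),
    ("4.5", "6.0.22"),
    ("4.3.6", "5.7.18"),
    ("4.3.3", "5.4.15"),
    ("4.2.6", "5.2.14"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.0.1.2131' -> (5, 0, 1, 2131); tuples then compare component-wise."""
    return tuple(int(p) for p in v.strip().split("."))


def fixed_version_for(qts: str) -> Optional[str]:
    """Photo Station version the advisory names for this QTS branch, or None
    if the advisory lists no entry for it (longest branch prefix wins because
    the table is ordered most-specific first)."""
    q = parse_version(qts)
    for branch, photo_station in FIXED_PHOTO_STATION:
        b = parse_version(branch)
        if q[:len(b)] == b:
            return photo_station
    return None


def photo_station_is_patched(qts: str, photo_station: str) -> Optional[bool]:
    """True/False against the advisory table; None when the branch is not covered."""
    needed = fixed_version_for(qts)
    if needed is None:
        return None
    return parse_version(photo_station) >= parse_version(needed)


def assess(qts: str, photo_station: str, internet_exposed: bool) -> str:
    """Defender's summary: a patched Photo Station does not make an exposed NAS safe."""
    patched = photo_station_is_patched(qts, photo_station)
    if patched is None:
        verdict = "no fixed version listed for this QTS branch"
    elif patched:
        verdict = "Photo Station at or above the fixed version"
    else:
        verdict = f"Photo Station below fixed version {fixed_version_for(qts)}"
    if internet_exposed:
        verdict += "; NAS is reachable from the Internet, remove the exposure (VPN only)"
    return verdict


if __name__ == "__main__":
    # Constructed version strings; read the real ones from the QTS control panel.
    print(assess("5.0.1.2131", "6.1.2", internet_exposed=True))
    print(assess("4.5.4.2012", "6.0.21", internet_exposed=False))
```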
jaysona
Been there, done that
Posts: 834
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

OneCD wrote: Sun Sep 04, 2022 4:54 am A new security advisory from QNAP regarding this wave of Deadbolt:

https://www.qnap.com/en-au/security-advisory/qsa-22-24

....
Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.

If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later. :(
Agreed!

If the following web page can be accessed directly from the Internet (no VPN required), it is a sure bet the NAS will eventually be compromised and there will be more tears shed here.

[image not captured]
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
OneCD
Guru
Posts: 11620
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

jaysona wrote: Sun Sep 04, 2022 8:30 am Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
Yep, I've never seen them release an advisory so quickly. I'm also wondering if they had been warned this was going to happen? :'

raxpa
New here
Posts: 4
Joined: Sun Sep 04, 2022 3:58 pm

Re: [RANSOMWARE] Deadbolt

Post by raxpa »

I caught this malware... so without waiting I shut off my NAS. Now I need help to understand how to solve the problem and get my files back! Any idea?