QNAP detected a new DeadBolt ransomware campaign in the morning on September 3rd (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with Internet exposure.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1: Photo Station 6.1.2 and later
QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
QTS 4.3.6: Photo Station 5.7.18 and later
QTS 4.3.3: Photo Station 5.4.15 and later
QTS 4.2.6: Photo Station 5.2.14 and later
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.
If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later.
Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.
If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later.
Agreed!
If the following web page can be accessed directly from the Internet (no VPN required), it is a sure bet the NAS will eventually be compromised and there will be more tears shed here.
jaysona wrote: ↑Sun Sep 04, 2022 8:30 am
Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
Yep, I've never seen them release an advisory so quickly. I'm also wondering if they had been warned this was going to happen?
Yep. This is the one that got me today. Very very dull.
I have a weekly backup, and daily snapshot both of these are clean. I only store music and photos on the NAS so I’ve only lost a week's worth which is not much and they are still in my phone so…..
I’ve done the usual, that I should have done but didn’t, closed off all ports to the NAS, binned off myqnapcloud, never liked that thing in the first place. UPnP is off. I ran the malware cleaner, which didn’t report anything!!! and my firmware has been the latest since the last update. The question now is what to do.
I have Virtualisation Station hosting my main server in an untouched VM which does have everything on it and is important.
The snapshots in VS3 have been tested and are clean, that VM is safe. However the backup facility in VS3 has stopped working, which is such a pain, but that’s another issue.
My questions are:
I can use ssh, locally of course, can I clean up my NAS as it is now?
The deadbolt thread is very long and what I’m looking for is a step by step guide.
I can delete all the .deadbolt files.
How do I reset the admin login screen?
How do I clean out any other deadbolt mischief such as scripts, keys, etc?
I’d love to just backup my VM quickly and just reinitialise the unit, but there is trouble there as I’ve explained. Once VM3 backup facility works I’ll probably do a full reset.
If anyone can help with an idiots guide, and I am an idiot, then I’d be really grateful to you.
Many thanks.
Dj
QNAP TS-253B with 2 x 3TB drives, 8gig RAM
Firmware 4.5.1
Running: WordPress, Piwigo, Nextcloud (20 HUB) in VS3
Subsonic & much much more!
lama01 wrote: ↑Mon Aug 29, 2022 4:02 am
well thanks, after restoring the admin user and logging on as admin I get less error return messages when I run SDDPd.bin
# sh SDDPd.bin
SDDPd.bin: line 7: chattr: command not found
but still http://nas_ip:8080/index.html leads to the regular QNAP NAS login page.
any idea how SDDPd.bin can be told to restore the Deadbolt landing page?
I'm afraid this is the limit to what I can offer and would just be guessing. Other than perhaps manually checking the index file to ensure that you aren't loading a cached version or some other reason. There are only a handful of reports that I have seen where running that file was possible / necessary, and it in theory should have worked.
chattr is used to change attributes on a file. In an SSH shell, if you simply type "chattr" does it output the help info?
Since in theory the program is trying to manipulate attributes on the index.html file, you could manually go check to see what attributes it currently has and perhaps open all permissions on the file (chmod 777 for example) then try running SDDPd.bin again.
in what folder should I find the index.html file ?
in the [/home/httpd] folder I locate an index.html.bak (created well BEFORE the deadbolt attack) and an index.html.old (created well AFTER the deadbolt attack, probably during one of the unsuccessful attempts to recover the starting page).
Maybe this is the cause SDDPd.bin fails to create the Deadbolt landing page?
edit: here is what I found by manual search
/home/httpd/cgi-bin/index.html (created well BEFORE deadbolt)
/home/Qhttpd/index.html (created well AFTER deadbolt)
maybe starting page accesses the wrong one? How could it be changed?
chattr command seems unknown as it returns
[/home/httpd] # chattr
-sh: chattr: command not found
I have been attacked by deadbolt yesterday and all my files have been appended with a deadbolt extension. I simply can’t afford to pay them as I’m going through a crisis and this is the last thing that I wanted to happen to me as I have photos of my kid in there who I lost a few years ago. I know I’m the one at fault for not creating a backup but I have reasons why I couldn’t do it so was relying on my NAS.
I am planning on using qrescue to see if I can salvage anything but I want to get rid of the program/ process first.
I just SSHed in to my NAS and I was trying to follow the procedure explained earlier in this thread but I can’t seem to find any process with a name in my mint folder.
This is what I can see. Can someone please help what do I need to do to kill the deadbolt program/process?
Kn9558 wrote: ↑Sun Sep 04, 2022 7:47 pm
I am planning on using qrescue to see if I can salvage anything but I want to get rid of the program/ process first.
I just SSHed in to my NAS and I was trying to follow the procedure explained earlier in this thread but I can’t seem to find any process with a name in my mint folder.
This is what I can see. Can someone please help what do I need to do to kill the deadbolt program/process?
QRescue will not help you. It is not for Deadbolt. But, you can try, just don't expect it to work.
Use "ps -ef" to check the running processes and you can "kill -9" the process id of anything deadbolt related.
I will take this opportunity to point people again to the first post in this thread and also this post viewtopic.php?f=45&t=164797&start=1380#p825512 that contain a lot of information on Deadbolt and how to protect your data.
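A read-only triage script that wraps the checks suggested in this thread (ps -ef filtered for deadbolt, the PIDs to review before any kill -9, a count of .deadbolt files, and the index.html locations lama01 found). This is an added example for the thread, not QNAP's code and not SDDPd.bin; the /share data root and the index.html paths are assumptions taken from the posts above, and the sample ps listing in the test is constructed. It reports only and never kills or deletes anything, so the output can be checked before acting on it.

```shell
#!/bin/sh
# deadbolt_triage.sh: read-only triage of a DeadBolt-hit QNAP NAS (added example).
# Assumptions: run over SSH on the NAS as admin; DATA_ROOT and the index.html
# candidates are the paths mentioned in the thread, adjust them for your box.
# Invoke as:  sh deadbolt_triage.sh run

DATA_ROOT="${DATA_ROOT:-/share}"
WEB_INDEX_CANDIDATES="/home/httpd/index.html /home/httpd/cgi-bin/index.html /home/Qhttpd/index.html"

# Filter a `ps -ef` style listing (stdin) down to lines whose command mentions
# deadbolt, case-insensitively, and drop our own grep from the result.
find_deadbolt_processes() {
    grep -i 'deadbolt' | grep -v 'grep'
}

# Reduce matching `ps -ef` lines to their PIDs (second column). These are the
# ids a human should review before running `kill -9 <pid>` by hand.
pids_from_ps_lines() {
    awk '{ print $2 }'
}

# Count files carrying the .deadbolt extension below a directory.
count_deadbolt_files() {
    find "$1" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

# Report which web-server index files exist under a root prefix ("" means the
# live filesystem) with permissions and mtime, so the copy touched during the
# attack stands out. lsattr is consulted only if it exists, since the thread
# shows chattr (and so lsattr) missing on QTS.
inspect_index_files() {
    prefix="$1"
    for f in $WEB_INDEX_CANDIDATES; do
        path="$prefix$f"
        if [ -e "$path" ]; then
            echo "FOUND: $path"
            ls -l "$path"
            if command -v lsattr >/dev/null 2>&1; then
                lsattr "$path" 2>/dev/null
            fi
        fi
    done
}

main() {
    procs="$(ps -ef | find_deadbolt_processes)"
    echo "== processes mentioning deadbolt =="
    printf '%s\n' "$procs"
    echo "PIDs to review before 'kill -9 <pid>': $(printf '%s\n' "$procs" | pids_from_ps_lines | tr '\n' ' ')"
    echo "== .deadbolt files under $DATA_ROOT: $(count_deadbolt_files "$DATA_ROOT") =="
    echo "== web index candidates =="
    inspect_index_files ""
}

# The live report runs only when explicitly asked for, so sourcing the file
# for its functions (or running it without arguments) does nothing.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once before and once after any manual cleanup and keep both outputs; a second run that still shows a deadbolt process or a non-zero .deadbolt count tells you the cleanup is incomplete, and the index.html listing shows whether the landing page was swapped back rather than merely cached in the browser.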
dosborne wrote: ↑Sun Sep 04, 2022 9:57 pm
"5184" is likely the encrypter/decrypter then.
so does that mean there isn't anything deadbolt related running on my machine and I can give qrescue a go? I have read the first post and other related posts but I can't seem to figure out what other deadbolt related processes/files I should be looking for and where?
Last edited by Kn9558 on Sun Sep 04, 2022 10:32 pm, edited 1 time in total.
So it is advised to completely reset and restore your NAS rather than kill, delete anything deadbolt related?
If I can I’m trying to not do a full reset as I have a VM which VS3 will not backup. Grrrrrrr!
I do have a full backup of all my other stuff, so if I can just rm all the infected .deadbolt files, clean up the NAS and stick my backup would that work?
I can’t seem to find a step by step for cleaning up the mess rather than a reset. Difficult I know as we can’t say what else is hiding on the disc.
There is lots of good info on what to do if you are paying etc and resetting the NAS so I’m guessing there is nothing in between?
Thanks gang
Dj
QNAP TS-253B with 2 x 3TB drives, 8gig RAM
Firmware 4.5.1
Running: WordPress, Piwigo, Nextcloud (20 HUB) in VS3
Subsonic & much much more!