[RANSOMWARE] >>READ 1st Post<< Deadbolt

Alexej1993
Starting out
Posts: 12
Joined: Sun Sep 04, 2022 12:38 am

Re: [RANSOMWARE] Deadbolt

Post by Alexej1993 »

OneCD wrote: Sun Sep 04, 2022 3:33 am
Montana1701 wrote: Sun Sep 04, 2022 3:18 am I have paid. I looked in the transaction but can't find OP_RETURN. Is there someone who can help me?

Here is the transaction detail.

Transaction Hash: a5578192fb895a48872a9a007f479242c89d765e5e4b378765937f52afc4c5b9
Your decryption key is: f50306f3bcfb77eb605f61abbc23062c
let us know if it worked
I would be interested to know if it has completely lost all the data or only part of it
OneCD
Guru
Posts: 12509
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

A new security advisory from QNAP regarding this wave of Deadbolt:

https://www.qnap.com/en-au/security-advisory/qsa-22-24
Summary

QNAP detected a new DeadBolt ransomware campaign in the morning on September 3rd (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with Internet exposure.

We have already fixed the vulnerability in the following versions:
  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.

If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later. :(

jaysona
Been there, done that
Posts: 859
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

OneCD wrote: Sun Sep 04, 2022 4:54 am A new security advisory from QNAP regarding this wave of Deadbolt:

https://www.qnap.com/en-au/security-advisory/qsa-22-24

....
Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
I suggest ignoring the "we have already fixed the vulnerability in the following versions" advice, as it's much safer to not expose your QNAP to the Internet, no matter which firmware version you're using.

If the hackers are to be believed, they have a list of undisclosed vulnerabilities they are yet to exploit. Continuing to expose any QTS version to the Internet will likely get you hacked sooner or later. :(
Agreed!

If the following web page can be accessed directly from the Internet (no VPN required), it is a sure bet the NAS will eventually be compromised and there will be more tears shed here.

[image]
RAID is not a Back-up!

H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
OneCD
Guru
Posts: 12509
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

jaysona wrote: Sun Sep 04, 2022 8:30 am Wow! This reeks badly, QNAP definitely knew (or had a very strong suspicion) that another zero-auth ransomware wave was coming. There is no other way they would have been able to get this type of release out so quickly, and on a weekend.
Yep, I've never seen them release an advisory so quickly. I'm also wondering if they had been warned this was going to happen?

raxpa
New here
Posts: 4
Joined: Sun Sep 04, 2022 3:58 pm

Re: [RANSOMWARE] Deadbolt

Post by raxpa »

I caught this malware, so without waiting I shut off my NAS. Now I need help to understand how to solve the problem and get my files back! Any idea?
deljones
Know my way around
Posts: 162
Joined: Wed Nov 16, 2011 7:26 am

Re: [RANSOMWARE] Deadbolt

Post by deljones »

Yep. This is the one that got me today. Very very dull.

I have a weekly backup and a daily snapshot; both of these are clean. I only store music and photos on the NAS, so I’ve only lost a week's worth, which is not much, and they are still on my phone so…..

I’ve done the usual that I should have done but didn’t: closed off all ports to the NAS, binned off myQNAPcloud (never liked that thing in the first place), UPnP is off. I ran the malware cleaner, which didn’t report anything!!! And my firmware has been the latest since the last update. The question now is what to do.

I have Virtualisation Station hosting my main server in an untouched VM which does have everything on it and is important.

The snapshots in VS3 have been tested and are clean, that VM is safe. However the backup facility in VS3 has stopped working, which is such a pain, but that’s another issue.

My questions are:

I can use SSH, locally of course. Can I clean up my NAS as it is now?

The deadbolt thread is very long and what I’m looking for is a step by step guide.

I can delete all the .deadbolt files.
How do I reset the admin login screen?
How do I clean out any other deadbolt mischief such as scripts, keys, etc?

I’d love to just back up my VM quickly and just reinitialise the unit, but there is trouble there as I’ve explained. Once the VS3 backup facility works I’ll probably do a full reset.

If anyone can help with an idiots guide, and I am an idiot, then I’d be really grateful to you.

Many thanks.

Dj
QNAP TS-253B with 2 x 3TB drives, 8gig RAM
Firmware 4.5.1
Running: WordPress, Piwigo, Nextcloud (20 HUB) in VS3
Subsonic & much much more!
lama01
Starting out
Posts: 15
Joined: Sat Jul 30, 2011 3:41 am

Re: [RANSOMWARE] Deadbolt

Post by lama01 »

dosborne wrote: Mon Aug 29, 2022 7:16 am
lama01 wrote: Mon Aug 29, 2022 4:02 am Well, thanks. After restoring the admin user and logging on as admin I get fewer error messages when I run SDDPd.bin

# sh SDDPd.bin
SDDPd.bin: line 7: chattr: command not found

but still http://nas_ip:8080/index.html leads to the regular QNAP NAS login page.
any idea how SDDPd.bin can be told to restore the Deadbolt landing page?
I'm afraid this is the limit to what I can offer and would just be guessing. Other than perhaps manually checking the index file to ensure that you aren't loading a cached version or some other reason. There are only a handful of reports that I have seen where running that file was possible / necessary, and it in theory should have worked.

chattr is used to change attributes on a file. In an SSH shell, if you simply type "chattr" does it output the help info?
Since in theory the program is trying to manipulate attributes on the index.html file, you could manually go check to see what attributes it currently has and perhaps open all permissions on the file (chmod 777 for example) then try running SDDPd.bin again.
In what folder should I find the index.html file?

In the [/home/httpd] folder I located an index.html.bak (created well BEFORE the Deadbolt attack) and an index.html.old (created well AFTER the Deadbolt attack, probably during one of the unsuccessful attempts to recover the start page).
Maybe this is the cause of SDDPd.bin failing to create the Deadbolt landing page?

edit: here is what I found by manual search
/home/httpd/cgi-bin/index.html (created well BEFORE deadbolt)
/home/Qhttpd/index.html (created well AFTER deadbolt)
Maybe the start page accesses the wrong one? How could it be changed?

The chattr command seems unknown, as it returns
[/home/httpd] # chattr
-sh: chattr: command not found
Kn9558
Starting out
Posts: 11
Joined: Sun Sep 04, 2022 7:38 pm

Re: [RANSOMWARE] Deadbolt

Post by Kn9558 »

Hi All,

I have been attacked by deadbolt yesterday and all my files have been appended with a deadbolt extension. I simply can’t afford to pay them as I’m going through a crisis and this is the last thing that I wanted to happen to me as I have photos of my kid in there who I lost a few years ago. I know I’m the one at fault for not creating a backup but I have reasons why I couldn’t do it so was relying on my Nas.

I am planning on using qrescue to see if I can salvage anything but I want to get rid of the program/ process first.
I just SSHed in to my Nas and I was trying to follow the procedure explained earlier in this thread but I can’t seem to find any process with a name in my mint folder.
This is what I can see. Can someone please help what do I need to do to kill the deadbolt program/process?

drwxr-xr-x 3 admin administrators 260 2022-09-04 12:21 ./
drwxr-xr-x 23 admin administrators 600 2022-09-04 12:25 ../
-rw-r--r-- 1 admin administrators 5 2008-01-11 07:32 .bash_history
-rw-r--r-- 1 admin administrators 175 2004-10-09 03:49 .bash_logout
-rw-r--r-- 1 admin administrators 161 2004-10-09 03:49 .bash_profile
-rw-r--r-- 1 admin administrators 1687 2007-07-18 11:24 .bashrc
lrwxrwxrwx 1 admin administrators 6 2022-09-04 13:13 .BitTornado -> ../tmp/
-rw-r--r-- 1 admin administrators 36 2022-09-04 12:19 .buzzer_warnning.conf
drwxrwxrwx 2 admin administrators 100 2022-09-04 12:21 .docker/
-rw-r--r-- 1 admin administrators 6526 2007-07-11 10:35 index_default.html
-rw-r--r-- 1 admin administrators 27 2007-01-29 09:47 .profile
lrwxrwxrwx 1 admin administrators 15 2022-09-04 12:19 .ssh -> /etc/config/ssh/
-rw-r--r-- 1 admin administrators 923 2022-09-04 12:15 .vimrc
-rw-r--r-- 1 admin administrators 0 2020-11-15 17:45 .nfs_fix_check
-rw-r--r-- 1 admin administrators 0 2020-11-15 17:10 .QTS.installed
-rw-r--r-- 1 admin administrators 0 2020-11-15 17:10 .QTS.installed.notice
drwxr-xr-x 2 admin administrators 4096 2022-09-01 18:42 ssl_lib/
Alexej1993
Starting out
Posts: 12
Joined: Sun Sep 04, 2022 12:38 am

Re: [RANSOMWARE] Deadbolt

Post by Alexej1993 »

I'm going to pay. Can someone give me at least an approximate answer? Did they send keys in this wave? After receiving the key, are all files decrypted?
dosborne
Experience counts
Posts: 2048
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

Kn9558 wrote: Sun Sep 04, 2022 7:47 pm I am planning on using qrescue to see if I can salvage anything but I want to get rid of the program/ process first.
I just SSHed in to my Nas and I was trying to follow the procedure explained earlier in this thread but I can’t seem to find any process with a name in my mint folder.
This is what I can see. Can someone please help what do I need to do to kill the deadbolt program/process?
QRescue will not help you. It is not for Deadbolt. But, you can try, just don't expect it to work.

Check in


ls -al /share/CACHEDEV1_DATA/

Use "ps -ef" to check the running processes and you can "kill -9" the process id of anything deadbolt related.

I will take this opportunity to point people again to the first post in this thread and also this post viewtopic.php?f=45&t=164797&start=1380#p825512 that contain a lot of information on Deadbolt and how to protect your data.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Kn9558
Starting out
Posts: 11
Joined: Sun Sep 04, 2022 7:38 pm

Re: [RANSOMWARE] Deadbolt

Post by Kn9558 »

dosborne wrote: Sun Sep 04, 2022 9:03 pm
Kn9558 wrote: Sun Sep 04, 2022 7:47 pm I am planning on using qrescue to see if I can salvage anything but I want to get rid of the program/ process first.
I just SSHed in to my Nas and I was trying to follow the procedure explained earlier in this thread but I can’t seem to find any process with a name in my mint folder.
This is what I can see. Can someone please help what do I need to do to kill the deadbolt program/process?
QRescue will not help you. It is not for Deadbolt. But, you can try, just don't expect it to work.

Check in


ls -al /share/CACHEDEV1_DATA/

Use "ps -ef" to check the running processes and you can "kill -9" the process id of anything deadbolt related.

I will take this opportunity to point people again to the first post in this thread and also this post viewtopic.php?f=45&t=164797&start=1380#p825512 that contain a lot of information on Deadbolt and how to protect your data.
Thanks, just checked again and this is what I get:

drwxr-xr-x 9 admin administrators 4096 2022-09-03 04:22 ./
drwxr-xr-x 11 admin administrators 240 2022-09-04 12:19 ../
-rwxr-xr-x 1 admin administrators 1096436 2022-09-03 04:22 5184*


but when I do "kill 5184" it says "No such process". I have checked in Resource Monitor and there is no 5184 running.
dosborne
Experience counts
Posts: 2048
Joined: Tue May 29, 2018 3:02 am
Location: Everywhere I go, there I am.

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

"5184" is likely the encrypter/decrypter then.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
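The checks dosborne describes above (list the share root, inspect `ps -ef`, then deal with anything Deadbolt-related) as one triage script. This is an added example, not code from the thread or from QNAP. It assumes the QTS share root is /share/CACHEDEV1_DATA as in the thread (pass another directory as the first argument to override), and that the NAS's BusyBox `find` accepts `-maxdepth` and octal `-perm`. It only reports: it never kills or deletes anything, so you can copy the dropped binary (the thread found one named "5184" in the share root) somewhere safe before running `kill -9` on its PID or cleaning up.

```shell
#!/bin/sh
# Deadbolt triage helper (added example; not QNAP tooling, not from the thread).
# Reports the indicators discussed in the thread: .deadbolt files, executables
# dropped directly in the share root, and running processes that reference it.
# Default share root is an assumption taken from the thread's ls output.

DEFAULT_SHARE=/share/CACHEDEV1_DATA

count_deadbolt_files() {
    # Number of regular files under $1 with the .deadbolt extension.
    find "${1:-$DEFAULT_SHARE}" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

list_root_executables() {
    # Executable regular files sitting directly in the share root (one per line).
    # Legitimate data lives in share folders below it; a loose executable here
    # is exactly what the thread's "5184" file looked like.
    find "${1:-$DEFAULT_SHARE}" -maxdepth 1 -type f -perm -100 2>/dev/null | sort
}

suspect_pids() {
    # PIDs of processes whose "ps -ef" line mentions the share root, the same
    # "ps -ef | grep" check from the thread, minus this awk process itself.
    # Capture /proc/<pid>/exe and /proc/<pid>/cmdline before any "kill -9 <pid>".
    dir="${1:-$DEFAULT_SHARE}"
    ps -ef 2>/dev/null | awk -v d="$dir" 'NR > 1 && index($0, d) > 0 && $0 !~ /awk/ { print $2 }'
}

triage() {
    # Human-readable summary of all three checks for the given share root.
    dir="${1:-$DEFAULT_SHARE}"
    echo "share root: $dir"
    echo "encrypted (.deadbolt) files: $(count_deadbolt_files "$dir")"
    echo "executables in share root:"
    list_root_executables "$dir" | sed 's/^/  /'
    echo "running processes referencing the share root:"
    suspect_pids "$dir" | sed 's/^/  pid /'
}

# Usage: sh deadbolt_triage.sh [/share/CACHEDEV1_DATA]
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Run it over SSH on the NAS itself; the count tells you how far the encryption got, the executable list is what to preserve and then remove, and the PID list is what to inspect and kill before any cleanup or before trying a decryptor.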
Kn9558
Starting out
Posts: 11
Joined: Sun Sep 04, 2022 7:38 pm

Re: [RANSOMWARE] Deadbolt

Post by Kn9558 »

dosborne wrote: Sun Sep 04, 2022 9:57 pm "5184" is likely the encrypter/decrypter then.
So does that mean there isn't anything Deadbolt-related running on my machine and I can give QRescue a go? I have read the first post and other related posts but I can't seem to figure out what other Deadbolt-related processes or files I should be looking for, and where.
Last edited by Kn9558 on Sun Sep 04, 2022 10:32 pm, edited 1 time in total.
deljones
Know my way around
Posts: 162
Joined: Wed Nov 16, 2011 7:26 am

Re: [RANSOMWARE] Deadbolt

Post by deljones »

So it is advised to completely reset and restore your NAS rather than kill, delete anything deadbolt related?

If I can I’m trying to not do a full reset as I have a VM which VS3 will not backup. Grrrrrrr!

I do have a full backup of all my other stuff, so if I can just rm all the infected .deadbolt files, clean up the NAS and restore my backup, would that work?

I can’t seem to find a step by step for cleaning up the mess rather than a reset. Difficult I know as we can’t say what else is hiding on the disc.

There is lots of good info on what to do if you are paying etc and resetting the NAS so I’m guessing there is nothing in between?

Thanks gang

Dj
QNAP TS-253B with 2 x 3TB drives, 8gig RAM
Firmware 4.5.1
Running: WordPress, Piwigo, Nextcloud (20 HUB) in VS3
Subsonic & much much more!
Alexej1993
Starting out
Posts: 12
Joined: Sun Sep 04, 2022 12:38 am

Re: [RANSOMWARE] Deadbolt

Post by Alexej1993 »

Alexej1993 wrote: Sun Sep 04, 2022 4:37 am
OneCD wrote: Sun Sep 04, 2022 3:33 am
Montana1701 wrote: Sun Sep 04, 2022 3:18 am I have paid. I looked in transaction but can't find OP_RETURN. Is someone there which can help me?

Here is the transaction detail.

Transaction Hash: a5578192fb895a48872a9a007f479242c89d765e5e4b378765937f52afc4c5b9
Your decryption key is: f50306f3bcfb77eb605f61abbc23062c
let us know if it worked
I would be interested to know if it has completely lost all the data or only part of it


Hi
Can I ask you to help me find the OP_RETURN key, because the one I have is not working?
Transaction hash

ae6b17d241b7c716341fbc3b6f674239fa1c7708a61f86926e4a379dbba60621
https://www.blockchain.com/btc/tx/ae6b1 ... 9dbba60621
:roll:
Last edited by Alexej1993 on Sun Sep 04, 2022 10:57 pm, edited 2 times in total.
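Two posters in this thread (Montana1701 above, and Alexej1993 here) paid and then could not find the OP_RETURN output in their transaction by eye. The decryption key the thread quotes is 32 hex characters, i.e. a 16-byte payload. The parser below is an added example, not code from the thread or from QNAP: it walks the legacy (pre-SegWit) raw transaction format and returns every OP_RETURN data push as hex, so you can feed it the raw hex a block explorer shows for your transaction hash. The sample transaction it ships with is constructed inline; its previous txid, amounts and payload are made up and are not the values quoted in this thread. If the explorer gives you a SegWit serialization, the parser refuses it rather than misreading it.

```python
"""Pull OP_RETURN payloads out of a raw Bitcoin transaction.

Added example, not from the thread or QNAP. Handles the legacy (pre-SegWit)
serialization only. The sample transaction below is constructed for the
demo; nothing in it is a real txid, address or Deadbolt key.
"""
import hashlib
import struct

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def read_varint(buf, pos):
    """Decode a CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    fmt, width = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width


def parse_tx(raw):
    """Parse a legacy raw transaction into version, inputs, outputs and locktime."""
    if raw[4] == 0x00 and raw[5] == 0x01:
        raise ValueError("SegWit marker present; fetch the legacy serialization instead")
    version = struct.unpack_from("<i", raw, 0)[0]
    n_in, pos = read_varint(raw, 4)
    inputs = []
    for _ in range(n_in):
        prev_txid = raw[pos:pos + 32][::-1].hex()            # wire order is byte-reversed
        prev_index = struct.unpack_from("<I", raw, pos + 32)[0]
        script_len, pos = read_varint(raw, pos + 36)
        pos += script_len + 4                                 # skip scriptSig and sequence
        inputs.append({"txid": prev_txid, "vout": prev_index})
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]         # satoshis
        script_len, pos = read_varint(raw, pos + 8)
        outputs.append({"value": value, "script_pubkey": raw[pos:pos + script_len]})
        pos += script_len
    locktime = struct.unpack_from("<I", raw, pos)[0]
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after locktime: not one legacy transaction")
    return {"version": version, "inputs": inputs, "outputs": outputs, "locktime": locktime}


def op_return_payloads(script):
    """Data pushes following OP_RETURN in a scriptPubKey; [] if not an OP_RETURN output."""
    if not script or script[0] != OP_RETURN:
        return []
    pushes, pos = [], 1
    while pos < len(script):
        op, pos = script[pos], pos + 1
        if 1 <= op <= 0x4B:                                   # direct push of 1..75 bytes
            size = op
        elif op == OP_PUSHDATA1:
            size, pos = script[pos], pos + 1
        elif op == OP_PUSHDATA2:
            size, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
        elif op == OP_PUSHDATA4:
            size, pos = struct.unpack_from("<I", script, pos)[0], pos + 4
        else:
            break                                             # not a plain data push
        pushes.append(script[pos:pos + size])
        pos += size
    return pushes


def extract_op_return_hex(raw_hex):
    """Every OP_RETURN payload in the transaction, as lowercase hex strings."""
    tx = parse_tx(bytes.fromhex(raw_hex))
    return [p.hex() for out in tx["outputs"] for p in op_return_payloads(out["script_pubkey"])]


def txid(raw_hex):
    """Legacy txid: double SHA-256 of the serialization, shown byte-reversed.
    Compare it with the hash from the explorer to be sure you parsed the right tx."""
    raw = bytes.fromhex(raw_hex)
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()


def build_sample_tx(payload):
    """Constructed legacy tx: one dummy input, one dummy P2PKH output, one OP_RETURN output."""
    prev_txid = bytes.fromhex("11" * 32)                     # made-up previous txid (assumption)
    tx = struct.pack("<i", 1) + b"\x01"                      # version 1, one input
    tx += prev_txid + struct.pack("<I", 0) + b"\x00" + struct.pack("<I", 0xFFFFFFFF)
    p2pkh = bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")  # dummy pubkey hash
    op_ret = bytes([OP_RETURN, len(payload)]) + payload      # direct push; payload <= 75 bytes
    tx += b"\x02"                                            # two outputs
    tx += struct.pack("<q", 546) + bytes([len(p2pkh)]) + p2pkh
    tx += struct.pack("<q", 0) + bytes([len(op_ret)]) + op_ret
    return (tx + struct.pack("<I", 0)).hex()                 # locktime 0


SAMPLE_PAYLOAD = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real key
SAMPLE_TX_HEX = build_sample_tx(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("txid:", txid(SAMPLE_TX_HEX))
    for hex_payload in extract_op_return_hex(SAMPLE_TX_HEX):
        print(f"OP_RETURN payload ({len(hex_payload) // 2} bytes): {hex_payload}")
```

Paste the raw hex of your own transaction into `extract_op_return_hex` and check that `txid` matches the hash you expect; a payload that is not 16 bytes, or a transaction with no OP_RETURN output at all, means you are looking at the wrong transaction (typically your payment rather than the attacker's follow-up), not a broken key.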