[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- New here
- Posts: 9
- Joined: Tue Jul 05, 2016 5:32 pm
Re: [RANSOMWARE] Deadbolt
Hi,
Can someone post a step by step guide for removing deadbolt from a NAS 451 (or similar) instead of requesting for QNAP to remote connect and do it? Do you have to ssh in to the box?
- dolbyman
- Guru
- Posts: 36122
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Bankbiljet wrote: ↑Fri Jan 28, 2022 12:01 am Ok.. in short... a lot of the files on my NAS (TS-453A) are infected.
They are encrypted not infected ... try to recover them with the qrescue program (after malware remover has removed the active infection)
https://www.qnap.com/static/landing/202 ... rescue/en/
Then kill the NAS and start from scratch .. have backups in the future ..
- dolbyman
- Guru
- Posts: 36122
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Has been explained many times in this thread .. it's a forum not a chat
viewtopic.php?f=45&t=164797&start=165#p808909
-
- New here
- Posts: 9
- Joined: Tue Jul 05, 2016 5:32 pm
Re: [RANSOMWARE] Deadbolt
dolbyman wrote: ↑Fri Jan 28, 2022 12:13 am Has been explained many times in this thread .. it's a forum not a chat
viewtopic.php?f=45&t=164797&start=165#p808909
Yes, but a bit here and bit there, all over the shop, if there were a simple step by step in one place there is a good chance people would use it instead of waiting for QNAP.
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3.
This means the reported vulnerability (https://www.qnap.com/en/security-advisory/qsa-21-57) is not the one being exploited right now.
We only have QVPN and the WebUI open to the internet, so it has to be through one of these two services.
- dolbyman
- Guru
- Posts: 36122
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
WebUi is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Agreed, that's why we have snapshots and offsite backups; know your risks and mitigate. But with no one at the office anymore, not having the webui available makes it really hard to manage the nas.
We use VPN for other stuff. I had to disable OpenVPN completely a few weeks back because we got compromised through it ( shell expansion....like, seriously QNAP, that's like a 10yo exploit ). QNAP needs to remove all marketing regarding using these devices online for the common people. No way most SMBs understand the risks involved.
Last edited by dgagnon on Fri Jan 28, 2022 12:31 am, edited 1 time in total.
- dolbyman
- Guru
- Posts: 36122
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Why would you not use the VPN to manage the NAS? .. sorry that makes no sense
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
-
- New here
- Posts: 3
- Joined: Tue Apr 22, 2014 8:54 am
Re: [RANSOMWARE] Deadbolt
Of course but now with a bit less urgency. My backups are remotely located.
SimonKenoby wrote: ↑Thu Jan 27, 2022 11:54 pm The good thing for me is that encrypted files are not the important one, the bad thing is as they are not important I didn't have any backup like the more important...
How did you identify those files as encrypted?
-
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 12:40 am
Re: [RANSOMWARE] Deadbolt
We have a client that has this issue, but no instructions file.
Not in the shares nor /mnt/HDA_ROOT etc.
Anyone an idea where to search?
We also searched with find etc. to look in files for bitcoin etc. but no luck.
Some files are not encrypted... But the most part is...
- dolbyman
- Guru
- Posts: 36122
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues, before you give up and invite the world to infect your NAS
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Mine never crashes either. But that's legacy stuff I inherited. I am not retraining 25 tech-illiterate employees on how to use a different vpn configuration, plus adding additional systems that need to be managed ( i.e. redundant pfSense or openvpn AS ). I understand the risks, they are mitigated and I've said so. What are you harping about? I don't see any added value to your comment, you are just repeating the same thing over while complaining others are asking for things to be repeated O_o ?
I am reporting this information to assist QNAP and other users in identifying the source of the compromise.
Moreover, QNAP advertises these as internet-connected devices. If that is not true, then it's false advertising and they open themselves to suits. I run hundreds of internet facing web applications. It is doable and all it takes is a bit of security engineering.
-
- Starting out
- Posts: 15
- Joined: Thu Jan 27, 2022 2:15 am
Re: [RANSOMWARE] Deadbolt
I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice, the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them on another HDD and then deal with the NAS and the NAS HDDs (while I'll keep the NAS disconnected from the internet)
After this, I'll come back and ask for advice on how to protect & back up my NAS
-
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 1:01 am
Re: [RANSOMWARE] Deadbolt
Hello, I had the same issue with my media composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time, he said that that was the only way, and now if I'm willing to proceed with my project using Avid media composer, the only available solution is to replace my QNAP NAS with Avid Nexis