[RANSOMWARE] >>READ 1st Post<< Deadbolt

jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

Hi,

Can someone post a step by step guide for removing deadbolt from a NAS 451 (or similar) instead of requesting for QNAP to remote connect and do it? Do you have to ssh in to the box?
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Bankbiljet wrote: Fri Jan 28, 2022 12:01 am Ok.. in short... a lot of the files on my NAS (TS-453A) are infected.
They are encrypted not infected ... try to recover them with the qrescue program (after malware remover has removed the active infection)

https://www.qnap.com/static/landing/202 ... rescue/en/

Then kill the NAS and start from scratch .. have backups in the future ..
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

jswain wrote: Fri Jan 28, 2022 12:02 am Hi,

Can someone post a step by step guide for removing deadbolt from a NAS 451 (or similar) instead of requesting for QNAP to remote connect and do it? Do you have to ssh in to the box?
Has been explained many times in this thread .. it's a forum not a chat

viewtopic.php?f=45&t=164797&start=165#p808909
jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

dolbyman wrote: Fri Jan 28, 2022 12:13 am
jswain wrote: Fri Jan 28, 2022 12:02 am Hi,

Can someone post a step by step guide for removing deadbolt from a NAS 451 (or similar) instead of requesting for QNAP to remote connect and do it? Do you have to ssh in to the box?
Has been explained many times in this thread .. it's a forum not a chat

viewtopic.php?f=45&t=164797&start=165#p808909
Yes, but a bit here and a bit there, all over the shop. If there were a simple step by step in one place, there is a good chance people would use it instead of waiting for QNAP.
dgagnon
Starting out
Posts: 16
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon »

Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3.

This means the reported vulnerability (https://www.qnap.com/en/security-advisory/qsa-21-57) is not the one being exploited right now.

We only have QVPN and the WebUI open to the internet, so it has to be through one of these two services.
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

WebUi is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh
dgagnon
Starting out
Posts: 16
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon »

dolbyman wrote: Fri Jan 28, 2022 12:21 am WebUi is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh
Agreed, that's why we have snapshots and offsite backups; know your risks and mitigate. But with no one at the office anymore, not having the webui available makes it really hard to manage the nas.

We use VPN for other stuff. I had to disable OpenVPN completely a few weeks back because we got compromised through it ( shell expansion....like, seriously QNAP, that's like a 10yo exploit ). QNAP needs to remove all marketing regarding using these devices online for the common people. No way most SMBs understand the risks involved.
Last edited by dgagnon on Fri Jan 28, 2022 12:31 am, edited 1 time in total.
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Why would you not use the VPN to manage the NAS? .. sorry that makes no sense
dgagnon
Starting out
Posts: 16
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon »

dolbyman wrote: Fri Jan 28, 2022 12:30 am Why would you not use the VPN to manage the NAS? .. sorry that makes no sense
Because the service sometimes crashes and we have to reboot the nas.
Kal Rubinson
New here
Posts: 3
Joined: Tue Apr 22, 2014 8:54 am

Re: [RANSOMWARE] Deadbolt

Post by Kal Rubinson »

dolbyman wrote: Thu Jan 27, 2022 11:52 pm Leaving the system as is would be crazy...reinfection could be only a matter of time
kill the NAS..restore from backups (has been said many times throughout the thread)
and of course disable all port forwards and upnp
Of course but now with a bit less urgency. My backups are remotely located.
SimonKenoby wrote: Thu Jan 27, 2022 11:54 pm The good thing for me is that encrypted files are not the important ones, the bad thing is as they are not important I didn't have any backup like the more important...
How did you identify those files as encrypted?
kavaa
First post
Posts: 1
Joined: Fri Jan 28, 2022 12:40 am

Re: [RANSOMWARE] Deadbolt

Post by kavaa »

We have a client that has this issue, but no instructions file.

Not in the shares nor /mnt/HDA_ROOT etc.

Does anyone have an idea where to search?

We also searched with find etc. to look in files for bitcoin etc. but no luck.

Some files are not encrypted... But most are...
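Added example, not part of any post in this thread: one way to sort the files on a share into "encrypted" and "no sign of encryption" before restoring, which is the question raised in the two posts above. It assumes encrypted files carry a `.deadbolt` suffix (not stated in this thread) and uses a constructed entropy cut-off as a second indicator for files without that suffix.

```python
import math
import os
import sys
from collections import Counter

# Assumption (not stated in the thread): Deadbolt-encrypted files carry this suffix.
ENCRYPTED_SUFFIX = ".deadbolt"
# Headers of compressed formats, where high entropy is normal. A surviving header
# only shows that the start of the file was not overwritten.
KNOWN_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF", b"\x1f\x8b", b"ID3")
SAMPLE_BYTES = 64 * 1024
ENTROPY_THRESHOLD = 7.5  # bits per byte; constructed cut-off, tune for your data

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: str) -> str:
    """Label one file by suffix first, then by header and sampled entropy."""
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted-suffix"
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    if head.startswith(KNOWN_MAGIC):
        return "no-indicator"
    # Very small samples give unreliable entropy, so they are not flagged.
    if len(head) >= 1024 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "suspect-high-entropy"
    return "no-indicator"

def triage(root: str) -> dict:
    """Walk a directory tree read-only and group file paths by label."""
    report = {"encrypted-suffix": [], "suspect-high-entropy": [],
              "no-indicator": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                report[classify(full)].append(full)
    return report

if __name__ == "__main__":
    for label, paths in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{label}: {len(paths)}")
```

The script only reads files, so it can be run against a mounted copy of the share; the "suspect-high-entropy" list needs manual review because unknown compressed formats land there too.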
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

dgagnon wrote: Fri Jan 28, 2022 12:32 am
dolbyman wrote: Fri Jan 28, 2022 12:30 am Why would you not use the VPN to manage the NAS? .. sorry that makes no sense
Because the service sometimes crashes and we have to reboot the nas.
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues, before you give up and invite the world to infect your NAS
dgagnon
Starting out
Posts: 16
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon »

dolbyman wrote: Fri Jan 28, 2022 12:46 am
dgagnon wrote: Fri Jan 28, 2022 12:32 am
dolbyman wrote: Fri Jan 28, 2022 12:30 am Why would you not use the VPN to manage the NAS? .. sorry that makes no sense
Because the service sometimes crashes and we have to reboot the nas.
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues, before you give up and invite the world to infect your NAS
Mine never crash either. But that's legacy stuff I inherited. I am not retraining 25 tech-illiterate employees on how to use a different VPN configuration, plus adding additional systems that need to be managed (i.e. redundant pfSense or OpenVPN AS). I understand the risks, they are mitigated and I've said so. What are you harping about? I don't see any added value to your comment, you are just repeating the same thing over while complaining others are asking for things to be repeated O_o ?

I am reporting this information to assist QNAP and other users in identifying the source of the compromise.

Moreover, QNAP advertises these as internet-connected devices. If that is not true, then it's false advertising and they open themselves to suits. I run hundreds of internet-facing web applications. It is doable and all it takes is a bit of security engineering.
Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice, the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them to another HDD and then deal with the NAS and the NAS HDDs (while I keep the NAS disconnected from the internet).
After this, I'll come back and ask for advice on how to protect and back up my NAS.
Davinvi
First post
Posts: 1
Joined: Fri Jan 28, 2022 1:01 am

Re: [RANSOMWARE] Deadbolt

Post by Davinvi »

Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time, he said that that was the only way, and now, if I'm willing to proceed with my project using Avid Media Composer, the only available solution is to replace my QNAP NAS with Avid Nexis.