[RANSOMWARE] >>READ 1st Post<< Deadbolt

mustard
Getting the hang of things
Posts: 94
Joined: Sat Jun 15, 2013 7:24 pm

Re: [RANSOMWARE] Deadbolt

Post by mustard »

FSC830 wrote: Fri Feb 04, 2022 3:45 pm
mustard wrote: Fri Feb 04, 2022 3:24 pm ...
This can be a very hostile forum! I'm fully aware of the difference between dynamic and static IPs and where you're likely to have them. How about answering the question I was asking rather than lecturing me about a question I wasn't asking and not treating me like I'm an idiot?
This was not my intention, but reading the mess of statements some gave for "safe" access to the internet made me feel that there are a lot of guys who really do not know what they are doing!
If you have dedicated locations with static IP use site-2-site VPN as mentioned some posts ago.
And as I said IPs can be spoofed, so white- or blacklisting is not a real protection!

Regards
Thank you for that. Nice to see cooler communication prevailing.

I understand IPs can be spoofed, but it's not something I'm overly concerned about. I'd have to be specifically targeted for that to happen, which seems vanishingly unlikely. Plus I wouldn't be opening ports with high-risk services running on the other side. I appreciate that this means that the NAS is technically exposed, but I feel the risk would be extremely negligible. Having said that, I'd only be doing this for the times I needed access remotely, and I'll probably set up the VPN option if I can find the time. There's no such thing as zero risk, so I guess it comes down to how much risk you're comfortable with. My NAS is fully locked down at the minute anyway and has been since before Deadbolt.
dolbyman
Guru
Posts: 37324
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

xhunter wrote: Sat Feb 05, 2022 3:09 am 1. how do I 100% make sure I am not infected
2. are there any updates I am missing to be protected.
3. should I be going for the Antivirus and/or QuFirewall
1. without port forwards or upnp, you won't be infected with deadbolt or qlocker
2. Just check the QNAP website for your (unknown) model
3. forget about both
rtioghl
New here
Posts: 6
Joined: Thu Jan 27, 2022 8:31 pm

Re: [RANSOMWARE] Deadbolt

Post by rtioghl »

Hi, I figured I'd paste my support ticket question here too.

My NAS was infected with Deadbolt.

I had two storage pools: disks 1 & 2 in RAID1 and disk 3 as Single. I had powered off the NAS after noticing it was infected and taking a screenshot of the ransom note. Today I powered it on, and updated the firmware through Qfinder.

Now my RAID1 is showing an "Error (Not active)" and its disks say "Disk does not exist."

None of the files on disk 3 are encrypted.

After powering off the NAS I did connect the two drives to my PC thinking I could see what files were encrypted. I then realized I cannot open them since they are in Ext4. I did not accidentally format them or anything like that.

What should I try to get the RAID1 working again?

EDIT: I also cannot remove deadbolt because I cannot open Malware Remover as it is installed on the missing disk and there is not an option to migrate it to the other drive.
Last edited by rtioghl on Sat Feb 05, 2022 5:00 am, edited 1 time in total.
dolbyman
Guru
Posts: 37324
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

You cannot just take NAS disks out and read them in any OS; that's why you need to have EXTERNAL backups at all times...

Search the forum on how to read the NAS drives (including the LVM layer) on Linux (best to get some help)
P3R
Guru
Posts: 13225
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

xhunter wrote: Sat Feb 05, 2022 3:09 am ...forced https on web connections (don't know if that is just smoke screen).
It's important on the Internet (but the Qnap shouldn't be exposed there). On a secure local network it's of less importance, but it is easy to do, so why not.
I only had myQNAPCloud...
Only the DDNS part of myQNAPcloud I hope.
...and Qbelt turned on for remote VPN connections...
I recommend that you switch to a different VPN solution implemented on your Internet-facing router/firewall or on a separate device but stop using QBelt and QVPN for these reasons.
  1. Qbelt is a proprietary Qnap VPN protocol, but the consensus in the security community is that encryption protocols must never be proprietary. An encryption protocol should be openly published so that many researchers can study it and test for vulnerabilities. The secret should only be in the encryption key used, never in the protocol.
  2. QVPN is Qnap software that recently had a very bad code-injection vulnerability. No, that doesn't mean that it's insecure today, but given the complete Qnap security vulnerability history, I'd only recommend it to masochists.
I only connected the NAS to internet today and I want to make sure I don't get infected, I saw a few posts from people on the same firmware who were infected but QNAP is not offering any firmware updates on the machine or on the website.
The software that we hope is secure from Deadbolt is listed here.
1. how do I 100% make sure I am not infected
You get to 99% simply by not port forwarding (that includes QBelt/QVPN) and disabling UPnP in both your router and Qnap.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
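The advice in the two posts above is to have no port forwards and to disable UPnP on both the router and the NAS. A quick way to verify the router side is to ask the router's UPnP Internet Gateway Device service for the port-mapping table it currently holds and flag any entry that points at a NAS service port. The script below is an added example, not code from the thread or from QNAP: it assumes the router's WANIPConnection control URL is known (CONTROL_URL is a placeholder; `upnpc -l` from miniupnpc prints it along with the mappings), and the SOAP responses it parses in the demo are constructed here, not captured from a real router.

```python
"""Enumerate a UPnP-IGD router's port-mapping table and flag NAS-style ports.

Added example. CONTROL_URL is a placeholder and SAMPLE_RESPONSES are constructed;
the SOAP action and field names are the standard WANIPConnection:1 ones."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"   # placeholder, take it from 'upnpc -l'

# Ports QTS and common add-ons listen on. Forwarding any of these is a finding.
NAS_PORTS = {8080: "QTS HTTP", 443: "QTS HTTPS", 22: "SSH", 21: "FTP",
             445: "SMB", 873: "rsync", 1194: "OpenVPN", 1723: "PPTP"}


def soap_request(index: int) -> bytes:
    """SOAP body asking for table entry number `index`."""
    return (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>').encode()


def local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_mapping(xml_text: str):
    """One mapping as a dict, or None when the router returns a SOAP fault.
    Error 713 (SpecifiedArrayIndexInvalid) is how the end of the table is signalled."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) == f"{ACTION}Response":
            f = {local(c.tag): (c.text or "") for c in el}
            return {"remote_host": f.get("NewRemoteHost", ""),
                    "external_port": int(f["NewExternalPort"]),
                    "protocol": f["NewProtocol"],
                    "internal_port": int(f["NewInternalPort"]),
                    "internal_client": f["NewInternalClient"],
                    "enabled": f.get("NewEnabled", "1") == "1",
                    "description": f.get("NewPortMappingDescription", "")}
    return None


def enumerate_mappings(fetch) -> list:
    """Walk indexes 0, 1, 2... until the router faults. fetch(index) returns response XML."""
    mappings, index = [], 0
    while True:
        m = parse_mapping(fetch(index))
        if m is None:
            return mappings
        mappings.append(m)
        index += 1


def http_fetch(control_url: str = CONTROL_URL):
    """Live fetcher for enumerate_mappings(); SOAP faults arrive as HTTP 500 with a body."""
    def fetch(index: int) -> str:
        req = urllib.request.Request(control_url, data=soap_request(index), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.read().decode()
    return fetch


def audit(mappings: list) -> list:
    """(internal_client, internal_port, service) for every enabled mapping onto a NAS port."""
    return [(m["internal_client"], m["internal_port"], NAS_PORTS[m["internal_port"]])
            for m in mappings if m["enabled"] and m["internal_port"] in NAS_PORTS]


# --- constructed sample responses, standing in for a router that holds three mappings ---
def _mapping_xml(ext, proto, internal, client, enabled, desc):
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>{enabled}</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>')

FAULT_713 = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
             '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
             '</detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [_mapping_xml(8080, "TCP", 8080, "192.168.1.20", 1, "QNAP NAS web"),
                    _mapping_xml(32400, "TCP", 32400, "192.168.1.20", 1, "Plex"),
                    _mapping_xml(443, "TCP", 443, "192.168.1.20", 0, "old https"),
                    FAULT_713]


def demo() -> list:
    return audit(enumerate_mappings(lambda i: SAMPLE_RESPONSES[i]))


if __name__ == "__main__":
    print(demo())   # swap in http_fetch() to query a real router
```

In the constructed table the QTS web port forwarded to the NAS is the only finding: the Plex mapping goes to a non-NAS-service port and the disabled 443 entry is skipped. Against a real router, call `enumerate_mappings(http_fetch())`; an empty list, with UPnP also switched off on the NAS, is the state the posts above describe.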
P3R
Guru
Posts: 13225
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

mustard wrote: Sat Feb 05, 2022 3:21 am Plus I wouldn't be opening ports with high-risk services running on the other side.
Which do you consider as high and low risk?
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] Deadbolt

Post by QNAPDanielFL »

Kris_MaxisInvest wrote: Sat Feb 05, 2022 1:05 am My Ticket Number is:
Q-202201-57103

Hope you can make the difference
Support has now responded to set up a remote session.
mustard
Getting the hang of things
Posts: 94
Joined: Sat Jun 15, 2013 7:24 pm

Re: [RANSOMWARE] Deadbolt

Post by mustard »

P3R wrote: Sat Feb 05, 2022 5:11 am
mustard wrote: Sat Feb 05, 2022 3:21 am Plus I wouldn't be opening ports with high-risk services running on the other side.
Which do you consider as high and low risk?
That's my risk and my concern.
Hypernurd
New here
Posts: 4
Joined: Sat Feb 05, 2022 9:15 am

Re: [RANSOMWARE] Deadbolt

Post by Hypernurd »

Sad to say that I have been affected by Deadbolt. I was just wondering if anyone has experience of paying the ransom and recovering their files/NAS systems?

So far I have removed port forwarding and UPnP pass-through on the router and have downloaded and installed the latest 5.0.0.1891 firmware build. I have not run the Malware Remover yet, so at present the Deadbolt ransom demand home screen is still live.

I have some backups (Hybrid Backup to Cloud) but not for all my data, most of which is video that I never got around to backing up due to the amount (40TB).

I will probably pay the ransom, but I definitely won't be reopening my NAS for remote access and I won't be buying another QNAP, that's for sure. Nor will I be recommending them to my clients.

Any help/advice greatly received.
Markus1980Wien
New here
Posts: 3
Joined: Sat Feb 05, 2022 11:44 am

The deadbolt infection of my client, and how I bought the key to decrypt the files

Post by Markus1980Wien »

The deadbolt infection of my client, and how I bought the key to decrypt

1. My QNAP was quite old. Many things were not working as planned. Although I had configured QNAP to Auto-Update, this feature was not working correctly. I always had to update manually whenever I logged in to the GUI.
2. Although I had configured "HBS3 Hybrid Backup Sync" to do a weekly backup to Microsoft OneDrive, the job started and ran for a while, but always failed after running an hour or so.
3. I had done a manual backup in November 2021 to another QNAP in the same office. This backup was OK, but quite old.
4. I told the client that the QNAP was having problems doing the backup, and I recommended buying a new one.
5. The client bought a new QNAP in December 2021, but this new QNAP was defective. It did not turn on after pressing the power-on button.
6. The client sent the new QNAP back to the shop where they had bought it.
7. While waiting for a replacement the client was hit by Deadbolt.
8. Yes, port 8080 was open to the internet, because the client used this feature to be able to access their files from everywhere. This feature was one of the reasons they bought a QNAP.
9. After I had noticed that the client was infected, I took a screenshot of the hijacked login page, added "cgi-bin/index.cgi" to the URL, logged in with my user (2FA) and shut down the QNAP.
10. QNAP support was not very helpful. After waiting for days, and my client saying they would pay and hoped to get their files back, I decided to do so even without the help of QNAP support.
11. I am still waiting for QNAP support to get back to the opened ticket.
12. I live in Austria and had never bought bitcoins before. I created a new Bitpanda.at account and transferred € 1.100,-- to the Bitpanda account.
13. After having transferred the Euros to the Bitpanda account I bought 0.0324 bitcoins, just to be on the safe side and have enough bitcoins for the 0.03 bitcoins requested by the criminals and the fees for the bitcoin transfer services.
14. I made the payment to the address stated on my hijacked login page.
15. I opened https://blockchain.com/explorer and entered the blockchain address to which I had sent the bitcoins.
16. It took some minutes until I could see my transaction in "Explorer". (2022-02-04 15:01 CET)
17. It took several hours until the transaction was confirmed 6 times. It seems to be important that the transaction is confirmed by six other parties.
18. About 5 hours later I could see in "Explorer" that another transaction had been made to the blockchain address. (2022-02-04 20:20 CET)
19. I clicked on details and searched for an "OP_RETURN" but was not able to find it easily. Finally I found an OP_RETURN code.
20. I entered the OP_RETURN code into the "Enter your decryption key here..." field on the hijacked login page but nothing happened. I thought maybe there is no visual confirmation when I enter the correct code and went to bed.
21. This morning there was still no change in the hijacked login page.
22. I downloaded Emsisoft "Decrypter for Deadbolt" (https://www.emsisoft.com/ransomware-dec ... s/deadbolt) and installed it on a local computer.
23. I copied a folder with encrypted files from my QNAP to my C: drive, because "Emsisoft Decryptor for Deadbolt" can decrypt only local files. This tool does not see my mapped network drives.
24. When starting "Emsisoft Decryptor for Deadbolt" the program asks for the decryption key. I entered the key, selected the local folder with my encrypted files and clicked the button "Decrypt". The tool stated that the entered key was wrong, and I was not able to decrypt the files.
25. I checked "https://blockchain.com/explorer" again, to see that there was a third transaction to the address, done at 2022-02-05 01:42 CET.
26. I clicked on the hash link to see details for this transaction, and now there was an easy-to-find OP_RETURN code.
27. I entered the new OP_RETURN code again into the "Enter your decryption key here..." field on the hijacked login page, but again nothing happened.
28. I entered the new OP_RETURN code once again into "Emsisoft Decryptor for Deadbolt" and clicked on the button "Decrypt". This time the decryption worked correctly and I got the files back.
29. I logged into my router and allowed internet access for the QNAP.
30. I logged into my QNAP by adding "/cgi-bin/index.cgi" to the URL and opened "Malware Remover", which found and quarantined Deadbolt.
31. QNAP requested a reboot after the scan for malware with "Malware Remover" finished.
32. When all files from the old QNAP are copied and decrypted to another place, I will format/reset the old QNAP to factory defaults.
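Steps 15 to 28 above describe finding the key by reading the OP_RETURN output of the transaction sent back to the payment address. Doing that in a block explorer is fiddly, as the post shows; the same extraction can be done from the raw transaction hex the explorer exposes. The script below is an added example, not code from the post, from QNAP or from Emsisoft: it parses a raw Bitcoin transaction and returns every OP_RETURN payload as hex and, where the bytes are printable, as ASCII. The sample transaction is constructed in the script (it is not a Deadbolt transaction), the 32-byte payload is a placeholder, and how those bytes map onto the string the decryptor expects is not documented on this page, so that is left as an assumption.

```python
"""Extract OP_RETURN payloads from a raw Bitcoin transaction.

Added example. SAMPLE_PAYLOAD and the transaction built around it are constructed;
the key format the Deadbolt decryptor expects is not documented here and is assumed."""
import struct


def read_varint(buf: bytes, pos: int):
    """Bitcoin CompactSize integer; returns (value, new_pos)."""
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    if n == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if n == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_tx(raw: bytes) -> dict:
    """Minimal legacy/segwit transaction parser: version, inputs, outputs, locktime."""
    pos = 0
    version = struct.unpack_from("<i", raw, pos)[0]; pos += 4
    segwit = raw[pos] == 0x00 and raw[pos + 1] == 0x01        # marker + flag bytes
    if segwit:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32][::-1].hex(); pos += 32        # txids are displayed big-endian
        vout = struct.unpack_from("<I", raw, pos)[0]; pos += 4
        slen, pos = read_varint(raw, pos)
        script_sig = raw[pos:pos + slen]; pos += slen
        sequence = struct.unpack_from("<I", raw, pos)[0]; pos += 4
        inputs.append({"txid": txid, "vout": vout, "script_sig": script_sig, "sequence": sequence})
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]; pos += 8   # satoshis
        slen, pos = read_varint(raw, pos)
        script = raw[pos:pos + slen]; pos += slen
        outputs.append({"value": value, "script_pubkey": script})
    if segwit:                                                  # skip one witness stack per input
        for _ in range(n_in):
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                ilen, pos = read_varint(raw, pos)
                pos += ilen
    locktime = struct.unpack_from("<I", raw, pos)[0]; pos += 4
    if pos != len(raw):
        raise ValueError("trailing bytes after transaction")
    return {"version": version, "inputs": inputs, "outputs": outputs, "locktime": locktime}


OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def op_return_payloads(tx: dict) -> list:
    """Data pushed after OP_RETURN in each null-data output (direct push, PUSHDATA1 or PUSHDATA2)."""
    payloads = []
    for out in tx["outputs"]:
        s = out["script_pubkey"]
        if not s or s[0] != OP_RETURN:
            continue
        if len(s) == 1:
            payloads.append(b"")
            continue
        op, pos = s[1], 2
        if 1 <= op <= 75:
            n = op
        elif op == OP_PUSHDATA1:
            n, pos = s[pos], pos + 1
        elif op == OP_PUSHDATA2:
            n, pos = struct.unpack_from("<H", s, pos)[0], pos + 2
        else:
            continue                                            # PUSHDATA4 or non-push opcode
        payloads.append(bytes(s[pos:pos + n]))
    return payloads


def build_sample_tx(payload: bytes) -> bytes:
    """Constructed one-input, two-output legacy transaction carrying `payload` in OP_RETURN."""
    assert len(payload) <= 75                                   # direct-push size only
    prev_out = bytes.fromhex("11" * 32) + struct.pack("<I", 0)
    tx_in = prev_out + b"\x00" + struct.pack("<I", 0xFFFFFFFF)  # empty scriptSig, final sequence
    null_data = b"\x00" * 8 + bytes([len(payload) + 2, OP_RETURN, len(payload)]) + payload
    p2pkh = struct.pack("<q", 100_000) + b"\x19" + b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
    return struct.pack("<i", 1) + b"\x01" + tx_in + b"\x02" + null_data + p2pkh + struct.pack("<I", 0)


SAMPLE_PAYLOAD = b"CONSTRUCTED-EXAMPLE-KEY-01234567"            # 32-byte placeholder, not a real key
SAMPLE_TX_HEX = build_sample_tx(SAMPLE_PAYLOAD).hex()


def key_candidates(raw_hex: str) -> list:
    """Hex and (if printable) ASCII renderings of every OP_RETURN payload in the transaction."""
    out = []
    for p in op_return_payloads(parse_tx(bytes.fromhex(raw_hex))):
        ascii_form = p.decode("ascii") if p and all(32 <= b < 127 for b in p) else None
        out.append({"hex": p.hex(), "ascii": ascii_form})
    return out


if __name__ == "__main__":
    print(key_candidates(SAMPLE_TX_HEX))
```

Feed `key_candidates()` the raw hex of each incoming transaction to the payment address, newest first; the post found that only the later transaction carried a usable payload, which is why the script returns every candidate rather than the first one. Try both renderings in the decryptor.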
FSC830
Experience counts
Posts: 2066
Joined: Thu Mar 03, 2016 1:11 am

Re: The deadbolt infection of my client, and how I bought the key to decrypt the files

Post by FSC830 »

Markus1980Wien wrote: Sat Feb 05, 2022 1:15 pm The deadbolt infection of my client, and how I bought the key to decrypt
...
7. While waiting for a replacement the client was hit by Deadbolt.
8. Yes, Port 8080 was open to the internet, because the client used this feature, to be able to access their files from everywhere. This feature was one of the reasons they bought a QNAP.
...
14. I made the payment to the address stated in my hijacked login page.
...
29. I logged into my router and allowed internet-access for the QNAP.
...
:shock:

Really? You allowed internet-access after this experience again? Without any further protection?
Or did I miss some steps here? :S

By the way: not to blame you, just to satisfy curiosity: you are talking about a "client", so you are an IT professional/consultant/engineer/whatever...?
And there is no other backup strategy except of a manual backup weeks ago and a failing backup job to M$?

Regards
Hypernurd
New here
Posts: 4
Joined: Sat Feb 05, 2022 9:15 am

Re: The deadbolt infection of my client, and how I bought the key to decrypt the files

Post by Hypernurd »

Markus1980Wien wrote: Sat Feb 05, 2022 1:15 pm The deadbolt infection of my client, and how I bought the key to decrypt
...
Thank you for your candid and thorough description of your experience. This is very helpful for anyone (noob or professional) looking to get their data back. Nobody on here should be sitting on their high horses looking to judge or question anyone's capabilities. What's the point? Everyone is on a learning curve and frankly if Qnap's software was more secure none of us would be in this mess. I've learned a great deal about the integrity and capability of Qnap's engineering having been affected and I only regret that I didn't do my own research more thoroughly before deciding to purchase my TVS-872XT. But, that's on me.
mustard
Getting the hang of things
Posts: 94
Joined: Sat Jun 15, 2013 7:24 pm

Re: [RANSOMWARE] Deadbolt

Post by mustard »

Having just burned through my Saturday morning attempting to set up OpenVPN for inbound access, I'm just gonna laugh in the face of anyone who suggests that this is a simple option that everyone should be using. Four hours in, and I still haven't figured out why it's failing.
chumbo
Know my way around
Posts: 135
Joined: Sun May 03, 2020 8:43 pm

Re: The deadbolt infection of my client, and how I bought the key to decrypt the files

Post by chumbo »

Hypernurd wrote: Sat Feb 05, 2022 4:40 pm Nobody on here should be sitting on their high-horses looking to judge or question anyones capabilities - what’s the point? Everyone is on a learning curve and frankly if Qnap’s software was more secure none of us would be in this mess.
I couldn't agree with you more! There are a few more 'senior' forum members here who consistently lecture in an often insulting and condescending tone, only to point out the naivety of less expert members. It's sad and in regard to this particular thread, even cruel since many will have lost either precious files or money recovering them. So to have your nose pushed into your own poop when you're feeling down and just seeking help and advice...I don't get it either :roll:
I've stopped responding to those kind of attacks and just focus on the more positive and helpful members of which there are still many thankfully! :wink:

Which brings me to my own concerns...
Still trying to carry out as many of the recommended steps to secure my NAS as best I can for internet access (I know some will say I shouldn't but please take for granted that I will).
I'll leave aside UPnP and port-forwarding for now because those are the big ones and I'm dealing with that right now but still need to explore some of the recommended alternatives I was offered to keep access to Plex.

What I have done since the deadbolt attack:
- Changed default ports and forced connections to redirect to HTTPS
- Enabled 2-step verification
- Use as few QNAP apps as possible. I already wasn't using many of QNAPs apps but some are still needed of course. I've posted a screenshot below of what I currently have installed, let me know if there is anything evil I should disable. I also have Kodi enabled but I could do without it if it's considered unsafe (I should point out that I use it vanilla/out of the box, no addons at all).
[screenshot: currently installed QNAP apps]

And here are the questions...
1. DDNS myqnapcloud and myqnapcloud link are two different things, right? I think many times posters shorthand and just write "don't use myqnapcloud!" when maybe they mean myqnapcloud link? I'm using a myqnapcloud DDNS but disabled myqnapcloud link...is that ok?
2. Services...I have two running which might be of concern, DLNA and Webserver...are those bad? I'm not totally clear on what they do but I think DLNA is sort of in the same league as UPnP in that it facilitates access to files over a network but not exactly clear on what I'd lose if I disabled it? Webserver, no idea what it's doing? (I also have Multimedia services & Microsoft networking...those ok?)
3. Changing default admin account...I've read almost as many saying you should disable it as those who say you shouldn't...any consensus on that?

For now, I'm leaving the VPN option to the side as to not complicate things too much before I even get the basics and easy stuff done.
Thanks in advance!
QNAP TS-253D 12Gb, Windows 10 x64.
I'm a total noob when it comes to networking and security so please address me as if I were your grandmother
FSC830
Experience counts
Posts: 2066
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

It's vice versa: most who say (me too) don't use myqnapcloud mean myqnapcloud, NOT myqnapcloud link!
But to be honest: I do not have any experience of my own with myqnapcloud link; my prejudice against myqnapcloud link is just that I have learned how carelessly QNAP deals with security.
Someone said (in this thread?) that myqnapcloud link is totally different from myqnapcloud; I did not check it out yet.
Even if it were safer than myqnapcloud, I feel more comfortable with VPN!

As said 100+ times here :D : neither moving ports from default nor 2FA nor https can protect you against malware that uses exploits in QTS!
They ***can*** maybe delay some attacks, but they are not real protection!

At my NAS the admin account is still enabled. None of my NAS are exposed to the internet. An outgoing connection is possible.
Some people report that some apps require the original admin account; the only thing I can say is that a user, even if the user belongs to the administrators group, does not have the same permissions as the "original" admin in the SSH shell.
They need to run some commands with "sudo" for that.

At one NAS, TS-473A/QTS 5.0.0.1891, I am not using the original admin.
But up to now I have not found an obstacle when administering that needs a switch to the original admin account.

If your NAS is exposed to internet, I would also recommend to use an "alternative" admin account.

Regards