QNAP recently force-installed a firmware update after its NAS (Network Attached Storage) devices were hit by the DeadBolt ransomware. The attackers claim that the malware is deployed using a zero-day vulnerability in the QNAP devices and up until now 3600 devices have been affected. Once installed, the ransomware encrypts the files and appends the file names with the .deadbolt extension.
A ransom note appears on the victim’s server instead of the regular HTML login page and demands 0.03 bitcoins (approximately $1017). The note reads that once the payment has been made, the decryption key will be provided by the attackers.
The alleged Zero-Day is also up for sale by the DeadBolt ransomware group for 5 Bitcoins ($185,000). Apart from this, the attackers are willing to provide a master decryption key that will decrypt all the affected systems for 50 bitcoins (approximately $1.85 million).
Internet device search engine Shodan reports that 1,160 QNAP NAS devices are encrypted by DeadBolt. Censys, though, paints a far grimmer picture, finding 3,687 devices already encrypted at the time of this writing.
On multiple complaints are queries the QNAP support representative said:
“We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.
Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don’t apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away.
I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.” –
QNAP force-updated the NAS devices’ firmware, and it may be the best way to protect against the ransomware. Users should update to the QTS 126.96.36.1991 from https://www.qnap.com/en-us/release-notes/qts/188.8.131.521/20211221
However, some issues were found by owners in their iSCSI connections.
The remedy for this error has been provided by a QNAP Owner:
“In “Storage & Snapshots > ISCSI & Fiber Channel” right-click on your Alias (IQN) select “Modify > Network Portal” and select the adapter you utilize for ISCSI.”