QNAP NAS: DeadBolt ransomware also hits Italy, ready to encrypt all data

DeadBolt is the name of a serious new threat to QNAP NAS devices connected to the Internet, serious enough that the company is implementing significant countermeasures. The Taiwanese company is in fact forcing devices to update (even if automatic updates are disabled) to the latest available firmware to close, or at least mitigate, the vulnerability and protect customers from the ransomware that encrypts their data on the NAS. More than 3600 people appear to have been faced with this unpleasant surprise, residing mainly in Italy, the United States, France, Taiwan and the United Kingdom.


The attacks began on January 25, with the first QNAP devices suddenly seeing their files encrypted and renamed with the “.deadbolt” extension appended. As reconstructed by Bleeping Computer, instead of placing ransom-note files in every folder on the device, the bad guys managed to change the NAS login page to display the message “WARNING: Your files have been locked by Dead Bolt”.
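The renaming described above gives owners a simple triage indicator. As an added example (not from the original article or from QNAP), this Python script walks a mounted share and summarises which files carry the “.deadbolt” suffix; the function name `triage`, the report layout and the use of modification times as a rough encryption window are assumptions.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

MARKER = ".deadbolt"  # extension the article says is appended to encrypted files


def triage(root):
    """Summarise files under root that carry the .deadbolt suffix.

    Returns counts per top-level folder, the number of untouched files and
    the earliest/latest modification time among renamed files (assumption:
    mtime approximates when the file was rewritten).
    """
    per_folder = Counter()
    intact = 0
    mtimes = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = rel.split(os.sep)[0]  # "." for files directly under root
        for name in files:
            if not name.lower().endswith(MARKER):
                intact += 1
                continue
            per_folder[top] += 1
            try:
                mtimes.append(os.lstat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                pass  # file vanished or unreadable; still counted above
    return {
        "encrypted": sum(per_folder.values()),
        "intact": intact,
        "per_folder": dict(per_folder),
        "first_mtime": min(mtimes) if mtimes else None,
        "last_mtime": max(mtimes) if mtimes else None,
    }


if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted={report['encrypted']} intact={report['intact']}")
    for folder, count in sorted(report["per_folder"].items()):
        print(f"  {folder}: {count}")
    for key in ("first_mtime", "last_mtime"):
        if report[key] is not None:
            stamp = datetime.fromtimestamp(report[key], timezone.utc)
            print(f"{key}: {stamp.isoformat()}")
```

Run it against a read-only mount or a copy of the volume so the check itself does not alter timestamps or files.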

The screen informs the victim that to decrypt the files, he just needs to pay 0.03 Bitcoin, or around 980 euros, to a single Bitcoin address. Once the ransom is paid, the attackers make a subsequent transaction to the same address which includes the decryption key to be entered on the appropriate screen.


When asked about this, QNAP said users can bypass the ransom note screen and access the admin page via the URLs http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. At the same time, QNAP users are encouraged to disconnect their devices from the internet and protect them with a firewall.

To reduce the attack surface, QNAP made the decision to force NAS devices to update to the latest firmware, although it’s unclear whether this fully fixes the problem. “We are trying to increase the deadbolt protection. […] During the days of Qlocker, many people were infected after patching the vulnerability. In fact, the whole outbreak happened after the patch was released. But many people don’t apply security patches on the same day or even the same week that they are released. And that makes stopping a ransomware campaign even more difficult.”

“We will be working on security fixes/improvements against Deadbolt and I hope they will be applied immediately. I know there are arguments as to whether we should do this or not (force auto-update, editor’s note). It is a difficult decision to make. But we did it because of Deadbolt and our desire to stop this attack as soon as possible”, a company representative said on Reddit.


The villains didn’t just target NAS owners, but also QNAP itself, requesting a payment of 5 Bitcoins (about 160 thousand euros) to reveal all the details of the flaw. They also stated that they are willing to sell the master decryption key and zero-day information to QNAP for 50 Bitcoins, or about 1.6 million euros.