New Ransomware Deadbolt Targets QNAP Devices
Automated Update Reportedly Prevents Decryption, Causing Users to Complain

Taipei-based network-attached storage provider QNAP Systems reports that a new type of ransomware called Deadbolt has been targeting all unprotected NAS devices exposed to the internet, encrypting users’ data.
According to information from internet scanning company Censys, 3,687 QNAP systems were affected and received the message: "All your files have been locked by DeadBolt."
Tom Cheney, CEO of idobi Network, shared the Deadbolt ransom note in a Twitter post. The note says that users' data - including but not limited to photos, documents and spreadsheets - has been encrypted.
The ransomware group says it's not a personal attack, but users were targeted because of "inadequate security" provided by QNAP.
The ransom note directs affected users to make a payment of 0.03 bitcoins - around $1,096 - to a specified address.
"Once the payment has been made, we'll follow up with a transaction to the same address - this transaction will include the decryption key as part of the transaction details," the note says.
Zero-Day Exploited
The Deadbolt ransomware group claims to have encrypted QNAP's NAS devices by exploiting a zero-day vulnerability in the firmware installed on the devices, according to a report by Bleeping Computer.
Reacting to the ransomware attack, one QNAP user on Reddit says a client of theirs, despite taking basic security measures such as deactivating default admin accounts, had their files encrypted by Deadbolt.
QNAP expert Bob Zelin says in a Reddit post that his client was affected by the Deadbolt ransomware even though they used a secure password and had enabled two-factor authentication.
Here is some map related to the compromised #QNAPs by the #Deadbolt #ransomware. Most of them are 5.0.0 (77.95%) and 4.5.4 (21.50%) + few 4.5.3 (0.57%) - data from this morning ↘️ pic.twitter.com/Adgy9KJRK7
— Félix Aimé (@felixaime) January 27, 2022
The targets are spread all over the globe, affecting both Windows and Linux systems in Taiwan, Hong Kong and Singapore. But Félix Aimé, a threat intel researcher at Sekoia, says in a Twitter post that most of the targets are based in Europe and the U.S.
Remediation
To check if a user's NAS is exposed to the internet, QNAP advises opening "Security Counsellor." If a user sees the message, "The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP," on the dashboard, it implies the NAS is exposed to the internet and is at high risk.
If a user's NAS is exposed to the internet, QNAP recommends disabling the "Port Forwarding" function of the router by accessing the router's management interface and disabling the port forwarding setting of the NAS management service port.
After doing that, QNAP advises affected users to disable the "UPnP function" of the QNAP NAS by going to the myQNAPcloud application on the QTS menu, clicking the "Auto Router Configuration" option and deselecting "Enable UPnP Port forwarding."
All QNAP users are also advised to immediately update QTS to the latest available version.
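The three remediation steps above (check whether the management service is reachable from outside, remove the port-forwarding and UPnP mappings that make it so, and bring QTS up to date) can be turned into a small audit an administrator runs against a dump of their router's rules. The following is an added example written for this article, not QNAP's Security Counsellor or any real router's output: the port-mapping entries, the NAS address and the firmware versions are constructed, the QTS web ports 8080/443 and SSH 22 are assumptions beyond the HTTP service the advisory names, and LATEST_QTS is a placeholder for whatever release QNAP currently lists.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ports through which a NAS management service could be reached from outside.
# The article names HTTP; 8080/443 as QTS web defaults and 22 for SSH are
# assumptions added for this example.
MANAGEMENT_PORTS = {
    80: "HTTP",
    8080: "HTTP (QTS web default, assumed)",
    443: "HTTPS (assumed)",
    22: "SSH (assumed)",
}


@dataclass(frozen=True)
class PortMapping:
    """One router port-forwarding rule or UPnP mapping."""
    source: str          # "port_forwarding" (manual rule) or "upnp" (auto-added)
    external_port: int   # port open on the router's WAN side
    internal_host: str   # LAN address the traffic is sent to
    internal_port: int   # port on that LAN host
    protocol: str = "TCP"


def exposed_management_mappings(mappings: Iterable[PortMapping], nas_ip: str) -> List[PortMapping]:
    """Mappings that publish a NAS management port to the internet (TCP only)."""
    return [
        m for m in mappings
        if m.internal_host == nas_ip
        and m.protocol.upper() == "TCP"
        and m.internal_port in MANAGEMENT_PORTS
    ]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v5', '4.5.4' or '5.0.0' into a comparable tuple, padded to 3 parts."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def firmware_outdated(installed: str, latest: str) -> bool:
    """True when the installed QTS release is older than the reference release."""
    return parse_version(installed) < parse_version(latest)


def audit(mappings: Iterable[PortMapping], nas_ip: str,
          installed_version: str, latest_version: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to fix."""
    findings = []
    for m in exposed_management_mappings(mappings, nas_ip):
        findings.append(
            f"{m.source}: WAN {m.protocol}/{m.external_port} -> {m.internal_host}:{m.internal_port}"
            f" [{MANAGEMENT_PORTS[m.internal_port]}] - remove this mapping"
        )
    if firmware_outdated(installed_version, latest_version):
        findings.append(f"firmware: QTS {installed_version} is older than {latest_version} - update")
    return findings


# Constructed sample data (not from any real router or NAS).
NAS_IP = "192.168.1.20"
LATEST_QTS = "5.0.0"   # placeholder: substitute the release QNAP currently lists
SAMPLE_MAPPINGS = [
    PortMapping("port_forwarding", 8080, NAS_IP, 8080),          # manual rule, exposes the QTS web UI
    PortMapping("upnp", 50443, NAS_IP, 443),                     # auto-added by UPnP port forwarding
    PortMapping("upnp", 51413, "192.168.1.30", 51413),           # another LAN host, not the NAS
    PortMapping("port_forwarding", 8080, NAS_IP, 8080, "UDP"),   # UDP: not the web service
]

if __name__ == "__main__":
    for line in audit(SAMPLE_MAPPINGS, NAS_IP, "4.5.4", LATEST_QTS):
        print(line)
```

Run against the sample data it reports the two TCP mappings that reach the NAS management ports and the outdated firmware; mappings to other hosts or over UDP are left alone. Feeding it the real rule table exported from a router and the version string shown in QTS reproduces the manual check the advisory describes.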
Forced Update Faces Flak
Some QNAP users reported on Bleeping Computer's support page that QNAP had made some changes to the "Firmware Updates" settings and included a new option under the "Auto Update" section. They say their QNAP NAS versions were updated from v4.5 to v5 even with "Auto Update" disabled.
One disgruntled user says they made the crypto payment and received a valid decryption code - and the decryption script appears to have worked. But, they say, QNAP's automatic forced update interrupted the decryption process.
A user who goes by the name DarkComy says, "It usually asks me if I want to update, but now it didn't ask me."
While the decryption was in progress, the user received a notification from QNAP recommending a restart for an update to finish. "I pressed 'No' but it ignored me and started to close down all the apps in order to restart," the user says.
As a result of the forced update, the user lost access to the "lockscreen" needed to continue the decryption process.
QNAP user jlstyle82 says that they were ready to pay for decryption but couldn't access the Deadbolt warning page. Following the forced update, QNAP sent a message saying the malware had been removed.
Once Deadbolt malware has been removed, QNAP says, users won't be able to decrypt the files. "Have they gone mad and blew up my last chance to decrypt?" the user says.
Defending its decision to roll out the auto-update for the firmware, QNAP acknowledges that there are arguments both ways. "It is a hard decision to make. But it is because of Deadbolt and our desire to stop this attack as soon as possible, we did this," it says.
In a Reddit post, QNAP says, "We are trying to increase protection against Deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away."
It adds that many people don't apply a security patch on the same day or even the same week it is released, which makes it "much harder to stop a ransomware campaign." The company says it will work on patches and security enhancements against Deadbolt and have them applied right away.