DeadBolt, a ransomware strain that was previously seen targeting QNAP NAS devices, is now infecting vulnerable ASUSTOR NAS devices that are accessible from the Internet. The threat actors are demanding 0.03 bitcoins, or approximately $1,150, for the decryption key to decrypt all files stored on infected NAS devices.
Similar to the QNAP NAS attacks last month, the threat actors claim to be using a zero-day vulnerability to compromise and infect the ASUSTOR NAS devices. While currently unknown, it is believed that the vulnerability lies in the EZ Connect function, which allows for remote access to the NAS, or the Plex media server. The threat actors have also demanded a payment from ASUSTOR of 7.5 bitcoins for information related to the zero-day vulnerability used and 50 bitcoins for the master decryption key.
ASUSTOR is planning on releasing a recovery firmware which will make the NAS devices that have been infected usable again. However, this recovery firmware will not be able to decrypt any DeadBolt encrypted files and will instead just restore functionality to the NAS for other uses.
It is highly recommended to not expose any NAS devices to the Internet, as they are prime targets for threat actors to attempt to compromise. If Internet access is required, ASUSTOR has provided the following recommendations to help protect against DeadBolt compromises:
• Disable EZ Connect
• Close Plex ports and disable Plex
• Make an immediate backup
• Turn off Terminal/SSH and SFTP services
ASUSTOR has also released a firmware for specific devices that helps protect against these ransomware attacks. While the firmware, labelled ADM 4.0.4.RQO2, does not go into specifics about what security issues are fixed, devices should be upgraded to this version as soon as possible to help prevent DeadBolt from infecting the NAS. ASUSTOR also recommends using strong passwords, changing default ports, and making regular backups to help mitigate the effectiveness of ransomware attacks on their systems.