
QNAP Alerts NAS Customers of New DeadBolt Ransomware Attacks

May 19, 2022

Taiwan-based Network-Attached Storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they’re not exposed to remote access over the Internet. “According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” the NAS maker said. First spotted in attacks targeting QNAP NAS devices in late January, DeadBolt ransomware hijacks the QNAP device’s login page to display a screen stating, “WARNING: Your files have been locked by DeadBolt.” Once deployed on a NAS device, this ransomware uses AES128 to encrypt files, appending a .deadbolt extension to their names.

DeadBolt also replaces the /home/httpd/index.html file so that victims will see the ransom screen when accessing the compromised device. After the ransom is paid, the threat actors create a bitcoin transaction to the same bitcoin ransom address containing the decryption key for the victim (the decryption key can be found under the OP_RETURN output). Ransomware expert Michael Gillespie has created a free Windows decryptor that can help decrypt files without using the ransomware executable. However, QNAP owners hit by DeadBolt ransomware will need to pay the ransom to get a valid decryption key.
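A defender checking a suspect share for the two indicators described above (the .deadbolt extension and the hijacked index.html banner) could use a scanner like the one below. This is an added example, not code from QNAP or from the article; the directory tree it scans is constructed in a temp directory, and the web-root path is a parameter because the real location (/home/httpd on a QNAP device) is not portable.

```python
"""Added example: scan a directory tree for the DeadBolt indicators named in
the article. Sample tree and paths are constructed here for demonstration."""
import os
import tempfile

DEADBOLT_EXT = ".deadbolt"
RANSOM_BANNER = "WARNING: Your files have been locked by DeadBolt"


def scan_for_deadbolt(root, web_root=None):
    """Walk `root` for encrypted files; optionally check `web_root`/index.html
    (on QNAP: /home/httpd/index.html) for the ransom banner.
    Returns a summary dict the caller can act on or log."""
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DEADBOLT_EXT):
                encrypted.append(os.path.join(dirpath, name))
    banner_hijacked = False
    if web_root:
        index = os.path.join(web_root, "index.html")
        try:
            with open(index, "r", encoding="utf-8", errors="replace") as fh:
                banner_hijacked = RANSOM_BANNER in fh.read()
        except OSError:
            pass  # no readable index.html under the given web root
    return {
        "encrypted_count": len(encrypted),
        "samples": sorted(encrypted)[:5],
        "banner_hijacked": banner_hijacked,
        "infected": bool(encrypted) or banner_hijacked,
    }


def build_sample_tree():
    """Constructed demo data: a partly encrypted share and a hijacked web root."""
    base = tempfile.mkdtemp(prefix="deadbolt_demo_")
    share = os.path.join(base, "share")
    web = os.path.join(base, "httpd")
    os.makedirs(share)
    os.makedirs(web)
    for name in ("photo1.jpg.deadbolt", "budget.xlsx.deadbolt", "notes.txt"):
        open(os.path.join(share, name), "w").close()
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("<html><body>" + RANSOM_BANNER + "</body></html>")
    return share, web


if __name__ == "__main__":
    share, web = build_sample_tree()
    print(scan_for_deadbolt(share, web))
```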

Analyst Notes

“QNAP urges all NAS users to check and update QTS to the latest version as soon as possible and avoid exposing their NAS to the Internet.” This warning follows an earlier one, published in January, about ransomware targeting Internet-exposed NAS devices.
QNAP advised customers with public-facing devices to take the following actions to block potential attacks:

• Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of the NAS management service ports (ports 8080 and 433 by default).
• Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration,” and unselect “Enable UPnP Port forwarding.”

The NAS maker also provides detailed steps on how to toggle off SSH and Telnet connections, change the system port number, change device passwords, and enable IP and account access protection. In April, QNAP also urged NAS users to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing them to attacks from the Internet. Users who need remote access to a NAS without exposing it directly to the Internet are advised to enable their router’s VPN feature (if available), use the myQNAPcloud Link service, use the VPN server that the QVPN Service app provides on QNAP devices, or use the QuWAN SD-WAN solution. With QNAP devices also being targeted by other ransomware families such as Qlocker and eCh0raix, all owners should immediately take the above measures to secure their data from future attacks.