Taiwan-based Network-Attached Storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they’re not exposed to remote access over the Internet.

“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” the NAS maker said.

First spotted in attacks targeting QNAP NAS devices in late January, DeadBolt ransomware hijacks the QNAP device’s login page to display a screen stating, “WARNING: Your files have been locked by DeadBolt.” Once deployed on a NAS device, this ransomware uses AES128 to encrypt files, appending a .deadbolt extension to their names.
DeadBolt also replaces the /home/httpd/index.html file so that victims will see the ransom screen when accessing the compromised device.

After the ransom is paid, the threat actors create a bitcoin transaction to the same bitcoin ransom address containing the decryption key for the victim (the decryption key can be found under the OP_RETURN output).

Ransomware expert Michael Gillespie has created a free Windows decryptor that can help decrypt files without using the ransomware executable. However, QNAP owners hit by DeadBolt ransomware will need to pay the ransom to get a valid decryption key.
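
For responders who need to read the OP_RETURN output mentioned above from a transaction's output scripts, here is an added example (not code from QNAP, the decryptor's author, or the original article). The function names and sample scripts are constructed; it assumes the payload is either a raw 16-byte key or its 32-character hex text, since the article only says AES128 and does not give the encoding.

```python
# Added example: pull the data carried by an OP_RETURN output script.
OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 length-field sizes


def op_return_payload(script_hex):
    """Return the bytes pushed after OP_RETURN, or None for any other script."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode, pos = script[1], 2
    if 0x01 <= opcode <= 0x4B:            # direct push: opcode is the length
        length = opcode
    elif opcode in PUSHDATA_WIDTH:        # length stored little-endian after opcode
        width = PUSHDATA_WIDTH[opcode]
        if len(script) < pos + width:
            return None
        length = int.from_bytes(script[pos:pos + width], "little")
        pos += width
    else:
        return None
    data = script[pos:pos + length]
    return data if len(data) == length else None  # reject truncated pushes


def find_key_candidates(output_scripts, key_bytes=16):
    """Hex strings of OP_RETURN payloads sized like an AES-128 key (assumption)."""
    found = []
    for script_hex in output_scripts:
        data = op_return_payload(script_hex)
        if data is None:
            continue
        if len(data) == key_bytes:                # raw key bytes
            found.append(data.hex())
        elif len(data) == 2 * key_bytes:          # key written as hex text
            try:
                text = data.decode("ascii")
                bytes.fromhex(text)
                found.append(text.lower())
            except ValueError:
                pass
    return found


# Constructed sample: one ordinary pay-to-address script, one OP_RETURN output.
SAMPLE_OUTPUTS = ["76a914" + "00" * 20 + "88ac",
                  "6a10" + "00112233445566778899aabbccddeeff"]
```

Feed it the hex of each output script (`scriptPubKey`) from the transaction as decoded by a node or block explorer; any candidate it returns still has to be validated against the encrypted files.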