Network-Attached Storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware. “QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running QTS 4.x,” QNAP stated. “We are thoroughly investigating the case and will provide further information as soon as possible.” This warning follows multiple other alerts the company has issued since the beginning of 2022. As seen during previous attacks targeting QNAP NAS devices, DeadBolt ransomware hijacks the device’s login page to display a screen stating, “WARNING: Your files have been locked by DeadBolt.” Once launched on a compromised NAS device, DeadBolt uses AES128 to encrypt files, appending a .deadbolt extension to their names. It also replaces the /home/httpd/index.html file so victims will see the ransom note when accessing the encrypted device. After the victims pay a 0.03 bitcoins ransom, the threat actors create a bitcoin transaction to the same bitcoin address containing the decryption key under the OP_RETURN output. DeadBolt ransomware also hit ASUSTOR NAS devices in February, allegedly using a zero-day vulnerability.
Analyst Notes
The company strongly recommends that all users immediately update the QTS or QuTS hero operating systems on their NAS devices to the latest version. Upgrading the firmware on a compromised device will allow the built-in Malware Remover app to automatically quarantine the DeadBolt ransom note known to hijack the login page. QNAP also advises those who cannot locate the ransom note to enter the DeadBolt decryption key after upgrading the firmware to reach out to QNAP Support for assistance. However, before contacting QNAP’s customer service, administrators should first try restoring the DeadBolt page using the steps detailed on QNAP’s support page. Since QNAP devices are also being targeted with other ransomware strains, including Qlocker and eCh0raix, all owners should keep their devices up to date to secure their data from future attacks.
https://www.bleepingcomputer.com/news/security/qnap-thoroughly-investigating-new-deadbolt-ransomware-attacks/
https://www.qnap.com/en/how-to/faq/article/how-do-i-restore-deadbolt-page-for-decrypting-the-files-if-i-have-the-correct-password
