2022-01-28

A new ransomware group, named DeadBolt, is encrypting QNAP NAS devices around the world by exploiting a zero-day vulnerability identified in the devices' firmware.

The attacks began on January 25, when some QNAP users found that their files had been encrypted and renamed with a new extension .deadbolt.

The details of the DeadBolt ransomware attack

Instead of writing ransom notes to every folder on the device, this time the QNAP device's login page itself is replaced with a message reading “WARNING: Your files have been locked by DeadBolt”. This screen instructs the victim to send 0.03 Bitcoin (just under €1,000 at the current exchange rate) to a wallet address that differs for each victim.
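A small triage helper, added here as an example (it is not part of the original article nor a QNAP tool), that checks for the two indicators described above: files renamed with the .deadbolt extension on a mounted share, and a login page replaced by the ransom banner. The directory layout and the HTML excerpt it runs on are constructed samples.

```python
"""DeadBolt triage helper (added example). Two checks:
  1. walk a mounted NAS share and list files carrying the '.deadbolt' extension;
  2. inspect the HTML of the device login page for the ransom banner text."""
import os
import tempfile
from pathlib import Path

DEADBOLT_EXT = ".deadbolt"
BANNER = "WARNING: Your files have been locked by DeadBolt"


def find_encrypted_files(root):
    """Return share-relative POSIX paths of files ending in .deadbolt, sorted."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DEADBOLT_EXT):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def encryption_ratio(root):
    """Fraction of files under root that carry the .deadbolt extension.
    A high ratio on a share is a strong sign the device has been hit."""
    total = sum(len(files) for _d, _s, files in os.walk(root))
    return len(find_encrypted_files(root)) / total if total else 0.0


def login_page_is_tampered(html):
    """True if the login page HTML contains the DeadBolt ransom banner."""
    return BANNER.lower() in html.lower()


def build_sample_share():
    """Create a temp directory mimicking a partially encrypted share
    (constructed sample data, not real victim files). Returns its path."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    for rel in ("docs/report.docx.deadbolt", "docs/notes.txt",
                "photos/img001.jpg.deadbolt", "photos/img002.jpg.deadbolt"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    print(find_encrypted_files(share))
    print(f"{encryption_ratio(share):.0%} of files carry the extension")
    # constructed login page excerpt, as a defender would fetch it from the NAS
    print(login_page_is_tampered("<h1>WARNING: Your files have been locked by DeadBolt</h1>"))
```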

The threat actors claim that, after payment, they will send a follow-up transaction to the same address containing the decryption key, which the victim can retrieve by following the instructions on the screen. The files on the device can then be decrypted with this key.

However, there is no guarantee that paying the ransom will actually result in a decryption key being delivered, or that users will be able to decrypt their files. Remember that these are criminal activities and that entering into agreements with malicious third parties is never recommended, precisely because nothing guarantees they will honour them.

The possible impacts of the ransomware attack

A Network Attached Storage (NAS) device, we recall, is a storage appliance connected to a computer network that provides file sharing to the users and devices on that same network. It therefore contains one or more mass storage units, in the form of hard disks (single or multiple, depending on the model).

QNAP, based in Taiwan, is one of the largest and most widespread multinational companies specializing in commercial NAS solutions for individuals and for companies of all sizes.

BleepingComputer has reported about fifteen victims of the DeadBolt ransomware attack, and an analysis of them shows no specific geographic concentration. The attack targets QNAP NAS devices globally, a consequence of how widely they are deployed. We are in fact talking about roughly 320,000 NAS devices connected to the Internet and potentially exposed, holding data of all kinds, from personal to corporate. QNAP solutions are particularly popular with SMEs that need to centralize the documents they produce over time.

These figures give a sense of the scale of the problem, and show that this is not a remote concern about a distant multinational: in Italy alone, just over 30,000 units are connected to the Internet.

DeadBolt ransomware mitigation measures

DeadBolt attacks, like all other ransomware attacks against QNAP devices, only affect Internet-connected machines. Since the threat actors claim to use a zero-day vulnerability, all QNAP customers are strongly advised to disconnect their devices from the Internet and protect them with a firewall. Because QNAP device owners have also been targeted by two other ransomware families, Qlocker (isolated a few weeks ago) and eCh0raix (last December), it is good practice to invite all owners to follow some preventive measures to avoid future attacks.

Among the measures recommended by QNAP to prevent attacks of this type is a careful evaluation of the device's Internet access. Does it really need to be exposed to the Internet? If access can be limited or removed altogether, that is the best mitigation. When Internet exposure is genuinely needed, make sure that the router's port forwarding to the NAS (usually ports 8080 and 443 by default) is disabled, and also disable the UPnP function on the QNAP NAS.

QNAP is certainly, as we have seen over time, a frequent target of attacks of this type: at least once a month a ransomware variant or a vulnerability that could compromise stored content is identified on these NAS products. It must be acknowledged, however, that QNAP is also among the most responsive vendors in this respect: updates are constant, with frequent periodic security fixes, as rarely happens with shared storage systems. The company keeps a dedicated page of detected alerts constantly updated; in the last year it has accumulated 181 advisories, each complete with the appropriate mitigations.

