Date: 2022-01-29

DeadBolt is the name of the new serious threat to QNAP NAS devices connected to the Internet, serious enough that the company is implementing significant countermeasures. The Taiwanese company is in fact forcing devices to update (even if automatic updates are disabled) to the latest available firmware to close, or at least mitigate, the vulnerability and to protect customers from the ransomware that is encrypting their data on the NAS. It seems that more than 3600 people have been faced with the unpleasant surprise, mainly residing in Italy, United States, France, Taiwan and UK.

The attacks started on January 25th, with the first QNAP devices suddenly finding their files encrypted and the file names changed by the addition of the “.deadbolt” extension. As reconstructed by Bleeping Computer, instead of placing ransom note files in every folder on the device, the attackers were able to edit the NAS login page to show the message “WARNING: Your files have been locked by DeadBolt”.

The screen informs the victim that to decrypt the files, all they have to do is pay 0.03 Bitcoin, around 980 euros, to a single Bitcoin address. After the ransom is paid, the attackers make a subsequent transaction to the same address that includes the decryption key, which is to be entered in the appropriate screen.

When asked about this, QNAP said users can bypass the ransom screen and gain access to their administration page via the URLs http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. In parallel, QNAP users are urged to disconnect their devices from the Internet and protect them with a firewall.

To reduce the attack surface, QNAP made the decision to force the update of the NAS to the latest firmware, although it is not clear whether this is a complete fix. “We are looking to increase the protection against Deadbolt. […] In Qlocker’s time, many people were infected after fixing the vulnerability. In fact, the whole outbreak broke out after the patch was released. But many people don’t apply security patches on the same day or even the same week they are released. And that makes stopping a ransomware campaign much more difficult.”

“We will be working on patches / security improvements against Deadbolt and hopefully they will be applied immediately. I know there are tensions as to whether we should or not (force automatic updates, ed.). It is a difficult decision to make. But we did it because of Deadbolt and our desire to stop this attack as soon as possible”, said a company representative on Reddit.

The bad guys went after not only NAS owners but QNAP itself as well, requesting payment of 5 Bitcoin (approximately 160 thousand euros) to reveal all the details of the flaw. They also say they are ready to sell the master decryption key and zero-day information to QNAP for 50 Bitcoin, or about 1.6 million euros.