QNAP investigating new Deadbolt ransomware campaign

Taiwanese hardware vendor QNAP said on Friday that it is investigating yet another Deadbolt ransomware campaign targeting users of its network-attached storage (NAS) devices.  

The company did not respond to requests for comment but released an advisory saying it recently detected a new batch of DeadBolt ransomware victims. 

“According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x. We are thoroughly investigating the case and will provide further information as soon as possible,” the company said.

QNAP urged customers to update their QTS or QuTS hero systems to the latest version as soon as possible. 

For those who have already been compromised, QNAP said they should take a screenshot of the ransom note – in order to keep the Bitcoin address – then “upgrade to the latest firmware version.”

“The built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” QNAP explained. 

“If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, please contact QNAP Support for assistance.”

Almost exactly one month ago, QNAP released a similar warning after several customers reported Deadbolt ransomware infections.

There continues to be significant debate among QNAP NAS users about whether even updated versions of the system are still vulnerable to the ransomware, which emerged in January. It is unclear where members of the Deadbolt ransomware group are based.

In January, dozens of people turned to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files.

I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50tb of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start. pic.twitter.com/E8ZkyIbdfp

— Lex Fridman (@lexfridman) January 27, 2022

Other companies’ devices also have been attacked. Users of Asustor’s NAS hardware were also warned in February of potential Deadbolt ransomware infections after dozens of people took to Reddit and other message boards to complain of attacks. 

The ransom note most victims see demands 0.03 Bitcoin for the decryption key and says, “You have been targeted because of the inadequate security provided by your vendor (QNAP).” At least one user on Reddit reported paying the ransom and not getting the decryption key. 

The group also sent out a message directly to QNAP in January claiming all affected customers were “targeted using a zero-day vulnerability.” 

“We offer you two options to mitigate this (and future) damage,” the group said, demanding a payment of 5 Bitcoin in exchange for details about the alleged zero-day used to launch the attack, or 50 Bitcoin for a universal decryption master key and information about the zero-day. 

“There is no way to contact us. These are our only offers,” the January message reportedly said.

Security company Censys reported that of the total 130,000 QNAP NAS devices sold, 4,988 services “exhibited the telltale signs of this specific piece of ransomware.”

Lookout’s Hank Schless said NAS devices are tools connected to a network that allow for the storage and retrieval of data from a centralized location for authorized users and others. 

Organizations use NAS to bring the benefits of cloud infrastructure inside their network, and now with people working from anywhere, these systems are web-facing to ensure employees have access to the data they need regardless of location, Schless explained. 

“While this enables productivity, it can introduce serious risk if not done correctly. Not only could attackers compromise the data within the particular resources they discover, but they could also move laterally around your network after initial compromise,” he added.  

In May, Censys managed to track the Bitcoin wallet transactions associated with an infection and figured out that of the previous batch of victims, 132 paid ransoms totaling about $188,000. The company also created a dashboard to track the number of victims around the world.

Most of the recent infections are taking place in the United States, Germany and the United Kingdom.

After a brief respite following the January attacks, Censys said more than 1,000 QNAP devices were infected with the Deadbolt ransomware in March.

Theon Technologies CEO Scott Bledsoe noted that any NAS device is a big target for ransomware since it is used to store a significant amount of business critical data. 

“Given the large number of QNAP NAS devices that are currently deployed, the Deadbolt ransomware can be used to target a wide variety of organizations for profit by the attackers,” he said.

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the one they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned. 

Emsisoft’s decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators.

Bud Broomhead, CEO at IoT security company Viakoo, said QNAP drives are often managed outside of IT departments and have become targets for cybercriminals. Many NAS instances are not protected by firewalls and are left unpatched. 

“QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money (as opposed to few victims being asked for large amounts),” Broomhead said.  

“The ~$900 asked for as ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved (and potentially face internal consequences for not having properly onboarded and secured the devices).”

Other experts, like Vectra CTO Oliver Tavakoli, urged NAS users to not expose their devices to the internet because they are not designed to withstand a capable adversary.

The post QNAP investigating new Deadbolt ransomware campaign appeared first on The Record by Recorded Future.