QNAP force-installs update after DeadBolt ransomware hits 3,600 devices


QNAP force-updated customers’ Network Attached Storage (NAS) devices with firmware containing the latest security updates to protect against the DeadBolt ransomware, which has already encrypted over 3,600 devices.

On Tuesday, BleepingComputer reported on a new ransomware operation named DeadBolt that was encrypting Internet-exposed QNAP NAS devices worldwide.

The threat actor claims to be using a zero-day vulnerability to hack QNAP devices and encrypt files using the DeadBolt ransomware, which appends the .deadbolt extension to file names.

The ransomware will also replace the regular HTML login page with a ransom note demanding 0.03 bitcoins, worth approximately $1,100, to receive a decryption key and recover data.

DeadBolt ransom screen on a QNAP NAS device

The DeadBolt ransomware gang is also trying to sell the full details of the alleged zero-day vulnerability to QNAP for 5 bitcoins, worth $185,000.

They are also willing to sell QNAP the master decryption key that can decrypt all affected victims and provide information on the alleged zero-day for 50 bitcoins, or approximately $1.85 million.

While it is unlikely that QNAP will give in to the extortion demand, numerous users in our DeadBolt support forum topic have reported successfully paying the ransom to recover their files.

QNAP force-updates firmware on NAS devices

The next day, QNAP began warning customers to secure their Internet-exposed NAS devices against DeadBolt by updating to the latest QTS software version, disabling UPnP, and disabling port forwarding.


Later that night, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware released on December 23rd, 2021.

This update also included numerous security fixes, but almost all of them are related to Samba, which is unlikely to be associated with this attack.

QNAP owners and IT admins told BleepingComputer that QNAP forced this firmware update on devices even if automatic updates were disabled.

However, this update did not go off without a hitch, as some owners found that their iSCSI connections to the devices no longer worked after the update.

“Just thought I would give everyone a heads-up. A couple of our QNAPS lost ISCSI connection last night. After a day of tinkering and pulling our hair out we finally found it was because of the update. It has not done it for all of the QNAPs we manage but we finally found the resolution,” a QNAP owner said on Reddit.

“In “Storage & Snapshots > ISCSI & Fiber Channel” right-click on your Alias (IQN) select “Modify > Network Portal” and select the adapter you utilize for ISCSI.”

Other users who had purchased the decryption key, and were in the process of decrypting, found that the firmware update also removed the ransomware executable and ransom screen used to initiate decryption. This prevented them from continuing the decryption process once the device finished updating.

“It usually asks me if I want to update, but now it didn’t ask me. I was just standing idle while the decryption was in progress and then I heard a beep from the NAS, and when I looked in the menu, it was asking me if I want to restart now for the update to finalize,” an upset owner posted in BleepingComputer’s DeadBolt support topic.

“I pressed NO but it ignored me and started to close down all the apps in order to restart.”


In response to numerous complaints about QNAP forcing a firmware update, a QNAP support representative replied, stating it was to protect users from the ongoing DeadBolt ransomware attacks.

“We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.

Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don’t apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away.

I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.” – QNAP support rep.

What is unclear is why a forced update to the latest firmware would protect a device from the DeadBolt ransomware when QNAP initially said that reducing devices’ exposure on the Internet would mitigate the attacks.

One possibility is that an older vulnerability in QTS is being abused to breach QNAP devices and install DeadBolt, and that upgrading to this firmware patches that vulnerability.

Forced updates come too late

Unfortunately, QNAP’s move may have come too late as CronUP security researcher and Curated Intel member German Fernandez discovered that DeadBolt had already encrypted thousands of QNAP devices.

Internet device search engine Shodan reports that 1,160 QNAP NAS devices are encrypted by DeadBolt. Censys, though, paints a far grimmer picture, finding 3,687 devices already encrypted at the time of this writing.

Both Shodan and Censys show that the top countries affected by this attack are the United States, France, Taiwan, the United Kingdom, and Italy.

To make matters worse, QNAP NAS owners are already targeted by other ransomware operations named Qlocker and eCh0raix, who constantly scan for new devices to encrypt.

BleepingComputer has asked QNAP further questions about the forced update and DeadBolt attacks.




