
DeadBolt ransomware takes another shot at QNAP storage

QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices’ QTS or QuTS hero operating systems to the latest versions.

The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor’s users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

The previous attacks occurred in January, March, and May.

Taiwan-based QNAP recommended that enterprises whose NAS systems have “already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page.”

They should contact QNAP Assistance if they want to input a decryption key given by the attackers but are unable to find the ransom note after upgrading the firmware.
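QNAP's advice above comes down to two steps a defender can automate before touching the firmware: recognise that the login page has been replaced by a ransom note, and record the bitcoin address it shows so a purchased decryption key can still be used after the note is quarantined. The following is an added example written for this article, not code from QNAP or Trend Micro. It assumes nothing about DeadBolt's actual note beyond what the article states (it replaces the login page and carries a bitcoin address); the keyword list and the two sample pages are constructed, and the address patterns are the usual legacy (base58) and bech32 shapes, checked by shape only.

```python
"""Flag a NAS web login page that has been replaced by a ransom note and
preserve the bitcoin address it shows.

Added example for this article, not QNAP's or Trend Micro's code. The
keyword list and the sample pages are constructed assumptions; the
bitcoin-address patterns are the usual legacy (base58) and bech32 shapes.
"""
import hashlib
import json
import re

# Legacy addresses are base58 (no 0, O, I, l); bech32 addresses are bc1 + lowercase alphanumerics.
# Shape check only: this does not verify the base58 checksum.
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")

# Assumed wording a ransom note tends to carry; tune to what your devices actually show.
RANSOM_KEYWORDS = ("ransom", "decrypt", "bitcoin", "locked", "payment")


def extract_btc_addresses(text):
    """Return the distinct bitcoin-shaped strings in page text, in order of appearance."""
    seen = []
    for match in BTC_ADDRESS_RE.findall(text):
        if match not in seen:
            seen.append(match)
    return seen


def inspect_login_page(html):
    """Classify a fetched login page.

    A page is called hijacked only when it both shows a bitcoin address and
    uses at least two ransom-note words, so a lone regex hit on some long
    base58-looking token does not raise a false alarm on its own.
    """
    lowered = html.lower()
    keywords = [k for k in RANSOM_KEYWORDS if k in lowered]
    addresses = extract_btc_addresses(html)
    hijacked = bool(addresses) and len(keywords) >= 2
    return {
        "hijacked": hijacked,
        "bitcoin_addresses": addresses,
        "keywords": keywords,
        "page_sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
    }


def preserve_evidence(host, html):
    """Build the record to keep before upgrading the firmware: the extracted
    address (needed if a decryption key is used later), the raw page and its hash."""
    result = inspect_login_page(html)
    return json.dumps({"host": host, "raw_html": html, **result}, indent=2)


# Constructed samples: an ordinary login form and a page replaced by a note.
NORMAL_LOGIN = """<html><head><title>NAS login</title></head>
<body><form action="/login" method="post">
<input name="user"><input name="pwd" type="password"><button>Login</button>
</form></body></html>"""

RANSOM_PAGE = """<html><body><h1>Your files have been locked</h1>
<p>Send the payment in bitcoin to
<code>1ConstructedSampLeAddr99999999999</code>
and a decrypt key will be returned to you.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("normal", NORMAL_LOGIN), ("ransom", RANSOM_PAGE)):
        verdict = inspect_login_page(page)
        print(name, "hijacked" if verdict["hijacked"] else "clean", verdict["bitcoin_addresses"])
    print(preserve_evidence("nas01.example", RANSOM_PAGE))
```

In practice the `html` argument is whatever your monitoring already fetches from each NAS's management URL; running the check on a schedule turns the "invisible to IT" problem the article describes later into a log line, and the JSON record is the machine-readable equivalent of the screenshot QNAP asks for. Because the address pattern only checks shape, treat a match without ransom wording as a hint to look, not as a verdict.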

The cybercriminals behind DeadBolt primarily target NAS devices. QNAP systems are the main targets, though in February the group attacked NAS devices from Asustor, a subsidiary of systems maker Asus, said analysts with cybersecurity firm Trend Micro.

QNAP and its customers are examples of a growing interest by cybercriminals in NAS, Trend Micro wrote in a January report. Businesses are relying more on the Internet of Things (IoT) for constant connectivity, workflow continuity and access to data, the analysts said.

“Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to include network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses,” they wrote. “More importantly, cybercriminals are aware that these tools hold valuable information and have only minimal security measures.”

Of the 778 known exploited vulnerabilities listed by the US government’s Cybersecurity and Infrastructure Security Agency (CISA), eight are related to NAS devices and 10 involve QNAP.

The lowest-hanging fruit

Bud Broomhead, CEO of cybersecurity vendor Viakoo, told The Register NAS drives from QNAP and other vendors are often managed outside of a company’s IT teams, making them attractive targets.

Criminals zero in on NAS drives for a range of reasons, including not being properly set up for security or managed by IT – so applying security patches tends to be slow – and being essentially invisible to corporate IT and security teams, so they aren’t getting audited or seen when they fall out of compliance.

“QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money, as opposed to few victims being asked for large amounts,” Broomhead said, adding that the low amount “asked for as ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved.”

In addition, “ransomware is starting to shift towards data theft, as the cyber criminals can gain from both being paid the ransom as well as sale of the data. Threats against NAS devices will increase along with the shift to extending ransomware into data theft,” he said.

“Any NAS device is a big target for ransomware since it is used to store a significant amount of business-critical data,” Scott Bledsoe, CEO of encryption vendor Theon Technology, told The Register. “Given the large number of QNAP NAS devices that are currently deployed, the Deadbolt ransomware can be used to target a wide variety of organizations for profit by the attackers.”

Censys, an attack surface management firm, said that in the January attack, 4,988 of 130,000 potential online QNAP NAS devices showed signs of being infected by DeadBolt, with the number reaching 1,146 in the March outbreak. Trend Micro analysts, in a report earlier this month, said the number of DeadBolt-infected devices seemed high.

DeadBolt is different from other NAS-focused ransomware not only in the number of targeted victims, but also in some of its techniques, including offering multiple payment options – one for the user to restore their scrambled documents, and two for QNAP. That is to say, the manufacturer could in theory pay the ransom to unlock people’s files using a master key, though it appears from the code and the encryption method that such a key wouldn’t work anyway.

“Based on our analysis, we did not find any evidence that it’s possible for the options provided to the vendor to work due to the way the files were encrypted,” Trend opined, adding that the attackers use AES-128 to encrypt the data.

“Essentially, this means that if vendors pay any of the ransom amounts provided to them, they will not be able to get a master key to unlock all the files on behalf of affected users.”

DeadBolt attackers demand individual victims pay 0.03 bitcoin, or about $1,160, for a key to decrypt their files. Vendors get two options: one for information about the exploit used to infect the devices, and the other for the aforementioned impractical master key. The ransom for the exploit info starts at five bitcoins, or about $193,000. The master decryption key costs 50 bitcoins, or more than $1 million.

Another unusual feature is how the DeadBolt slingers take payment. Most ransomware families involve complex steps victims must take to get their data returned. However, DeadBolt comes with a web UI that can decrypt the data once the ransom is paid. The blockchain transaction automatically sends the decryption key to the victim after payment.

“This is a unique process wherein victims do not need to contact the ransomware actors,” Team Trend Micro wrote. “In fact, there is no way of doing so.”

The heavily automated approach used by DeadBolt is something other ransomware gangs can learn from, they wrote.

“There is a lot of attention on ransomware families that focus on big-game hunting and one-off payments, but it’s also important to keep in mind that ransomware families that focus on spray-and-pray types of attacks such as DeadBolt can also leave a lot of damage to end users and vendors,” the team said.

To protect themselves, organizations need, at a minimum, to keep NAS devices updated and disconnected from the public internet (if a device must be remotely accessible, use a secure VPN), use strong passwords and two-factor authentication, secure connections and ports, and shut down unused and out-of-date services. ®