DeadBolt Ransomware Targets QNAP Devices In The Latest Ransomware Attack On QNAP Devices

If you own a QNAP NAS like I do, you’ve likely seen reports of various ransomware attacks on these devices over the last few months. The latest of these attacks is the DeadBolt ransomware, which started to appear yesterday. It claims to leverage a zero-day exploit and encrypts all your files unless you pay 0.03 bitcoins (approximately $1,100 USD). But as usual, paying the ransom will not guarantee that you get your files back.

One thing that’s unique about this latest ransomware strain is that the threat actors are also targeting QNAP:

On the main ransom note screen, there is a link titled “important message for QNAP,” that when clicked, will display a message from the DeadBolt gang specifically for QNAP.

On this screen, the DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000.

They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.

“Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” the threat actors wrote in a message to QNAP.

“You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com.”

That’s novel.

This follows other ransomware attacks on QNAP devices, specifically Qlocker and eCh0raix, which have been around for a while. All of these ransomware strains have one thing in common: they target Internet-exposed QNAP NAS devices. Thus your first course of action needs to be to take your QNAP NAS off the Internet and stick it behind a firewall. These instructions can help you with that. Your next course of action is to follow these instructions, which have suggestions from QNAP on securing your NAS. Now in my case, my NAS isn’t exposed to the Internet. In fact, it never has been, as I’ve always considered that to be a massive security risk. I also run QNAP’s Malware Remover to add an extra level of security.

But that doesn’t change the fact that QNAP clearly has some serious security issues that allow these ransomware attacks to take place, as I don’t hear about similar attacks from other NAS vendors. Thus it would make sense for me to consider purchasing another brand of NAS, as QNAP NAS devices have some extremely serious security issues that clearly haven’t been addressed. Which means that QNAP really needs to step up their security game or more bad things will happen to them, such as lost market share.

4 Responses to “DeadBolt Ransomware Targets QNAP Devices In The Latest Ransomware Attack On QNAP Devices”

  1. […] is one of these situations where the cure might be worse than the disease. I’ve reported on the latest ransomware attack aimed at QNAP NAS devices and in that story, I made this […]

  2. […] might recall that I wrote about unknown threat actors targeting Internet exposed QNAP devices with ransomware. And that QNAP was force feeding updates to users to try and address this. This story continues […]

  3. […] is a company that is under some degree of pressure thanks to a string of ransomware attacks that led to perhaps thousands of Internet facing NAS devices getting pwned by threat actors. And it […]

  4. […] devices against attacks pushing the now notorious DeadBolt ransomware which has gone after both QNAP and ASUS NAS devices in the past. The warning from QNAP asks users to do the […]
