The IT Nerd

For the last month or so I’ve been writing about QNAP devices being hit by various ransomware strains. Most recently, I said this when news filtered out that QNAP was extending support to end of life devices to fight these sorts of attacks:

The company admits that this is a “special effort to help users protect their devices from today’s security threats”. Which is likely true. But it also is likely an attempt to keep people like yours truly from dumping their QNAP NAS devices and moving to competing brands such as Synology as I don’t hear about such widespread pwnage with those devices, or other devices that QNAP competes against. 

Well, I may have to eat those words as there’s news that Asustor devices are now being hit by Deadbolt ransomware. If that name sounds familiar, it should. It’s one of the strains that has hit QNAP devices:

Asustor NAS owners on Reddit and the official Asustor forums have reported that they’ve fallen victim to a DeadBolt ransomware attack. DeadBolt has been in the wild for some time now, infecting unprotected NAS systems connected to the Internet. The same ransomware previously wreaked havoc on QNAP devices, and it would appear that Asustor was the next target.

DeadBolt’s modus operandi hasn’t changed much. The attacker remotely slips into the victim’s NAS, encrypts the latter’s information, and consequently asks for a ransom in bitcoins. Each victim receives a unique Bitcoin address to send the funds. Once the payment goes through, the criminal sends the victim the decryption key to decrypt the files on the infected NAS system. The perpetrators are asking for 0.03 bitcoin, which by today’s exchange rate is around $1,154. It’s the same sum that the hijackers had demanded from their QNAP victims. Surprisingly, the gang didn’t make Asustor any offers. With QNAP, the group had offered to share the vulnerability details with the company for five bitcoins ($184,000) or sell it the universal decryption master key for 50 bitcoins ($1.85 million)

So it seems that the playbook is the same. Which is that the threat actors go after NAS devices that are exposed to the Internet. Which means that if you don’t have your Asustor NAS exposed to the Internet, and you stop using Asustor’s EZ Connect utility, you don’t have a problem. Or at least as much of a problem.

It does make me wonder if Asus shares some of its NAS hardware and software with QNAP. After all, it does seem kind of weird that two different companies got pwned in this manner. Watch this space for more as I keep an eye on this.

UPDATE: Saumitra Das, CTO and Cofounder, Blue Hexagon provided this commentary:

“Attackers have been targeting a lot of non-PC devices like storage and other IoT type devices (routers, camera) which tend to be less easily patched and not well maintained to gain access to consumer and enterprise networks. In the case of storage devices which today are full-fledged desktops running Linux or Windows or even multiple VMs, lot of unpatched vulnerabilities may exist and remain unpatched specially on the consumer side. Users should keep such devices off the network or create a secondary air gapped or cloud backup of their important data.”

This entry was posted on February 22, 2022 at 10:35 am and is filed under Commentary with tags Asus, Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.