Over 3,000 QNAP devices affected by the DeadBolt ransomware

February 22, 2022

Researchers discovered a new ransomware operation called DeadBolt that has already hit many QNAP NAS devices by encrypting their data. According to the latest reports, the ransomware has targeted and affected approximately 3,600 QNAP devices worldwide.

The DeadBolt threat actors exploit a zero-day flaw to compromise QNAP devices and then encrypt the files with their ransomware.

Researchers also found that the DeadBolt group has already encrypted over a thousand QNAP devices. The United Kingdom, France, Italy, Taiwan, and the United States are the most affected countries.

DeadBolt's operators replace the device's regular HTML login page with a ransom message demanding about $1,100 (0.03 bitcoin) for the decryption key the victim needs to restore the data.
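Because the visible indicator described above is a replaced login page, one defender-side check is to baseline the NAS login page and alert when it changes and starts carrying ransom-note wording. This is an added example, not code from the article or from QNAP; the two sample pages are constructed (not the real QNAP login page or the real DeadBolt note) and the NAS URL is an assumption.

```python
import hashlib
import re
import urllib.request

# Constructed sample pages for offline use (not the real QNAP login page or DeadBolt note).
KNOWN_GOOD_LOGIN = b"<html><head><title>NAS Login</title></head><body><form>user/pass</form></body></html>"
SUSPECT_PAGE = (b"<html><body><h1>ALL YOUR FILES HAVE BEEN LOCKED</h1>"
                b"<p>Send 0.03 bitcoin to get the decryption key</p></body></html>")

# Words a login page should never contain but a ransom note typically does.
RANSOM_MARKERS = ("bitcoin", "btc", "decrypt", "ransom", "locked")


def fingerprint(html: bytes) -> str:
    """Hash the page with all whitespace stripped, so whitespace-only differences don't alert."""
    normalised = re.sub(rb"\s+", b"", html).lower()
    return hashlib.sha256(normalised).hexdigest()


def assess_login_page(html: bytes, baseline_hash: str) -> dict:
    """Compare the live login page with the known-good baseline and look for ransom-note wording."""
    text = html.decode("utf-8", errors="replace").lower()
    markers = [m for m in RANSOM_MARKERS if m in text]
    changed = fingerprint(html) != baseline_hash
    if changed and markers:
        verdict = "likely-defaced"   # page replaced and reads like a ransom note
    elif changed:
        verdict = "changed"          # page differs from baseline; review (could be a firmware update)
    else:
        verdict = "ok"
    return {"changed": changed, "ransom_markers": markers, "verdict": verdict}


def fetch(url: str, timeout: float = 5.0) -> bytes:
    """Fetch a NAS login page; only used when run against a real device on your own network."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    baseline = fingerprint(KNOWN_GOOD_LOGIN)   # record this once, while the device is known clean
    print(assess_login_page(KNOWN_GOOD_LOGIN, baseline))
    print(assess_login_page(SUSPECT_PAGE, baseline))
    # Against a real device (assumed URL): assess_login_page(fetch("http://nas.local:8080/"), baseline)
```

Record the baseline hash while the device is known to be clean, and re-baseline after a legitimate firmware update changes the login page.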

They also offer a master decryption key that can decrypt every affected QNAP device for five bitcoins, about $185,000. The threat actors further demand another 50 bitcoins in exchange for details of the alleged critical zero-day vulnerability; at current prices, 50 bitcoins is nearly $20 million.


After the attack, QNAP immediately warned its customers to protect their NAS devices against the DeadBolt ransomware by disabling port forwarding and UPnP and by updating QTS to the latest version.


As a precaution, QNAP force-updated the firmware of every NAS device to the latest version, which dated back to December of last year.

The outbreak also pushed QNAP to apply the recent firmware update even on devices that had automatic updates disabled. Researchers said the update included several fixes, most of them related to Samba.

The mandatory firmware update also removed the ransomware executable and the ransom screen from infected NAS devices.

In recent campaigns, ransomware operators waste no time exploiting any zero-day vulnerability they obtain. The threat groups move quickly when they have the chance to attack with a zero-day because fixes and updates usually come late.

Administrators should always ensure that every device inside an organisation is kept updated and is not exposed.
