A new ransomware gang known as "DeadBolt" is targeting QNAP NAS customers using an alleged zero-day vulnerability.
The attacks have impacted vulnerable QNAP network-attached storage (NAS) devices exposed to the internet. DeadBolt, the ransomware at the center, appears to be a new gang and ransomware strain, as initial reports came early this week.
Taiwanese hardware vendor QNAP published a blog Wednesday to confirm the ongoing attacks and urge users to secure their devices. Specifically, the blog provides instructions to users on how to check whether an NAS device is accessible from an external IP address, as well as how to change this by disabling port forwarding and Universal Plug and Play functionality.
"DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users' data for Bitcoin ransom," the post read. "QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version."
According to ransom notes posted by alleged victims and security researchers, DeadBolt is demanding 0.03 bitcoin from victims (currently valued at just over $1,100 USD).
"This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP)," the ransom note read. QNAP NAS users have dealt with other ransomware variants in recent weeks and months, including variants Qlocker and eCh0raix.
The ransom note includes an additional note from DeadBolt to QNAP, claiming the threat actor is targeting users via a zero-day vulnerability and that in order to receive vulnerability details and a universal decryption key, the vendor must send 50 bitcoin (almost $2,000,000 as of this writing) to the threat actor. Alternatively, QNAP can send 5 bitcoin (approximately $190,000 as of this writing) to receive only the vulnerability details.
"Hi, my QNAP NAS drive just got attacked by a [ransomware] that turned all my files to files with a .deadbolt extension. Wondering if this is a new ransomware or if anyone has experience with this?" QNAP NAS forum user "sc1207" wrote. "I Googled it and have not come up with anything as of yet. This [seems] more hardcore than Qlocker, it seems to have taken over the NAS OS as well as encrypting my files, my drive login page has been hijacked by the ransomware into a page for inputting the decryption key. Hopefully someone has a lead on this here because this is getting old, I got attacked by Qlocker and had a real fun time sorting out my files afterwards, hopefully there will be a solution to this one."
One user on the QNAP NAS forums, "citgtech," wrote Wednesday that they had paid the ransom and were given an invalid decryption key.
"We paid the ransom for a client and it didn't work!! My thought is that the instructions say to send .030000 (exactly). I copied and pasted that in Coinbase, but once the transaction has settled it now shows .03000165 instead. I don't know how picky it is since they actually get MORE $, but that's the only reason I can see for it to not have worked. I see the OP_RETURN output as the instructions say, but when I copy/paste the decryption key to the NAS page it just says 'invalid decryption key entered,'" the user wrote. "I guess now we wait for QNAP to do the right thing!"
QNAP NAS forum user "remainz" claimed to have received a customer support message from QNAP recommending to wipe the NAS and restore from a backup.
QNAP did not respond to SearchSecurity's request for comment.
Alexander Culafi is a writer, journalist and podcaster based in Boston.