QNAP, a manufacturer of data storage devices, sent a warning to its clients over the weekend, stating that the DeadBolt ransomware organization was exploiting a zero-day vulnerability that had just been patched.
The security team at QNAP informed The Record on September 3 that they had uncovered a new DeadBolt campaign. The spokesman warned that there is a “high risk” if an internet-connected NAS installs the program Photo Station.
QNAP did not disclose a Common Vulnerability and Exposure number (CVE) or provide context for the incident. However, in an advisory, the business claimed that it had patched the Photo Station flaw within 12 hours of its exploitation by DeadBolt actors.
It recommended that consumers take other precautions, including avoiding leaving their devices connected to the internet, as previously warned. Users should also create backups or take snapshots of their computers to protect data in the case of an infestation.
Instead of Photo Station, the business recommends utilizing QuMagie, a photo management program compatible with QNAP NAS devices.
Months Of Attacks
Since January, the DeadBolt ransomware organization has been alleged to have attacked thousands of QNAP customers utilizing the company's NAS systems, demanding a ransom of 0.03 Bitcoin ($1,100) for the decryption key.
After the group's initial attacks in January, which affected around 3,600 devices, they kept popping up with new campaigns in March, May, and June. Customers' laments at losing files, which included family photo albums, wedding movies, and more, have flooded Reddit and other message boards. Scores of users have posted on Reddit about being targeted in the latest wave of attacks.
The hackers sent a note to QNAP in which they demanded 5 Bitcoin (around $93,900 at the time) to reveal information about the alleged zero-day vulnerabilities they used to attack QNAP users and another 50 Bitcoin (around $939,900) to release a master decryption key that would unlock all of the victims' files.
QNAP did not respond to The Record's request for comment on whether or not the company has considered paying the ransom for the universal decryption key.
Still, a company spokesperson did say that the company's investigation has revealed that the group is targeting “legacy versions with known vulnerabilities for which security updates are available.”
I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50tb of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start. pic.twitter.com/E8ZkyIbdfp
— Lex Fridman (@lexfridman) January 27, 2022
Users are strongly urged to keep NAS systems from being accessible online. “It's important always to have the most recent hardware and software versions,” the representative added.
As soon as the company became aware of the infections in January, it began urging users to upgrade to the most recent version of QTS, the Linux-based operating system developed by the Taiwanese firm for use on its gadgets.
Later, though, QNAP took more severe measures, including a mandatory update to the most recent version of the universal software for all NAS systems in December.
Several users have questioned QNAP's claim that only unpatched devices are vulnerable to attacks.
After some victims reported problems with the DeadBolt decryptor they received after paying a ransom, security firm Emsisoft developed its version of a DeadBolt decryptor.
However, it is useless to obtain the decryption key without paying the ransom demanded by the DeadBolt cybercriminals.
QNAP users who got hit by DeadBolt and paid the ransom are now struggling to decrypt their data because a forced firmware update issued by @QNAP_nas removed the payload that is required for decryption. If you are affected, please use our tool instead. https://t.co/6fvO8ntvrU
— Fabian Wosar (@fwosar) January 30, 2022
Security company Censys reported that of the total 130,000 QNAP NAS devices sold, 4,988 services “exhibited the telltale signs of this specific piece of ransomware.”
Censys discovered that of the previous set of victims, 132 paid ransoms of around $188,000 through Bitcoin wallet transactions related to an infection. The organization also built a dashboard to monitor casualties in different regions.
Recent infections have been concentrated in the United States, Germany, and the United Kingdom.
External storage devices belonging to other companies have also been breached. After numerous customers of Asustor's NAS devices reported being attacked, the company issued a warning in February about the possibility of infection with the DeadBolt ransomware.
QNAP has warned about many types of ransomware, including Checkmate and ech0raix, threatening their users.