A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide with an alleged zero-day vulnerability in device software.
The attacks started when QNAP devices suddenly encrypted their files and found filenames with the .deadbolt file extension.
Instead of creating ransom notes in each device folder, the QNAP device login page is hacked to show a screen that says “WARNING: Your files have been locked by DeadBolt” as shown in the image below.
Source: Twitter
This screen informs the victim that they have to pay 0.03 bitcoins (approximately $ 1,100) to an attached Bitcoin address that is unique to each victim.
After the payment is made, the threat actors claim that they will make a subsequent transaction to the same address that contains the decryption key, which can be recovered using the following instructions.
Source: landski at BleepingComputer
This decryption key can then be entered into the screen to decrypt the device’s files.
QNAP has told BleepingComputer that users can bypass the ransom screen and access their admin page by using the http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi URLs.
As with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.
As the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users disconnect their devices from the Internet and place them behind a firewall.
QNAP further announced that their Product Security Incident Response Team (PSIRT) is investigating the attack vectors now and that owners should follow these steps to protect their data and NAS.
With QNAP owners being targeted by ongoing attacks from two other ransomware families known as Qlocker and eCh0raix, all owners should follow these steps to prevent future attacks.
BleepingComputer has created a DeadBolt ransomware support topic that can be used to discuss the attacks and potentially receive help from other QNAP owners.
Attackers demand 50 bitcoin for master key
On the main ransom note screen, there is a link titled “important message for QNAP”, which when clicked will display a message from the QNAP specific DeadBolt group.
In this screenshot, the DeadBolt ransomware gang provides full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $ 184,000.
They are also willing to sell QNAP the master decryption key that can decrypt files for all affected victims and zero-day information for 50 bitcoins, which is about $ 1.85 million.
“Make a 50 BTC bitcoin payment to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” the threat actors wrote in a message to QNAP.
“You will receive a universal decryption key (and instructions) that can be used to unlock all your customers’ files. Additionally, we will send you full details of the zero-day vulnerability to [email protected]
Source: Twitter
The ransomware gang further states that there is no way to contact them other than through Bitcoin payments.
This method of communication is a very different approach than other ransomware attacks that usually provide some form of communication, whether through a dedicated Tor website, email, or messaging platforms.
QNAP force updates to
On January 26th, QNAP began force-updating customers’ NAS devices to firmware version 5.0.0.1891, which is the latest universal firmware released on December 23rd, 2021.
QNAP told announced that they forced-installed this update as they believe the threat actors are using a remote code execution vulnerability fixed in the 5.0.0.1891 firmware version.
However, a customer posted to the QNAP forum stating that they were encrypted even when they had this firmware version installed, indicating that the threat actors are likely exploiting a different vulnerability.
“Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3,” the NAS owner posted to the QNAP forums.
After asking for a comment on this, QNAP conceded that it could be another vulnerability exploited by the threat actors.
“All the information we have shows DEADBOLT could be prevented with the build. Theoretically, we cannot exclude the possibility that there is the other vulnerability exploited. We are also interested in the user’s observation,” QNAP announced.
“If possible, we would suggest users with similar situation could submit a ticket to Technical Support.”
QNAP also mentioned that the update should only have been installed by those with the ‘Recommended version’ setting enabled in the Auto Updates settings, as shown below.
QNAP asks customers to contact technical support if they are still receiving updates with that setting unchecked.
DeadBolt technical details
When a QNAP NAS device is compromised, the threat actors will install the DeadBolt malware executable as a randomly named file in the /mnt/HDA_ROOT/ folder. For example, the DeadBolt ransomware executable could be located at /mnt/HDA_ROOT/27855.
Ransomware expert Michael Gillespie told BleepingComputer that ransomware is initially launched with a config file, which likely contains various data, including an encryption key used to encrypt files.
The initial command to encrypt files is:
[random_file_name] -e [config] /shareThe /share folder is where QNAP NAS devices store user folders and files.
When encrypting files, the ransomware will only target files with the following file extensions:
.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accdc, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avhd, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkf, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfp, .cgm, .cib, .class, .cls, .cmt, .conf, .cpi, .cpp, .cr2, .craw, .crl, .crt, .crw, .csh, .csl, .csr, .csv, .dac, .dat, .db3, .db4, .db_journal, .dbc, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dev, .dgc, .disk, .djvu, .dng, .doc, .docm, .docx, .dot, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gdb, .git, .gray, .grey, .gry, .hbk, .hdd, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iso, .jar, .java, .jpe, .jpeg, .jpg, .jrs, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .mail, .max, .mdb, .mdbx, .mdc, .mdf, .mef, .mfw, .mkv, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msi, .myd, .ndd, .nef, .nk2, .nop, .nrg, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nsn, .nwb, .nx2, .nxl, .nyf, .obj, .oda, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .ova, .ovf, .p12, .p7b, .p7c, .p7r, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pio, .piz, .plc, .pmf, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps1, .psafe3, .psd, .pspimage, .pst, .ptx, .pvi, .pvk, .pyc, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdb, .sdf, .sl3, .sldm, .sldx, .spc, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tex, .tga, .thm, .tiff, .tlg, .txt, .vbk, .vbm, .vbox, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmem, .vmfx, .vmsd, .vmx, .vmxf, .vob, .vsd, .vsdx, .vsv, .wallet, .wav, .wb2, .wdb, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xvd, .ycbcra, .yuv, .zip
Gillespie says the files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names. For example, test.jpg will be encrypted and renamed to test.jpg.deadbolt.
DeadBolt will also replace the /home/httpd/index.html file so that when victims access the device, they will see the ransom screen demanding a ransom of 0.03 bitcoins to a specified bitcoin address.
If a ransom is paid, the threat actors will create a bitcoin transaction to the same bitcoin ransom address that contains the decryption key for the victim. The decryption key is located under the OP_RETURN output, as shown below.
Source: BleepingComputer
When you enter this key into the ransom note screen, the web page will convert it into a SHA256 hash and compare it to the SHA256 hash of the victim’s decryption key and the SHA256 hash of the master decryption key.
The SHA256 hash for the master decryption key is 93f21756aeeb5a9547cc62dea8d58581b0da4f23286f14d10559e6f89b078052.
If the decryption key matches either SHA256 hash, it will decrypt the files using the following command:
/mnt/HDA_ROOT/[encryptor_name] -d "[decryption_key]" /shareMultiple victims have reported paying the ransom and receiving a decryption key that has successfully decrypted their files.
However, QNAP’s forced firmware updates are causing the executable and index.html ransom screen to be deleted from the device, which prevents the decryption of files.
Gillespie has created a free Windows decryptor that can be downloaded from Emsisoft and decrypt files without needing the ransomware executable. However, users will still need a valid decryption key, which QNAP owners can only obtain at this time by paying a ransom.