QNAP, a Network Attached Storage (NAS) company, issued a new security alert on Friday, advising consumers to protect their devices against a new wave of DeadBolt ransomware attacks. According to the company, users should upgrade their NAS devices to the latest firmware version and make sure they’re not vulnerable to remote access via the Internet.
“QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running QTS 4.x,” said QNAP. “We are thoroughly investigating the case and will provide further information as soon as possible.”
This warning comes after the business issued three additional advisories since the beginning of 2022, all of which advised customers to keep their gadgets up to date and avoid exposing them to Internet access. It further suggests that all users immediately upgrade their QTS or QuTS hero operating systems on their NAS devices to the newest version.
QNAP said that updating the firmware on a compromised device would allow the built-in Malware Remover application to quarantine the DeadBolt ransom message that has been known to hijack the login page. It further recommends contacting QNAP Support if they cannot discover the ransom letter after updating the firmware and entering the DeadBolt decryption key.
However, before approaching QNAP customer service, consider restoring the DeadBolt page using the instructions on this support page. Because additional ransomware strains, such as Qlocker and eCh0raix, are targeting QNAP systems, all owners should keep their equipment up to date to protect their data from future attacks.
As seen in prior cyberattacks targeting QNAP NAS systems in late January and affecting hundreds of victims, DeadBolt ransomware hijacks the device’s login page to display a message claiming, “WARNING: Your files have been locked by DeadBolt.” When DeadBolt is run on a hacked NAS device, it encrypts data using AES128 and appends a .deadbolt extension to their names. It also alters the /home/httpd/index.html file so that victims can see the ransom note when they access the encrypted device.
The threat actors make a bitcoin transaction to the same bitcoin address with the decryption key beneath the OP_RETURN output after the victims pay a 0.03 bitcoin ransom. Michael Gillespie, a ransomware specialist, has developed a free Windows decryptor that can assist decrypt files without employing the DeadBolt executable.
However, QNAP users who have been infected with this ransomware will still be required to pay the ransom in order to obtain a legitimate decryption key for restoring their data. In February, the DeadBolt ransomware targeted ASUSTOR NAS equipment, purportedly exploiting a zero-day vulnerability.