QNAP, Taiwanese network-attached storage (NAS) manufacturer, issued a warning to customers on Thursday to protect their devices from ransomware attacks that push the DeadBolt payload. The company said that users should upgrade their NAS devices to the newest software version and make sure they’re not vulnerable to remote access via the Internet.
“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” said the NAS maker. “QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.”
To prevent possible attacks, QNAP urged customers with public-facing devices to take the following steps:
- Disable the router’s Port Forwarding feature: Check the Virtual Server, NAT, or Port Forwarding settings in your router’s management interface, and disable the port forwarding settings for the NAS management service port (port 8080 and 433 by default).
- Disable the QNAP NAS’s UPnP feature: On the QTS menu, go to myQNAPcloud, select “Auto Router Configuration,” and uncheck “Enable UPnP Port Forwarding.”
The NAS manufacturer also includes thorough instructions on how to disable SSH and Telnet connections, change device passwords, alter the system port number, and safeguard IP and account access. In April, QNAP also advised NAS owners to stop Universal Plug and Play (UPnP) port forwarding on their routers to avoid being exposed to cyberattacks.
Those who want remote access to NAS devices should enable their router’s VPN function (if available), employ the myQNAPcloud Link service, and the VPN server offered by the QVPN Service software on QNAP devices, or use the QuWAN SD-WAN solution. With additional ransomware families like Qlocker and eCh0raix targeting QNAP devices, all owners should follow the steps listed above to protect their data from further attacks.
DeadBolt ransomware hijacks the QNAP device’s login page to show a message claiming, “WARNING: Your files have been locked by DeadBolt.” It was first discovered in attacks targeting QNAP NAS systems in late January. This ransomware encrypts files using AES128 and appends a .deadbolt extension after being installed on a NAS drive.
DeadBolt changes the /home/httpd/index.html file with the ransom screen when victims access the hacked device. After the ransom payment, threat actors send a bitcoin transaction with the victim’s decryption key to the same bitcoin ransom address (the decryption key may be found in the OP_RETURN output). Michael Gillespie, a ransomware specialist, has produced a free Windows decryptor that can help you decrypt files without using the ransomware executable.
However, owners of QNAP devices infected with the DeadBolt ransomware will be required to pay the ransom to obtain a legitimate decryption key. In February, the DeadBolt ransomware made a comeback when it targeted ASUSTOR NAS devices and exploited a 0-day flaw.