A new ransomware gang called DeadBolt is encrypting QNAP NAS systems around the world, claiming that the device’s firmware has a zero-day vulnerability. The attacks began on January 25th, when QNAP owners discovered that the files on their devices had been encrypted and that a .deadbolt extension had been appended to the file names.
Instead of writing ransom notes into every folder on the device, the attackers hijack the QNAP device’s login page to display a message reading, “WARNING: Your files have been locked by DeadBolt.” This screen instructs the victim to send 0.03 bitcoins (about $1,100) to a Bitcoin address that is different for every victim.
Following payment, the threat actors claim they will send a follow-up transaction to the same address containing the decryption key, which the victim can retrieve by following the instructions provided. The victim can then enter this key into the screen to decrypt the device’s files. However, there is no guarantee that paying a ransom will result in the receipt of a decryption key or that users will be able to decrypt their files.
BleepingComputer reported some fifteen victims of the DeadBolt ransomware attack, with no specific region being targeted.
The DeadBolt attacks, like all other ransomware attacks against QNAP devices, only impact machines that are connected to the Internet. Because the threat actors claim to be using a zero-day vulnerability, all QNAP customers are strongly urged to disconnect their devices from the Internet and place them behind a firewall. Because QNAP owners are also being targeted by two other ransomware families, Qlocker and eCh0raix, all owners must follow these preventive measures to avoid future attacks.