
QNAP warns NAS users of DeadBolt ransomware, urges customers to update

Jan, 27, 2022 Hi-network.com

Taiwanese network-attached storage giant QNAP urged its customers to update their systems this week after the DeadBolt ransomware was discovered targeting all NAS instances exposed to the internet.


"QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version," the company said in a statement. 

Attached to the statement is a detailed guide for customers, noting that if you go to the Security Counselor on your QNAP NAS and see "The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP" on the dashboard, you are at high risk. 

"If your NAS is exposed to the Internet, please follow the instructions below to ensure NAS security: Go to the management interface of your router, check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 443 by default)," the company said. 

"Go to myQNAPcloud on the QTS menu, click 'Auto Router Configuration', and unselect 'Enable UPnP Port forwarding'."
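As an added illustration (not from QNAP's advisory or this article), the following Python checks a router's UPnP mapping table for entries that forward traffic to the NAS management ports named above. It assumes the miniupnpc `upnpc` tool (`upnpc -l` lists mappings, `upnpc -d <port> <proto>` deletes one) and uses a constructed sample of its output rather than a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample of miniupnpc `upnpc -l` output (not captured from a real router).
SAMPLE_UPNPC_OUTPUT = """\
Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
Local LAN ip address : 192.168.1.50
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080 'QNAP NAS 8080 TCP' '' 0
 1 TCP   443->192.168.1.50:443 'QNAP NAS 443 TCP' '' 0
 2 UDP 51413->192.168.1.20:51413 'torrent client' '' 0
 3 TCP 32400->192.168.1.50:32400 'Plex' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# One mapping row: index, protocol, external port, internal address:port, 'description'
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+(?:\.\d+){3}):(\d+)\s+'([^']*)'")

@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_addr: str
    int_port: int
    desc: str

def parse_mappings(text):
    """Extract the port-mapping rows from `upnpc -l` output."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            proto, ext, addr, intp, desc = m.groups()
            rows.append(Mapping(proto, int(ext), addr, int(intp), desc))
    return rows

# QTS management ports named in the advisory; adjust if the NAS uses custom ports.
MGMT_PORTS = frozenset({8080, 443})

def risky_mappings(text, nas_ip, mgmt_ports=MGMT_PORTS):
    """Mappings that forward any external port to the NAS management service."""
    return [m for m in parse_mappings(text)
            if m.int_addr == nas_ip and m.int_port in mgmt_ports]

def removal_commands(mappings):
    """`upnpc -d <extPort> <proto>` deletes a mapping by external port and protocol."""
    return [f"upnpc -d {m.ext_port} {m.proto}" for m in mappings]
```

Run `risky_mappings(open("upnpc.txt").read(), "<NAS LAN IP>")` against a saved `upnpc -l` listing; any hit is a forwarding rule to remove, and the UPnP option in myQNAPcloud should be disabled so the NAS cannot re-create it.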

Two days ago, dozens of people took to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files. Even an MIT professor was hit. 

I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50TB of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start. pic.twitter.com/E8ZkyIbdfp

- Lex Fridman (@lexfridman) January 27, 2022

One user on Reddit said they were saved because they had a folder titled "Absolutely Worthless" at the top of their directory full of data. The ransomware started with that folder, giving them time to pull the plug before it encrypted anything of value. 

The ransom note demands 0.03 Bitcoin for the decryption key and says, "You have been targeted because of the inadequate security provided by your vendor (QNAP)." At least one user on Reddit reported paying the ransom and not receiving the decryption key. 


On the QNAP message board, someone shared a message from the Deadbolt ransomware group that was allegedly sent to QNAP. 

"All you affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage," the group said.  

The group demanded a Bitcoin payment of 5 BTC in exchange for details about an alleged zero day used to launch the attack or 50 BTC for a universal decryption master key and information about the zero day. 

"There is no way to contact us. These are our only offers," the alleged message says. 

QNAP did not respond to requests for comment about whether a zero day was used during the attack. 

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said QNAP NAS devices have been a frequent target of ransomware groups, including by the QLocker ransomware in April 2021 and January 2021, as well as the ech0raix ransomware in December 2020. QNAP has also been hit by malware in the past. 

"The latest activity -- which has been attributed to the Deadbolt ransomware -- is reportedly unsophisticated and relies on targeting unpatched devices. Mitigation for this attack -- and other similar ransomware variants -- can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates," Morgan explained. 

Vulcan Cyber's Mike Parkin questioned why an organization would have a NAS system exposed on the internet in the first place, noting that while there may be some business cases for making mass storage available to outsiders, there is no reason to have administrative functions available through an unencrypted, unauthenticated connection. 

"Cases like this highlight how important it is to be sure systems are deployed and maintained to industry best practices. Network scanning and vulnerability management tools can work together to identify risky configurations after the fact, but it's always best to make sure systems are deployed securely in the first place," Parkin said. 
