Deadbolt ransomware comes back and infects more than 1100 QNAP devices

Another wave of the ransomware attack started mid-March on QNAP

QNAP devices hit by the same ransomware months after

The ransomware resurfaced again with a new attack on the network-attached storage devices from a Taiwan-based vendor. This attack is similar to one that affected the devices in January.^[1] DeadBolt ransomware came out with the new attack after a while and targeted the NAS devices.^[2] The attack was successfully detected due to the particular way DeadBolt ransomware creators communicate with victims.

The attack surface reports show that infection on the QNAP gear started on March 16, and total infections were 373 that day only. Researchers report that number of affected devices rose to 1,146 by the 19th of March. The same ransomware gang has already affected these devices.^[3]

Back in January company released unplanned updates to these NAS devices to clear the damage that DeadBolt cryptovirus left. Back then customers received ransomware creators' pop-ups once logged in, and they were locked out of their devices. The security update was not welcomed by users.^[4]

The new wave of attacks with the same old pattern

These new instances follow the pattern of the wave in January. Those facts include that the majority of targeted victims are users of the QNAP QTS Linux kernel version 5.10.60. This is the newer version that came out after the update was released to customers in January.

It is, however, not clear if the attack campaign is new and targeting different versions of the preparing system or it is the original attack that exploits QNAP devices without a patch. A different feature of the new infection chain and attacks at the beginning of this year is the target. This time attackers do not target a particular organization or country. Victims are split into various consumer internet service providers.

The previous attack of DeadBolt ransomware involved exploitation of the zero-day vulnerability and the demand of 50 Bitcoin in exchange for the master key that could unlock files encoded and marked using .deadbolt extension.

If every victim had paid the ransom, this attack would have netted the hackers about $4,484,700.

This is a common feature for criminals like this, but paying is not the best option, and a solution like this is considered risky for a reason. The particular remote code execution vulnerability supposedly was fixed with the newer versions, and the force-installed updates helped.^[5]

Another round of frustration for customers

At the peak of the attacks a few months back, researchers found almost 5000 devices infected by DeadBolt ransomware. The company jumped to action and reacted as soon as possible to release the firmware update that supposedly fixed issues. The immediate release of the updates was not taken positively by customers. Another issue with the QNAP NAS device might cause backlash again.

This attack involves the same Deadbolt ransomware virus and the same ransom as the previous attacks on QNAP devices. The only thing about the infection that got changed was the addresses for the cryptocurrency transfers. This time attackers ask for the 0.03 Bitcoin for the decryption key which is equivalent to $1223 at the time of writing.

The threat actors also demand payment from the QNAP company, and it is 5 Bitcoins for the information that particularly exposes the vulnerabilities used to attack devices. Also, the same 50 Bitcoin for the master key is needed for the decryption of all affected devices. This is not the only company encountering this ransomware recently, so attackers are obviously motivated by financial gains.