Geekzone: technology news, blogs, forums


Technofreak

6656 posts

Uber Geek
+1 received by user: 3474

Trusted

#298765 14-Jul-2022 15:16

Our QNAP server got hit by a Deadbolt ransomware attack last night. All affected file names have a .deadbolt extension.

 

Fortunately we do have a backup but it is not right up to date. We run a real-time backup to an external drive which we then swap out every few weeks. Yes, I know it should be done more often and we wouldn't have this "little" problem. After having a corrupted backup disk in the early days using the on-board eject option I resorted to shutting down the NAS each time I swapped the backup disk. This takes time so consequently the swapping isn't as often as it should be.

 

We have access to most of the files but we have quite a few important recently created files which we would very much like to retrieve. It looks like the only way of doing that is to pay the ransom of 0.03 bitcoin. Not an insurmountable amount but still significant enough.

 

Questions.

 

     

  1. How likely is it that a third party could decrypt the files? From my research, not very likely.
  2. Has anyone been through the process of paying the Deadbolt ransom and unlocking the files? How did it go?
  3. Not having a bitcoin account, how hard is it to set up an account and buy bitcoin?

 

 

 

Thanks for any help.





Sony Xperia XA2 running Sailfish OS. https://sailfishos.org The true independent open source mobile OS 
Samsung Galaxy Tab S6
Dell Inspiron 14z i5
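Before deciding whether the ransom is worth it, the first thing to establish is exactly which encrypted files the stale backup disk does not cover. The script below is an added example for the situation in the post above, not code from the thread or from QNAP. It assumes the malware only appended ".deadbolt" to the original file name (the post reports that extension) and that the backup disk mirrors the share's directory layout; the share path, backup path and sample file names are hypothetical.

```python
"""Inventory the files a '.deadbolt'-style renamer hit, and work out which of
them the last offline backup disk still covers.

Added illustration, not from the original thread or from QNAP. Assumes the
malware only appended SUFFIX to each original name and that the backup tree
mirrors the share's layout. Run it against a read-only mount of the share and
the mounted backup disk; nothing here writes to either tree.
"""
from __future__ import annotations

import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

SUFFIX = ".deadbolt"  # extension reported in the post


@dataclass
class GapReport:
    covered: list[Path] = field(default_factory=list)  # original exists on the backup disk
    missing: list[Path] = field(default_factory=list)  # no copy anywhere: ransom or recreate
    missing_bytes: int = 0                             # size of the ciphertext, a rough proxy

    def summary(self) -> str:
        return (f"{len(self.covered)} encrypted file(s) have a backup copy (possibly stale); "
                f"{len(self.missing)} do not ({self.missing_bytes} bytes)")


def find_encrypted(root: Path, suffix: str = SUFFIX) -> list[Path]:
    """Every file under root whose name ends in the ransomware suffix, as paths
    relative to root so they can be matched against the backup tree."""
    return sorted(p.relative_to(root) for p in root.rglob("*" + suffix) if p.is_file())


def original_path(rel: Path, suffix: str = SUFFIX) -> Path:
    """Strip the appended suffix: 'invoice.xlsx.deadbolt' -> 'invoice.xlsx'."""
    if not rel.name.endswith(suffix):
        raise ValueError(f"{rel} does not end in {suffix}")
    return rel.with_name(rel.name[: -len(suffix)])


def gap_against_backup(share: Path, backup: Path) -> GapReport:
    """Classify each encrypted file by whether its original is on the backup disk.
    Ciphertext cannot be compared with the backup copy, so 'covered' only means a
    copy exists; check its modification time against the last disk swap yourself."""
    report = GapReport()
    for rel in find_encrypted(share):
        orig = original_path(rel)
        if (backup / orig).is_file():
            report.covered.append(orig)
        else:
            report.missing.append(orig)
            report.missing_bytes += (share / rel).stat().st_size
    return report


def _write(path: Path, size: int) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"\x00" * size)


def demo() -> GapReport:
    """Constructed sample: a share after the attack and a backup disk that was
    last swapped before the July ledger existed. File names are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backup = Path(tmp, "share"), Path(tmp, "backup")
        _write(share / "accounts" / ("2022-06-ledger.xlsx" + SUFFIX), 4096)
        _write(share / "accounts" / ("2022-07-ledger.xlsx" + SUFFIX), 8192)
        _write(share / "readme.txt", 10)                          # untouched, not reported
        _write(backup / "accounts" / "2022-06-ledger.xlsx", 4096)
        return gap_against_backup(share, backup)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(gap_against_backup(Path(sys.argv[1]), Path(sys.argv[2])).summary())
    else:
        print(demo().summary())
```

Run it as `python gap.py /mnt/share /mnt/backup` (paths hypothetical). The `missing` list is the real decision input: those are the files that exist nowhere but as ciphertext, so they are the only ones the ransom could buy back. Everything in `covered` has a copy, but for this thread "a copy" means "as of the last disk swap", so compare each copy's modification time against that date before counting it as recovered.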



xpd

xpd
Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2941896 14-Jul-2022 15:50

1) Unlikely unless a key was released somewhere.

 

2) Yes, worked for a company where it had to be done (for a 3rd party - we advised against it but they insisted) - luckily it worked (for a price obviously). YMMV however depending on the group holding the keys.

 

 

 

Work out how much it cost to create the files compared to how much you'd pay the *****. What's cheaper?

 

And once you've paid, what's to stop them from re-infecting you again? It's just not worth paying really, as you only fund them to go on and do more and hurt people that can't afford to pay.

 

 





XPD / Gavin

 

LinkTree

 

 

 




Technofreak

6656 posts

Uber Geek
+1 received by user: 3474

Trusted

  #2941900 14-Jul-2022 16:09

xpd:

 

1) Unlikely unless a key was released somewhere.

 

2) Yes, worked for a company where it had to be done (for a 3rd party - we advised against it but they insisted) - luckily it worked (for a price obviously). YMMV however depending on the group holding the keys.

 

 

 

Work out how much it cost to create the files compared to how much you'd pay the *****. What's cheaper?

 

And once you've paid, what's to stop them from re-infecting you again? It's just not worth paying really, as you only fund them to go on and do more and hurt people that can't afford to pay.

 

 

 

 

If it were just a matter of creating the files. Most of the files are records that cannot be easily recreated.

 

What's to stop it happening again? There's a newer version of NAS firmware. Another option is to disable the remote access option, which is where the vulnerability was. It's also been a trigger for us to look at different options.

 

If I had been more diligent with swapping the back up disk it wouldn't have mattered.

 

I've calculated the price to be just under NZ$2k. Probably cheaper than the time lost and inconvenience created not having access to those files and/or trying to recreate them.

 

Yes, I know paying up just keeps them going and that goes against the grain. Sometimes there isn't too much choice unfortunately.







Peppery
919 posts

Ultimate Geek
+1 received by user: 188

Trusted

  #2941977 14-Jul-2022 19:06

Technofreak:

 

What's to stop it happening again? There's a newer version of NAS firmware. Another option is to disable the remote access option, which is where the vulnerability was. It's also been a trigger for us to look at different options.

 

 

Definitely disable remote access and instead use a VPN (such as Tailscale) if you require offsite access to any NAS. If it's possible I'd definitely recommend doing a complete format/reinstall of the NAS OS.

 

Most NAS vendors have had ransomware incidents via remote access at this point but simply using a VPN mitigates much of the risk.

 

Technofreak:

 

If I had been more diligent with swapping the back up disk it wouldn't have mattered.

 

 

You could set up another device (like a Pi) to pull the backups off the NAS, or alternatively cloud backup services are pretty cheap these days.




Technofreak

6656 posts

Uber Geek
+1 received by user: 3474

Trusted

  #2942001 14-Jul-2022 20:25

Peppery:

 

Definitely disable remote access and instead use a VPN (such as Tailscale) if you require offsite access to any NAS. If it's possible I'd definitely recommend doing a complete format/reinstall of the NAS OS.

 

Most NAS vendors have had ransomware incidents via remote access at this point but simply using a VPN mitigates much of the risk.

 

 

 

You could set up another device (like a Pi) to pull the backups off the NAS, or alternatively cloud backup services are pretty cheap these days.

 

 

I tried setting up a VPN at the start but couldn't get it to work so went with the QNAP remote access option. I'll have another look at the VPN option if we stick with the NAS.

 

If we stick with the NAS option (we are considering a full cloud option) I will be doing a fresh install of the NAS OS. QNAP instructions are to install the updated firmware which also has a Deadbolt removal tool but of course that doesn't unlock your files.

 

I had thought about using something like a Pi to swap between backup disks. I used the current method for two reasons: to mitigate against an attack like this or a loss of data through other causes, plus the disk not in use was kept offsite to safeguard against fire.

 

It has been suggested using OneDrive since we already have it with MS365. If we do that, we need to get the sharing set up so that at least two people/accounts can access the folders.

 

The more we think it through, we may be able to avoid paying any ransom, which is our preferred option for several reasons, though we will still lose some data. It will be a pain but a lot of stuff is contained in email attachments etc. Will take some time searching through the various sources.

 

However in the meantime any tips on getting set up with bitcoin would be appreciated.







ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted
Lifetime subscriber

  #2942013 14-Jul-2022 21:39

Q:

Technofreak: ... However in the meantime any tips on getting set up with bitcoin would be appreciated.

 

A: Very easy

 

None of this is financial advice or a list of steps of how to do this securely / anonymously / correctly.

 

     

  1. Sign-up online with the likes of Coinbase, get your address & keys / password
  2. Buy crypto using CC

 

Or

 

     

  1. Sign-up at the likes of https://easycrypto.com/nz or https://www.bitprime.co.nz/
  2. Create crypto wallet address.
  3. Buy crypto using CC

 

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


Technofreak

6656 posts

Uber Geek
+1 received by user: 3474

Trusted

  #2942029 14-Jul-2022 22:18

@ANglEAUT

 

Thank you.





dacraka
771 posts

Ultimate Geek
+1 received by user: 165

ID Verified
Trusted

  #2942039 14-Jul-2022 23:38

Just answering the question of paying the ransom (which I highly discourage). I won't go into detail why, as others have already pointed out the bad points about it (including yourself).

 

Use https://easycrypto.com/nz; you can then pay from your NZ bank account directly to their Bitcoin address without having to create a Bitcoin wallet yourself (saves you a step).


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2942052 15-Jul-2022 07:03

If you’re a business paying a ransom can actually get you in further trouble. You shouldn’t ever do it. You’re not guaranteed to get your data back and you’re opening yourself up as a paying target. It is seriously a stupid move to ever pay a ransom.

Report the incident to CERT NZ and move on: https://www.cert.govt.nz/business/common-threats/ransomware/

Your lesson here is have backups of your important data for the future. Consider this data as lost.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted
Lifetime subscriber

  #2942063 15-Jul-2022 08:57

michaelmurfy: If you’re a business paying a ransom can actually get you in further trouble. ...

 

This is very true in the USA. If the people you pay are found to support a government or company that is on a sanctions list, you can be in for a world of hurt.

 

 







dt

dt
1152 posts

Uber Geek
+1 received by user: 371
Inactive user


  #2942080 15-Jul-2022 09:43

ANglEAUT:

 

This is very true in the USA. If the people you pay are found to support a government or company that is on a sanctions list, you can be in for a world of hurt.

 

 

 

 

Could actually be the same here - wife is a commercial banker and the amount of work they have to do ensuring they are not in breach of AML or ensuring they aren't linked to sanctioned countries/businesses takes up quite a bit of their time, as the repercussions for the bank are huge.


1101
3141 posts

Uber Geek
+1 received by user: 1143


  #2942122 15-Jul-2022 10:59

To prevent future hacks:

  1. Lock down the router: disable UPnP and disable port forwards to the NAS.
  2. Lock down the NAS: remove or disable plugins and add-ons, disable remote access and 'cloud' NAS services, etc.
  3. Keep the firmware updated.
  4. As a minimum, back up to a USB HD, have several backup disks and rotate them, and test the backups (i.e. can you recover from them?). There should be a built-in backup-to-USB option.
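Two of the suggestions in this thread, Peppery's "have another device pull the backups off the NAS" and 1101's "rotate the disks and test that you can recover from them", fit together into one backup job. The script below is an added example of what that separate box would run; it is not code from the thread, from QNAP or from any NAS vendor. It assumes the share is mounted read-only on the backup box at `source`, that snapshots live under `dest` on that box, and that an attack shows up as file names ending in ".deadbolt" (the extension reported in the original post); all paths and file contents are made up.

```python
"""Pull-model snapshot backup with a ransomware tripwire and a restore check.

Added example, not from the thread or any NAS vendor. The backup box pulls
from the NAS, so the NAS never has write access to the backup tree and
malware on it cannot encrypt or delete old snapshots. Assumes a read-only
mount of the share at `source`, snapshots under `dest` on the backup box,
and that an attack shows up as names ending in TRIPWIRE_SUFFIX.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

TRIPWIRE_SUFFIX = ".deadbolt"   # extension reported in the post
MANIFEST = "MANIFEST.sha256"


class RansomwareTripwire(RuntimeError):
    """Source already holds ciphertext: snapshotting would copy junk and retention
    would rotate away the last good copies, so the job stops and waits for a human."""


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()   # stream this for big files


def list_snapshots(dest: Path) -> list[Path]:
    """Snapshot directories, oldest first (names are UTC timestamps)."""
    return sorted(p for p in dest.iterdir() if p.is_dir()) if dest.is_dir() else []


def take_snapshot(source: Path, dest: Path, keep: int = 7, stamp: str | None = None) -> Path:
    files = [p for p in source.rglob("*") if p.is_file()]
    hit = [p for p in files if p.name.endswith(TRIPWIRE_SUFFIX)]
    if hit:
        raise RansomwareTripwire(f"{len(hit)} file(s) on the share end in {TRIPWIRE_SUFFIX}")
    snaps = list_snapshots(dest)
    previous = snaps[-1] if snaps else None
    snap = dest / (stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    snap.mkdir(parents=True)
    lines = []
    for src in files:
        rel = src.relative_to(source)
        dst = snap / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        prev = previous / rel if previous else None
        st = src.stat()
        if prev and prev.is_file() and prev.stat().st_size == st.st_size \
                and int(prev.stat().st_mtime) == int(st.st_mtime):
            os.link(prev, dst)       # unchanged: share the blocks with the last snapshot
        else:
            shutil.copy2(src, dst)   # new or changed: fresh copy, mtime preserved
        lines.append(f"{sha256_of(dst)}  {rel.as_posix()}\n")
    (snap / MANIFEST).write_text("".join(sorted(lines)))
    for old in list_snapshots(dest)[:-max(keep, 1)]:   # retention runs only on a clean source
        shutil.rmtree(old)
    return snap


def verify_snapshot(snap: Path) -> list[str]:
    """Restore test: re-hash every file against the manifest and return the
    paths that are missing or changed (an empty list means it is restorable)."""
    bad = []
    for line in (snap / MANIFEST).read_text().splitlines():
        expected, rel = line.split("  ", 1)
        f = snap / rel
        if not f.is_file() or sha256_of(f) != expected:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed end-to-end run in a temp directory; file contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "share"), Path(tmp, "snapshots")
        src.mkdir()
        (src / "a.txt").write_text("minutes")
        (src / "b.txt").write_text("ledger v1")
        s1 = take_snapshot(src, dest, keep=5, stamp="20220701T020000Z")
        (src / "b.txt").write_text("ledger v2, longer")                # changed between runs
        s2 = take_snapshot(src, dest, keep=5, stamp="20220702T020000Z")
        linked = (s1 / "a.txt").stat().st_ino == (s2 / "a.txt").stat().st_ino
        s3 = take_snapshot(src, dest, keep=2, stamp="20220703T020000Z")  # prunes s1
        remaining = [p.name for p in list_snapshots(dest)]
        clean = verify_snapshot(s3)
        bad = s3 / "b.txt"          # simulate corruption on the backup disk: replace the
        bad.unlink()                # file rather than overwrite it in place, since it is
        bad.write_text("garbage")   # hard-linked to the copy in s2
        tampered = verify_snapshot(s3)
        (src / ("c.docx" + TRIPWIRE_SUFFIX)).write_bytes(b"\x00" * 16)  # the attack lands
        tripped = False
        try:
            take_snapshot(src, dest, keep=1)
        except RansomwareTripwire:
            tripped = True
        return {"linked": linked, "remaining": remaining, "clean": clean, "tampered": tampered,
                "tripped": tripped, "snapshots_after_trip": len(list_snapshots(dest))}
```

The direction of the copy is the whole point: a backup the NAS itself pushes to a USB disk is within reach of whatever runs on the NAS, whereas a box that pulls over a read-only share and is reachable only from the LAN keeps its old snapshots even if the NAS is fully compromised. The manifest check is the "test the backups" step from the post, cheap enough to run on a schedule. The tripwire is only one signal: ransomware that does not rename files would not trip it, which is why retention and verification still matter on their own.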

 

 


CYaBro
4708 posts

Uber Geek
+1 received by user: 1182

ID Verified
Trusted

  #2942213 15-Jul-2022 13:48

michaelmurfy: If you’re a business paying a ransom can actually get you in further trouble. You shouldn’t ever do it. You’re not guaranteed to get your data back and you’re opening yourself up as a paying target. It is seriously a stupid move to ever pay a ransom.

Report the incident to CERT NZ and move on: https://www.cert.govt.nz/business/common-threats/ransomware/

Your lesson here is have backups of your important data for the future. Consider this data as lost.

 

I know of a (cyber) insurance company that has paid a ransom to get the data back for their customer.





Opinions are my own and not the views of my employer.


freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2942412 15-Jul-2022 22:03

ANglEAUT:

 

michaelmurfy: If you’re a business paying a ransom can actually get you in further trouble. ...

 

This is very true in the USA. If the people you pay are found to support a government or company that is on a sanctions list, you can be in for a world of hurt.

 

 

 

 

And New Zealand too, as we have a sanctions list as well: https://www.mfat.govt.nz/en/peace-rights-and-security/un-sanctions/

 

 






 


Tinkerisk
4798 posts

Uber Geek
+1 received by user: 3660


  #2942476 16-Jul-2022 01:06

The avoidance strategy is actually quite simple: You only have to ask yourself what would happen if the NAS with all its important data were to (metaphorically) explode at that very moment? What is then still there in terms of security backup is what you can continue to work with (or no longer work with).





- NET: FTTH & VDSL, OPNsense, 10G backbone, GWN APs
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2942536 16-Jul-2022 08:50

Not an answer to "should I pay or not" but in response to a backup strategy. I just use Backblaze and the Synology Backup app. Terabytes of data, with versioning, cost me $100/month. Worth it. None of that "local HDD that needs rotating".






 

