Qnap is forcibly installing firmware updates on its NAS devices in an effort to stop the DeadBolt ransomware, which has already encrypted over 3,600 devices.
The DeadBolt malware became known earlier this week. According to the hackers themselves, DeadBolt exploits an unspecified 0-day vulnerability to encrypt devices. The attacks began on January 25, 2022, when owners of Qnap devices started to discover that their files had been encrypted and that the filenames carried the .deadbolt suffix.
Interestingly, the ransom note includes a separate message for the developers, entitled “Important message for Qnap.” The authors of the DeadBolt malware write that they are ready to disclose the full details of the zero-day vulnerability they exploit if the company pays them 5 bitcoins (approximately $184,000). They also say they are ready to sell a master key that would decrypt the files of all victims, together with information about the 0-day, for 50 bitcoins, that is, almost 1.85 million US dollars.
Qnap developers had previously warned NAS owners about the new threat and advised them to update QTS to the latest available version, and to disable port forwarding on their router and the UPnP function on the Qnap NAS as soon as possible. Now the company has moved to more drastic measures.
Qnap has forced a firmware update on all customer NAS devices to version 5.0.0.1891, released on December 23, 2021. This update includes numerous patches, but almost all of them are related to Samba.
Bleeping Computer writes that a forced firmware update occurs even on those devices where automatic updates are disabled. Moreover, some NAS owners found that iSCSI connections stopped working after the upgrade.
Other users who have already paid the hackers and received the key to decrypt the data found that the firmware update removed the ransomware executable and the ransom screen through which the decryption was triggered. This prevented the victims from continuing the decryption process.
Qnap support representatives have confirmed what is happening and note that the forced update was launched to protect users from ongoing DeadBolt ransomware attacks.
Journalists note that it is not entirely clear how a forced firmware update to the latest version protects against DeadBolt, because Qnap initially reported that, to mitigate the attacks, users only need to avoid exposing their NAS to the Internet. The hackers are probably using some old vulnerability in QTS, and the firmware update fixes this problem.
Unfortunately, information security experts say that the decision to force the update seems to have come too late. For example, according to Shodan, the ransomware has successfully attacked more than 1160 NAS devices, and according to Censys it is even worse: DeadBolt has already encrypted 3687 devices. Shodan and Censys report that the United States, France, Taiwan, the United Kingdom and Italy have been hit the hardest by the attacks.
Let me remind you that we also reported that hackers have already received $280,000 with the help of the Qlocker ransomware targeting Qnap, that the eCh0raix ransomware is again attacking QNAP NAS, and that the QSnatch malware infects thousands of QNAP NAS devices, and yet … Perhaps that’s enough. Update your NAS firmware.