New DeadBolt Ransomware Targets QNAP Devices, Asks 50 BTC For Master Key (bleepingcomputer.com)
ryanw shares a report from BleepingComputer: A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software. The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Instead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen stating, "WARNING: Your files have been locked by DeadBolt." This screen informs the victim that they should pay 0.03 bitcoins (approximately $1,100) to an enclosed Bitcoin address unique to each victim.
After payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the decryption key. This decryption key can then be entered into the screen to decrypt the device's files. At this time, there is no confirmation that paying a ransom will result in receiving a decryption key or that users will be able to decrypt files. The DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000. They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.
I'm on the fence about this (Score:2)
The fact that they offer QNAP the information to fix this.... kinda makes this... hell, certainly not good but... let's say one kick in the nads would suffice?
The master key for 50 million is probably a bit on the high side :D.
Re: (Score:3)
OTOH, QNAP could offer 51 bitcoins for their heads (and JUST their heads) delivered on a platter.
Re: (Score:2)
Looking at their website (https://www.qnap.com/en-uk/security-advisories) they don't seem to have a bug bounty in place. If they did, they might have avoided all this.
Re:I'm on the fence about this (Score:4, Insightful)
And the good news is that the ransom gets cheaper every day they wait!
Re: (Score:2)
If you are looking at day-to-day values on investments, you're doing it wrong.
Bitcoin is still down 25% on the month. How are you to say that the recent 1-day upswing isn't just normal volatility before continuing the downward plunge?
You can't, and neither can anyone else.
Re: (Score:1)
Bitcoin is up 23% vs the price one year ago. How are you to say that the recent dip from the recent all-time historical high isn't just normal volatility before continuing the decade long upward trend?
You can't, and neither can anyone else.
Re: (Score:1)
As for 3 months, that is again both short term and coming off the all-time high; both the peak of that high and the subsequent dip are a routine, predictable and boring double peak formation that is literally the first thing anyone learns about in chart analysis.
Sorry, you don't have anything to beat the decade-and-a-half trend.
Crypto Trash (Score:1, Insightful)
Re: (Score:2)
And how does that happen? It's completely decentralized. There's nobody in control, just "the network". Do we take down the internet? I repeat the question, as again it's decentralized by design and semi-decentralized in practice.
Do we ban the network traffic? Do we ban the buying and selling of crypto, like we banned the buying and selling of drugs?
It's a pandora's box. It's not going away.
Re: (Score:3, Informative)
And how does that happen?
Regulate exchanges, then watch the little real liquidity in the crypto "markets" disappear overnight.
Re: (Score:3)
Yeah make drugs illegal too for good measure...
Re:Crypto Trash (Score:4, Interesting)
That's a shit analogy: I said regulate. Pretty much all exchanges out there operate with little, if any, government oversight. It's a Wild West right now.
No one gives two shits about Bitcoin per se; it is either used as a speculative asset or, in the case of ransomware creators, to collect online payments without going through formal channels. In either case, the end goal is to convert BTC back and forth to "real" money.
All it takes is a little regulation to make this house of cards fall apart; just enforcing "know your customer" requirements is enough. The DoJ already did something similar with online poker websites back in 2011 (the so-called "Poker Black Friday"), which were at the time rampant with illegal money transactions.
Re: (Score:1)
All the speculation gambling is acting as cover for illegal activity, such as ransoms and money laundering. Kind of "Oh, it might have been a perfectly legal legitimate transaction, just another guy/gal trying to gamble on the market". You outlaw using it legally, suddenly illegal activity has no cover to hide behind.
Re: (Score:2)
This is probably crypto's biggest weakness. It may be impossible to regulate crypto, but darn easy to regulate the gateways where crypto is turned into physical goods and vice versa.
The only real way to decentralize this is with a lot of trusted escrow parties and multisig transactions, so that Alice gives Bob a chicken, Bob gives Alice a few units of a cryptocurrency, and Charlie verifies that Bob actually got his chicken before signing off to hand Alice her currency. However there is always collusion wh
Re: (Score:2)
Yeah, because ransom *just* started with crypto, and holding things hostage was never a thing criminals did until bitcoin came along.
Done with Qnap (Score:5, Interesting)
I bought a Qnap for home - primarily as a regular, plain old boring NAS, but also because it can run containers/VMs, which I hoped to use for miscellaneous crap (eg. the software that configures my Wifi APs, bacula backups, etc).
It's technically fine at being a NAS - it serves files just fine. But my god, it's a horrible mess of different windows (on their "web desktop" OS), different "centers" and "stations" (Container Station, App Center, bla bla). It's incredibly complicated and even simple tasks like "make a share, assign some permissions" seem like a long job across multiple screens. Trying to run a VM isn't impossible at all, but I'm dumping all the things I thought I'd use it for and moving them to a raspberry pi or two - the qnap just makes it all far too difficult (and very "proprietary" feeling).
Frankly, the vastness of their shit-show software makes the chances of bugs in it almost an absolute certainty. Anyone that lets one of these onto the Internet needs to donate their brain to medical science.
All of this is not what I buy a NAS for - I buy them to hum away in the corner and not get in my way. This QNAP seems to constantly want to remind me about something, make me do something, pay it some attention or whatever else. When the one I have starts getting grumpy, it's going to the great recycling facility in the sky and getting replaced with something far, far better. I believe there's an open NAS product you can install on these things - maybe I need to spend a weekend doing that...?
The time I found a Qnap in a client's datacentre... well, it was first into the skip - no way in hell I'd trust them to run anything "real". Yet I know that lots of small shops do indeed run their entire office on one (NAS, DHCP, print server, email, web site, databases, you name it). Good luck to those folks, I fear they may have backed the wrong horse.
Re: (Score:2)
My problem was lack of flexibility. If I didn't want raid, I couldn't use any of their tools. I switched to running Debian directly on it from a USB stick.
Re: (Score:2)
I don't disagree with their web interface being cluttered, but I do think you are being a bit overly dramatic about it. As I posted elsewhere, the real question is: why would you ever expose your NAS directly to the internet?
More, let me point out one *huge* positive for QNAP: security updates. I have an absolutely ancient QNAP device, and they *still* issue regular firmware updates for it. You can't say that about every manufacturer.
Re: (Score:2)
The real problem is combining your *data* and your services onto a single appliance that is then exposed to the world.
Re: (Score:2)
so much easier/cheaper to just use a fire stick + kodi than plex...though not quite as pretty
I used plex for years and will never go back
Re: (Score:2)
From my standpoint of Plex working currently with zero maintenance...not so much
Re: (Score:2)
oh, i mean, more so in the context of needing a machine running all the time doing all sorts of, often needless, reencodes
whereas, generally speaking, even a cheapo firestick can play most filetypes with zero issues without triggering a reencode (not to mention much better subtitle support than at least the last time i checked out plex)
Re: (Score:2)
How is Plex complex? You fire up a docker container, go to the web site for that container and browse a file path to where your media is, and let it scan and index everything. Or, in the case of a set-top box with some actual compute available (Nvidia Shield TV, for example) you plug in your media on a USB drive or even a network share and install Plex Media Server right on the device and scan.
Plex has never been overly complex. I even have it running with GPU transcode within Docker because Nvidia went
Re: (Score:2)
well, I suppose, though with kodi you don't even need a server besides some basic VM hosted wherever with https and the cheapo firestick (or raspberry pi) handles the decoding...
Re: (Score:2)
yeah, you're right, it's not complex by design, it's just a bit overbaked IMO at least in that it often triggers a transcode unnecessarily at least years ago when I last used it
I've grown to really appreciate kodi being able to play media natively without any sort of transcode and the far more powerful confluence interface along with using a simple folder structure instead of the plex "library"
I can simply host files on some basic https share and have a handful of people watching content and it barely touch
Re: (Score:2)
Plex only transcodes if the client can't play back the original file format. My Plex Media Server almost never transcodes anything when I'm playing media on an Nvidia Shield TV. It transcodes practically everything for an iOS / tvOS device, because Apple doesn't support nearly as many codecs and formats.
Re: (Score:2)
fair enough - I just have seen it, at least historically, do a lot of unnecessary transcodes for my old roku (even if I made sure to transcode it myself ahead of time via ffmpeg to some completely compatible format)
that said, so much "media" is already in h264/aac so unclear why ios devices would need so much transcoding except for bandwidth requirements as they should be able to decode h264/aac natively
Re: (Score:2)
Plex will transcode for size format as well, and sometimes it's just an audio transcode where it's going from a 7.1 DTS stream that iOS will not natively do, to a 5.1 Dolby AC3 stream that it will. It does a shitload more work when playing to an Apple TV or iPad than it does when playing to an Android phone or Nvidia Shield TV.
Re: (Score:2)
fair enough re: just audio - I'm pretty light weight in my media serving and consumption
just two fire sticks in different locations using kodi to load things off of a minimal server far far away - largely h.265/h.264 + aac or dd5.1 which kodi has no trouble with
I'm a bit disappointed that an apple tv really needs video transcoding, i'd like to think it could natively handle h.265/h.264 in most any resolution with ease...
that said, you should try the confluence skin/interface on top of kodi, it's so much mo
Re: (Score:2)
Plex viewing is a big reason, Phone storage backup on the go, among numerous others
That would presumably require a bug in Plex, if that was the only exposed service. And those are typically deployed via a container on QNAP as far as I know. No one knows the details obviously, but this seems unlikely. Otherwise we would hear about tens or hundreds of thousands of NAS that had already been affected.
I think the problem here is that the management service for the QNAP NAS must be publicly accessible for remote management.
Re: (Score:3)
take-immediate-actions-to-secure-qnap-nas [qnap.com]
Re: (Score:2)
why would you ever expose your NAS directly to the internet?
IIRC the original problem was that they enabled UPnP support by default, exposing it without the owner's knowledge. Then your internet modem thingy will cheerfully let anybody talk to it. It's one thing to expose it intentionally, it's quite another for it to silently expose itself.
Re: (Score:2)
It's unfortunate because some NAS designs are actually a fairly pleasing compromise between actually supporting a decent number of disks and not being a screaming rackmount server; but that's a lot less helpful when the software is actively untrustworthy, and often treated
Re:Done with Qnap (Score:5, Informative)
I did a similar thing a few years ago. I got an expensive QNAP to act as a NAS and Docker station, and it worked "ok" for about a year, after which it had a hardware problem. It would occasionally cycle in a boot loop. If it managed to come up it would run stable, but over time it became less and less likely. So they did fix it on RMA, but within a month or two it started having the same problem, and had to get RMA'd again.
And herein lies the problem with QNAP - their software and hardware are all proprietary. Their RMA cycle is a couple months. So if you can imagine your NAS disappearing for two months at a time every few months, you realize this is an untenable situation. There are numerous other issues with the QNAP experience, but I'll refrain from elaborating.
So after this experience I decided to custom build a machine using commodity parts and software to avoid this RMA nightmare. I took my old desktop machine (Intel 3770, circa 2012), put it into a server case and loaded it with hotbays. Then I installed Linux (Ubuntu server I think), using ZFS storage, and running Docker. As a side note there are various OS that could be used here, but Linux has the nice ability to run both ZFS and Docker well, which was not the case on some BSD alternatives like FreeNAS (at least back when I did the build they did not support Docker well at all).
It took some work (a few weeks), but I was able to achieve something that works vastly better and faster than the QNAP I had. On mine I run the NAS, plus Portainer, Plex, and Gitlab as Docker containers. There are some elements that are not as point-and-clicky (QNAP is better at that), but at least Docker management is GUI driven. ZFS management is all from command-line, but once the arrays are set up it is not too bad (I've only had to replace one failed drive, and it went ok). To assist with remembering CLI commands I maintain a doc for myself with setup notes. On the plus side it is fairly automated, it has auto-backup across two ZFS arrays, and the Docker images auto-update also.
The software I run on it to replace QNAP functions is as follows:
Storage - ZFS, Samba and WSDD (note: search "toponce zfs admin" for a good intro to ZFS, and search "christgau wsdd" for a daemon to help Windows discovery)
Backup - sanoid/syncoid (ZFS autosnap utility), and rsync for mirroring the array to NTFS drives every so often (I find offline NTFS backups are good to cover the case of machine catastrophic failure, as it allows mounting the data on Windows if needed)
Containers - Docker and Portainer (Portainer is the GUI docker management tool)
Front-end "Desktop" - Heimdall (as a Docker container)
Other useful containers - Watchtower (auto updates containers), Glances (like web-based "top" command), GitLab (it is a personal Github, awesome), Plex (of course)
VNC/ssh - Something to allow remote access and config
I don't currently run straight VMs, I only use containers, but for that: KVM, QEMU, and Virtual Machine Manager.
Others might have software recommendations also. If I knew back when I got the QNAP what I know now, I would not have invested in it. The one feature QNAP is arguably better at is their camera monitoring software (QVR Pro), but it is time locked (2 weeks I think) unless you pay more for it. For everything else the Linux solution has been far better in my experience. And if anything breaks it is easier to fix it (nothing proprietary).
I will mention one thing I do not have a handle on yet is the Ubuntu server itself (root OS). I would recommend mirroring the boot drive before updating. I have had very bad luck with Linux (of various flavors) updating and breaking things. Last time I ran an update systemd modified some files that prevented Docker from starting (which kills most of the machine functions). I've had similar bad experience in Arch Linux with systemd (hang at boot, blank screen, no message). I really don't like systemd.
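The backup layer in the build above rests on periodic ZFS snapshots (sanoid/syncoid) plus offline copies; against ransomware the value of a snapshot is that it is read-only from the share's point of view, so the question becomes how long a window of clean snapshots you keep. The following is an added example, not sanoid's code or the poster's setup: a simplified stand-in for the "keep N hourly / N daily / N monthly" pruning that such a tool applies. The snapshot-name layout, the dataset name `tank/data`, the retention numbers and the sample snapshots are all constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed retention policy for illustration: how many snapshots of each kind to keep.
POLICY = {"hourly": 24, "daily": 7, "monthly": 3}

# Constructed snapshot-name layout: <dataset>@autosnap_<YYYY-MM-DDTHH:MM>_<kind>
STAMP_FMT = "%Y-%m-%dT%H:%M"


def snapshot_name(dataset, when, kind):
    return f"{dataset}@autosnap_{when.strftime(STAMP_FMT)}_{kind}"


def parse_snapshot(name):
    """Split a snapshot name into (timestamp, kind, full name)."""
    _, snap = name.split("@", 1)
    _, stamp, kind = snap.split("_")
    return datetime.strptime(stamp, STAMP_FMT), kind, name


def plan_prune(names, policy=POLICY):
    """Return (keep, destroy): the newest policy[kind] snapshots of each kind
    are kept, every older snapshot of that kind is scheduled for destruction."""
    by_kind = {}
    # Newest first, so slicing the head of each list keeps the most recent ones.
    for when, kind, name in sorted((parse_snapshot(n) for n in names), reverse=True):
        by_kind.setdefault(kind, []).append(name)
    keep, destroy = [], []
    for kind, snaps in by_kind.items():
        limit = policy.get(kind, 0)
        keep.extend(snaps[:limit])
        destroy.extend(snaps[limit:])
    return sorted(keep), sorted(destroy)


def make_sample(dataset="tank/data"):
    """Constructed: 30 hourly and 10 daily snapshots counting back from a fixed time."""
    base = datetime(2022, 1, 25, 12, 0)
    names = [snapshot_name(dataset, base - timedelta(hours=h), "hourly") for h in range(30)]
    names += [snapshot_name(dataset, base - timedelta(days=d), "daily") for d in range(10)]
    return names


if __name__ == "__main__":
    keep, destroy = plan_prune(make_sample())
    print(f"keeping {len(keep)}, destroying {len(destroy)}")
    for name in destroy:
        # Dry run: print the commands rather than executing them.
        print("zfs destroy", name)
```

The dry-run output is the point: before letting any pruner run unattended, check that the oldest snapshot it would keep is older than the time you would realistically need to notice an encryption run on the share, and replicate the kept set to the second array so a compromise of the primary pool does not take the history with it.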
Re: (Score:3)
Move to Synology.
I mean - it has all the apps, but they actually work. The UI is like a dream compared to the QNAP. I actually trust my Synology enough to have ports open on the Internet. Which means I can access files on it from an app on my phone.
Something in the $500 range suits home needs just fine if you don't want to run a VM. Intel Celerons have enough horsepower for video transcoding if you intend to use it as a media server and not just media storage.
The built-in PC backup software is about as
Note to QNAP owners (Score:4, Informative)
You would think this wouldn't need to be stated since it should be blatantly obvious it's a massive security risk, but... Don't expose your QNAP administrative interface to the Internet.
Re:Note to QNAP owners (Score:4, Informative)
QNAP, Synology, Plex, UniFi, and every mobile app to control IoT is somehow willing to expose services on the internet. Some through upnp, others using tunneling into cloud services and exposed from there.
I run some of these products myself and I've spent time on configuring them NOT to expose anything, even missing out on several features by insisting on it being local network only.
Shouldn't be like this, especially with these vulnerabilities becoming tediously common.
Re: (Score:2)
I run some of these products myself and I've spent time on configuring them NOT to expose anything, even missing out on several features by insisting on it being local network only.
After turning off all the things like that, I put them on a static IP in my router in a block that doesn't have access to the internet. Like you said, it disables some of those interesting features but I'd personally rather have a separate server/device handle that rather than an all-in-one NAS device.
I've also been pretty satisfied with using Open Media Vault as a NAS on my local network.
Re: (Score:2)
Some through upnp, others using tunneling into cloud services and exposed from there.
I can't believe UPNP is still a thing. I call it the universal hacking portal.
Re: (Score:2)
You would think this wouldn't need to be stated since it should be blatantly obvious it's a massive security risk, but... Don't expose your QNAP administrative interface to the Internet.
In theory - sure.
In reality, there's a ton of reasons you'd want remote access into a local device. Two common ones would be NVR and plex/AV streaming...and QNAP offers plenty of services that need similar inbound connections. If you don't configure it correctly...bye bye.
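The thread above makes two points worth turning into a check: an admin interface bound to every interface is only one half of the problem, and a UPnP mapping on the router is the other half that silently puts it on the internet. The script below is an added example, not code from QNAP or any commenter: it reads listener rows in the shape of `ss -ltn` output from the NAS and a port-mapping table in the style of `upnpc -l` from the router, and reports the combinations that expose a management port. The admin-port list, the LAN address `192.168.1.20` and both sample outputs are constructed for the example.

```python
import re

# Assumption for illustration: ports a NAS typically uses for its web admin UI and shell.
ADMIN_PORTS = {8080, 443, 22}

# Local addresses that mean "every interface on the box".
WILDCARDS = {"0.0.0.0", "[::]", "*"}

# Constructed sample in the shape of `ss -ltn` output taken on the NAS.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     192.168.1.20:445     0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
"""

# Constructed sample in the style of a router's UPnP mapping table (miniupnpc `upnpc -l`).
UPNP_OUTPUT = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.20:8080 'NAS Web Admin' '' 0
 1 TCP 32400->192.168.1.20:32400 'Plex Media Server' '' 0
"""

_MAP_RE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)")


def parse_listeners(text):
    """Return (local_address, port) for every LISTEN row; other rows are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        rows.append((addr, int(port)))
    return rows


def parse_upnp_mappings(text):
    """Return (external_port, internal_address, internal_port) for every mapping row."""
    rows = []
    for line in text.splitlines():
        m = _MAP_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), int(m.group(4))))
    return rows


def find_exposures(ss_text, upnp_text, nas_lan_ip):
    """Flag admin services bound to all interfaces, and any UPnP mapping that
    forwards a WAN port to one of those services on the NAS."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if port in ADMIN_PORTS and addr in WILDCARDS:
            findings.append(f"admin port {port} listens on all interfaces ({addr})")
    for ext_port, int_addr, int_port in parse_upnp_mappings(upnp_text):
        if int_addr == nas_lan_ip and int_port in ADMIN_PORTS:
            findings.append(f"UPnP forwards WAN port {ext_port} to admin port {int_port}")
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SS_OUTPUT, UPNP_OUTPUT, "192.168.1.20"):
        print("EXPOSED:", finding)
```

A wildcard bind on its own is normal for a LAN appliance; it is the matching UPnP mapping (or a manual port-forward) that makes it an internet-facing admin panel, which is why the second check is keyed on the NAS's LAN address. Running the two commands on a schedule and diffing the findings catches a mapping that an app re-creates after you have removed it.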
Correction (Score:2)
Maybe don't expose your NAS to the internet? (Score:2)
Re: (Score:2)
Configure it from work when the significant other is at home and can't do something on it.
Re: (Score:2)
Get a Raspberry Pi with OpenVPN or sshd and only expose that and the specific ports to the internet instead. These NAS devices aren't exactly cheap by the time you get one with enough power to do what it says on the tin, and have enough storage to be useful, so the RP isn't that much more and comes with other uses.
Re: (Score:2)
I would even point out you can run a VPN on the QNAP itself instead of needing a Raspberry Pi. Installable QNAP app, or create a virtual machine to run it.
Re: (Score:2)
Yes, this is true. I guess I prefer to keep my data away from the internet facing services. I am wondering too if there's an advantage to the RP being ARM based when it comes to remote exploits - how many of them rely on the CPU being x86?
Re: (Score:2)
lol, no!
This is what VPNs are for.
Re:Maybe don't expose your NAS to the internet? (Score:4, Interesting)
Devices behind firewalls and not directly exposed to the internet are being hit with this ransomware as well. I haven't seen any details as to how the devices are getting exploited, but being that devices behind firewalls are vulnerable it would have to be some sort of 'man-in-the-middle' attack is my guess. Perhaps QNAP wasn't validating SSL certificates, or not using GPG signatures to validate software and allowing a rootkit to be installed from an auto-update. No matter what it was, it seems like it has to be some sort of "pull request" from the devices themselves, so as long as the device is accessible to the internet, and does those types of "pull requests" either checking for updates, or auto-downloading software and extracting it to stage it for update, then ANY device is vulnerable if that is combined with not validating SSL certificates, and not validating software signatures... But of course, if their private keys get stolen then that's a whole other concern.
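The post above is speculation, but the two controls it names are exactly what an auto-updater needs: certificate validation on the fetch and a verified digest or signature on what is installed. The following is an added example, not QNAP's updater or any commenter's code, showing the weak TLS setting beside the strict one and a digest gate on the payload. The firmware bytes, manifest, version numbers and the function names are constructed; a real updater verifies a vendor signature (GPG, as the post mentions) over the manifest with a pinned public key before trusting its digest, which the standard library cannot do, so this example stops at the digest.

```python
import hashlib
import hmac
import ssl


def make_tls_context(strict=True):
    """TLS context for fetching update metadata and packages.
    strict=True returns Python's default context: server certificate checked
    against the system CA store and hostname checked.  strict=False reproduces
    the weak configuration the post speculates about (no certificate or hostname
    check); it exists here only for comparison and must never ship."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False      # must be cleared before verify_mode is lowered
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample: a firmware image and the manifest entry that describes it.
FIRMWARE_IMAGE = b"constructed firmware image bytes for the example"
MANIFEST = {
    "version": "5.0.1",  # constructed version string, not a real release
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def verify_payload(blob, manifest):
    """True only when the payload's SHA-256 equals the manifest digest.
    compare_digest avoids leaking where the comparison stopped."""
    digest = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def stage_update(blob, manifest, installed_version):
    """Gate an update: refuse rollbacks to older builds, refuse any payload
    that does not match the manifest, and only then hand it to the installer."""
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return "rejected: not newer than installed"
    if not verify_payload(blob, manifest):
        return "rejected: digest mismatch"
    return "staged"


if __name__ == "__main__":
    print("strict context:", context_is_strict(make_tls_context()))
    print("weak context:", context_is_strict(make_tls_context(strict=False)))
    print(stage_update(FIRMWARE_IMAGE, MANIFEST, "5.0.0"))
    print(stage_update(FIRMWARE_IMAGE + b"\x00", MANIFEST, "5.0.0"))
```

The rollback check matters as much as the digest: an attacker who can only replay old, validly signed packages still gets a device back onto a build with known bugs unless the updater refuses anything not newer than what is installed.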
Wait it out (Score:2)
Judging by the rate of Bitcoin over recent days, QNAP's best bet would be just to stall a few more days until 50 bitcoins is only worth around $2.50 and then pay it off
ReadyNAS NV+ (Score:2)
My ReadyNAS NV+ is going on 10 years old now and it just hums away (on its 3rd ITX PSU though).
I've thought about migrating to a new NAS, but after reading this...I think nah.
Finally!!!! (Score:1)
Yeah, blockchain!!!
My 251 seems to be safe. (Score:1)