DEADBOLT ransomware reappears and attacks QNAP devices – Naked Security

Yes, ransomware is one more thing.

No, not all ransomware attacks go as you would expect.

Most contemporary ransomware attacks involve two groups of criminals: a hard core that creates the malware and handles the extortion payments, and the “members” of a loose clan of “affiliates” who actively penetrate the networks to carry out the attacks.

Once inside, affiliates then wander around the victim’s network, getting the lie from the ground for a while, before abruptly and often devastatingly jamming as many computers as they can, as fast as they can. as they can, usually at the worst possible time. of the day.

Affiliates typically pocket 70% of the blackmail money for all attacks they carry out, while top criminals take an iTunes like 30% of each attack carried out by each affiliate, without ever needing to break in. even in anyone’s computers.

This is how most malware attacks happen.

But regular readers of Naked Security will know that some victims, including home users and small businesses, end up being blackmailed through their NAS, or attached network storage devices.

Plug-and-play network storage

NAS boxes, as they are colloquially known, are pre-configured miniature servers, usually running Linux, that are usually plugged directly into your router and then act as simple and fast file servers for everyone on the network.

No need to buy Windows licenses, configure Active Directory, learn how to manage Linux, install Samba or learn about CIFS and other network file system mysteries.

NAS enclosures are “plug-and-play” and popular network storage systems precisely because of the ease with which you can run them on your local network.

As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening their servers to the internet – often by accident, but sometimes on purpose – with potentially dangerous results.

In particular, if a NAS device is accessible from the public internet and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.

Crooks could not only get away with your trophy data, without needing to touch any of the laptops or cell phones on your network, but also modify all the data in your NAS box…

…including directly rewriting all your original files with encrypted equivalentsonly crooks know the decryption key.

Simply put, ransomware attackers with direct access to the NAS box on your local network could derail almost your entire digital life and then directly blackmail you, simply by accessing your NAS device and not touching anything else on it. the network.

The infamous DEADBOLT ransomware

This is exactly how the infamous DEADBOLT ransomware scammers operate.

They don’t bother attacking Windows computers, Mac laptops, cell phones, or tablets; they go straight to your main data repository.

(You probably turn off, “sleep” or lock most of your devices at night, but your NAS box probably runs silently 24/7, just like your router.)

By targeting vulnerabilities in the products of famed NAS vendor QNAP, the DEADBOLT gang aims to shut everyone else on your network out of their digital lives, then squeeze you for several thousand dollars to “recover” your data.

After an attack, when you then try to download a file from the NAS box, or configure it through its web interface, you might see something like this:

In a typical DEADBOLT attack, there is no negotiation over email or instant messaging – the scammers are candid and direct, as you can see above.

In fact, you can usually never interact with them using words.

If you have no other way to recover your scrambled files, such as a backup copy that is not stored online, and you are forced to pay to recover your files, scammers expect you simply send them the money in a cryptocoin transaction.

The arrival of your bitcoins in their wallet serves as a “message” to them.

In return, they “pay” you the princely sum of nothing, this “reimbursement” being the total sum of their communication with you.

This “refund” is a payment with a value of $0, submitted simply as a way to include a bitcoin transaction comment.

This comment is encoded as 32 hexadecimal characters, which represent 16 raw bytes, or 128 bits – the length of the AES decryption key you will use to recover your data:

The DEADBOLT variant pictured above even included a built-in taunt to QNAP, offering to sell the company a “one-time decryption key” that would work on any affected device:

Presumably, the scammers above were hoping that QNAP would feel guilty enough to expose its customers to a zero-day vulnerability that it ponied 50 BTC (currently around $1,000,000 [2022-09-07T16:15Z]) to bail everyone out, instead of each victim paying 0.3 BTC (about $6,000 now) individually.

DEADBOLT raises again

QNAP just reported that DEADBOLT is go around againcrooks are now exploiting a vulnerability in a QNAP NAS feature called Camera station.

QNAP has released a fix and naturally urges their customer to make sure they have updated.

What to do?

If you have a QNAP NAS product anywhere on your network and you are using the Camera station software component, you may be at risk.

QNAP tips is:

  • Get the patch. Via your web browser, log in to the QNAP Control Panel on the device and choose Control Panel > System > Firmware update > Live update > Check for update. Also update the applications on your NAS device using Application Center > Install updates > All.
  • Block port forwarding in your router if you don’t need it. This helps prevent traffic from the Internet from “reaching” your router in order to connect and connect to computers and servers on your local network.
  • Disable Universal Plug and Play (uPnP) on your router and in your NAS options if you can. The main function of uPnP is to allow computers on your network to easily locate useful services such as NAS boxes, printers, etc. Unfortunately, uPnP often makes it dangerously easy (even automatic) for applications inside your network to mistakenly open access to users outside your network.
  • Read QNAP’s specific advice on securing remote access to your NAS box if you really need to enable it. Learn how to restrict remote access to only carefully designated users.

About Jon Moses

Check Also

IBM launches fourth-generation LinuxONE servers

IBM has unveiled the next generation of its LinuxONE server, which uses the Telum processor …