Elain Brown Tech 06.17.2022 09:Jun AM EDT

QNAP Issues a New Update Following Another DeadBolt Ransomware Campaign

QNAP has suffered another DeadBolt ransomware attack. Today, June 17, QNAP released a blog post addressed to all of its users.

The company is encouraging its users to check that their network attached storage (NAS) devices have the most recent firmware version installed to secure their data and ensure that they are not vulnerable to remote access over the internet.

On Friday, QNAP reminded customers of the need to maintain device security in the face of a fresh wave of attacks that are spreading the DeadBolt ransomware.

QNAP's DeadBolt Ransomware

QNAP has just lately discovered a new campaign of the DeadBolt ransomware. At least according to the victim reports that have been collected so far, the attack appears to target QNAP NAS machines that are running QTS 4.x.

The organization has claimed that they are conducting a comprehensive investigation into the matter and will offer additional details as soon as they are available. Since the beginning of 2022, the company has already put out several other warnings, all of which told people to keep their devices up-to-date and not let them connect to the internet.

According to Bleeping Computer, when DeadBolt is executed on a NAS device that has been compromised, it utilizes AES128 to encrypt files and adds the extension ".deadbolt" to the names of the encrypted files. Also, it changes the file at /home/httpd/index.html so that the ransom letter is shown when the victim opens the encrypted device.

The threat actors behind the malware force its victims to pay through the cryptocurrency bitcoin. After the victims have paid the 0.03 bitcoin ransom, the threat actors will create a bitcoin transaction to the same bitcoin address that will contain the decryption key within the OP RETURN output of the transaction.

In January, QNAP issued a warning to its clients regarding the DeadBolt exploit, recommending they immediately update the QTS operating system to the most recent version and minimize the exposure their devices had to the outside world.

In February, it was discovered that the Deadbolt ransomware had also been targeting NAS devices that were manufactured by Asustor.

According to a March report from SecurityWeek, back then, the threat actors behind the malware would provide a master key that could be used to recover the files of the victims in exchange for a payment of 50 bitcoins. The malware's operators are also hoping to obtain information related to the vulnerabilities they have exploited from QNAP in exchange for 5 bitcoins.

QNAP's Recommendation

In order to ensure the safety of your network-attached storage (NAS), the company highly recommends that users immediately update QTS or QuTS hero to the most recent version.

QNAP also recommends the same process to those users who have already been attacked by the malware. The company stated, "Upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page."

According to QNAP, to update the QTS or QuTS hero:

First, connect as an administrator to QTS or QuTS hero through a web browser using any one of the following URLs:
- https://nas_ip:8080/cgi-bin/index.cgi
- https://nas_ip/cgi-bin/index.cgi

Second, to update the firmware, navigate to Control Panel > System > Update Firmware.

Lastly, click the "Check for Update" button located under Live Update.

Users can also update by going to the website of QNAP. Users only need to head over to Support, then click Download Center, and carry out a manual update for their particular device.