QNAP, the Taiwanese manufacturer of network-attached storage (NAS) devices, has warned its users to protect their devices from new attacks by the DeadBolt ransomware. The company recommended updating NAS devices to the latest version of the software and disabling remote access to them via the Internet.
The attackers mainly target TS-x51 and TS-x53 series devices running QTS 4.3.6 and QTS 4.4.1.
QNAP recommends that users whose network drives are accessible via the Internet disable the port forwarding function on their routers and disable the UPnP function on the QNAP NAS.
Users who need to reach the NAS without exposing it directly to the Internet are advised to enable the VPN function on their routers (where possible), as well as to use the myQNAPcloud Link service and the VPN server that the QVPN Service application provides on QNAP devices, or the QuWAN SD-WAN solution.
The DeadBolt ransomware attacks on QNAP NAS devices were first recorded at the end of January 2022. The malware hijacked the device's login page and displayed a message on it saying that the files had been locked by DeadBolt.
After deployment on the device, the ransomware encrypts files using the AES-128 algorithm and appends the .deadbolt extension to their names. DeadBolt also replaces the file /home/httpd/index.html, so anyone who accesses a compromised device is shown a message about the encrypted files.
When the victim pays the ransom, the attackers create a bitcoin transaction to the same bitcoin address, and that transaction contains the key for recovering the files.
Information security expert Michael Gillespie has created a free tool for recovering encrypted files on Windows computers, but it does not work on QNAP devices.
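The two on-disk indicators described above (the .deadbolt extension and the replaced /home/httpd/index.html) can be checked on a read-only mount or copy of a NAS filesystem to scope what needs restoring from backup. This is an added example, not code from QNAP or from the original article; the names `triage` and `build_sample`, the sample tree, and the assumption that the replaced page contains the string "deadbolt" are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".deadbolt"        # extension the article says is appended
INDEX_PAGE = "home/httpd/index.html"  # page the article says is replaced (relative to root)
NOTE_MARKER = b"deadbolt"             # assumption: the replaced page names the malware


def triage(root):
    """Summarise DeadBolt indicators under root, a mount or copy of the NAS filesystem."""
    encrypted, intact = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            hit = name.lower().endswith(ENCRYPTED_SUFFIX)
            (encrypted if hit else intact)[rel] += 1
    index = Path(root, INDEX_PAGE)
    return {
        "index_replaced": index.is_file() and NOTE_MARKER in index.read_bytes().lower(),
        "encrypted_total": sum(encrypted.values()),
        "intact_total": sum(intact.values()),
        "affected_dirs": sorted(encrypted),
        # directories with no readable file left: restore these first
        "fully_encrypted_dirs": sorted(d for d in encrypted if intact[d] == 0),
    }


def build_sample(root):
    """Write a constructed sample tree (not real victim data) for the demonstration."""
    layout = {
        "share/Photos/a.jpg.deadbolt": b"\x00" * 16,
        "share/Photos/b.jpg.deadbolt": b"\x00" * 16,
        "share/Docs/report.odt.deadbolt": b"\x00" * 16,
        "share/Docs/notes.txt": b"still readable",
        "share/Music/track.flac": b"still readable",
        INDEX_PAGE: b"<html><body>Your files have been locked by DEADBOLT</body></html>",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A directory that appears in `affected_dirs` but not in `fully_encrypted_dirs` still holds readable files, which suggests the encryption run did not finish there.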