New DeadBolt ransomware targets QNAP NAS devices

New malware is targeting targets QNAP NAS devices, it is the DeadBolt ransomware and ask 50 BTC for master key

DeadBolt ransomware is targeting QNAP NAS devices worldwide, its operators claim the availability of a zero-day exploit that allows them to encrypt the content of the infected systems.

Once encrypted the content of the device, the ransomware appends .deadbolt extension to the name of the excerpted files and deface the login page of the QNAP NAS to display the following message:

“WARNING: Your files have been locked by DeadBolt”

Source DarkFeed Twitter

The hijacked QNAP login screen displays a ransom note demanding the payment of 0.03 BTC ransom (roughly $1017) to receive a decryption key to recover the files.

Operators claim a transparent process for the delivery of the decryption key directly to the Bitcoin blockchain. The decryption key is stored directly in the OP_RETURN field of a transaction made by the operators in response to the payment. Victims can retrieve the key by monitoring the address they have they made the ransom payment.

After payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the decryption key (composed of 32 characters), which can be retrieved using the following instructions.

At this time there is no confirmation that paying a ransom will allow the victims to decrypt their files.

The ransom note also includes a link titled “important message for QNAP,” which points to a page that offers technical details of the alleged zero-day vulnerability in QNAP NAS devices for 5 BTC (approximately $184,000).

They are also offering for sale the QNAP the master decryption key for 50 BTC which could allow all the victims of this ransomware family to decryp their files.

“Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” reads the message, as reported by BleepingComputer.

“You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com.”

QNAP continues to be a privileged target for cybercriminals, recently a new wave of Qlocker ransomware was observed targeting QNAP NAS devices worldwide. In December 2021, another wave of ech0raix ransomware attacks started targeting QNAP network-attached storage (NAS) devices.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.