Deadbolt Ransomware targets Asustor and QNAP NAS Devices

Deadbolt ransomware operators are targeting Asustor NAS (network-attached storage) appliances.

Storage solutions provider Asustor is warning its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices.

Since January, DeadBolt ransomware operators have been targeting QNAP NAS devices worldwide. The operators claim to have a zero-day exploit that allows them to encrypt the content of the infected systems.

Once it has encrypted the content of the device, the ransomware appends the .deadbolt extension to the names of the encrypted files and defaces the login page of the QNAP NAS to display the following message:

“WARNING: Your files have been locked by DeadBolt”

Source DarkFeed Twitter

The hijacked QNAP login screen displays a ransom note demanding a payment of 0.03 BTC (roughly $1017) in exchange for a decryption key to recover the files.

At the end of January, QNAP forced a firmware update for its Network Attached Storage (NAS) devices to protect its customers against the DeadBolt ransomware.

In response to the recent attack, Asustor is urging its customers to secure their NAS devices by implementing best practices, including changing default settings, backing up the content of the devices, disabling EZ Connect, and turning off Terminal/SSH and SFTP services.

“In response to Deadbolt ransomware attacks affecting ASUSTOR devices, myasustor.com DDNS service will be disabled as the issue is investigated.” reads the advisory published by the vendor. “For your protection, we recommend the following measures:

  • Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
  • Disable EZ Connect for remote access.
  • Make an immediate backup.
  • Turn off Terminal/SSH and SFTP services.”
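As an added example (not part of the vendor advisory or the original article), the following script checks a NAS you administer against the list above: it reports which of the named ports still accept connections and counts files carrying the `.deadbolt` suffix on a mounted share. Port 22 for Terminal/SSH and SFTP is an assumption (the usual default), and the function names are illustrative.

```python
"""Added example: check a NAS you administer against the advisory's hardening list."""
import os
import socket

# Ports named in the advisory; 22 is an assumption (the usual SSH/SFTP default).
ADVISORY_PORTS = {
    8000: "default NAS web access",
    8001: "default NAS web access",
    80: "remote web access",
    443: "remote web access",
    22: "Terminal/SSH and SFTP (assumed default port)",
}


def open_ports(host, ports=ADVISORY_PORTS, timeout=1.0):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    reachable = {}
    for port, label in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[port] = label
        except OSError:
            pass  # closed, filtered or timed out: not reachable from here
    return reachable


def find_locked_files(root, suffix=".deadbolt"):
    """List files under `root` (e.g. a mounted share) that carry the ransomware suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if f.lower().endswith(suffix))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    host, share = sys.argv[1], sys.argv[2]  # your own NAS address and a mounted share
    for port, label in open_ports(host).items():
        print(f"still reachable: {port}/tcp  {label}")
    locked = find_locked_files(share)
    print(f"{len(locked)} file(s) with .deadbolt suffix under {share}")
```

Results reflect reachability from the machine running the script, so a check from inside the LAN does not by itself show whether the ports are exposed to the internet.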

The vendor also recommends that customers whose appliances have been compromised by the Deadbolt ransomware follow the steps below.

1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.

https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform

The New Zealand CERT published an advisory to warn of attacks on some internet-facing Asustor models, including AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T.

“Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.deadbolt’ extension.” reads the advisory.

“Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models: AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T”


Pierluigi Paganini

(SecurityAffairs – hacking, Deadbolt ransomware)
