A new wave of DeadBolt Ransomware attacks hit QNAP NAS devices

Internet search engine Censys reported a new wave of DeadBolt ransomware attacks targeting QNAP NAS devices.

Internet search engine Censys reported that QNAP devices were targeted in a new wave of DeadBolt ransomware attacks.

Since January, DeadBolt ransomware operators are targeting QNAP NAS devices worldwide, its operators claim the availability of a zero-day exploit that allows them to encrypt the content of the infected systems.

Once encrypted the content of the device, the ransomware appends .deadboltextension to the name of the excerpted files and deface the login page of the QNAP NAS to display the following message:

“WARNING: Your files have been locked by DeadBolt”

The hijacked QNAP login screen displays a ransom note demanding the payment of 0.03 BTC ransom (roughly $1277) to receive a decryption key to recover the files.

The ransom note also includes a link titled “important message for QNAP,” which points to a page that offers technical details of the alleged zero-day vulnerability in QNAP NAS devices for 5 BTC (approximately $212,000).

Ransomware operators are also offering for sale the QNAP the master decryption key for 50 BTC which could allow all the victims of this ransomware family to decrypt their files.

At the end of January, QNAP forced the firmware update for its Network Attached Storage (NAS) devices to protect its customers against the DeadBolt ransomware.

In February, storage solutions provider Asustor warned its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices.

Now Censys reported that the number of QNAP devices infected with DeadBolt peaked in January. On January 26, around 5,000 of the 130,000 QNAP NAS devices exposed online were infected by ransomware.

“At its peak on January 26th, 2022, Censys observed 4,988 Deadbolt-infected services out of the 130,000 QNAP devices currently on the internet. If every victim had paid the ransom, this attack would have netted the hackers about $4,484,700.” reads the post published by Censys.”Fortunately, QNAP jumped into action with a forced firmware update that allegedly fixed the issue (which had its own set of problems), and for the next few months, the infections declined to less than 300 devices. It was looking like this problem was behind us.”

After QNAP forced the firmware security update, the number of infections dropped to less than 300 in March.

Unfortunately, the number of infections raised again over the past few days, and querying the Censys Internet search engine, we can determine that currently there are 1308 infected QNAP NAS devices.

However, there has been a surge in QNAP device infections over the past days. In a blog post published on Monday, Censys said there had been 1,146 hacked devices on March 19. At the time of writing, on March 22, that number had gone up to nearly 1,500.

“At this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it’s the original exploit targeting unpatched QNAP devices” continues Censys.

“A majority of these devices were identified running the QNAP QTS Linux kernel version 5.10.60. The new infections do not seem to be targeting a specific organization or country, infections seem to be evenly split between various consumer internet service providers.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)

[adrotate banner=”5″]

[adrotate banner=”13″]