Back in January, the ransomware DeadBolt caused a considerable wave of infections among QNAP, Asustor and TerraMaster users. The ransomware, which specialises in backup media, mainly targets private individuals and small businesses.
DeadBolt used a vulnerability to make the files on the NAS drives inaccessible using a customised AES128 encryption. The ransom demanded for the encrypted files was 0.03 bitcoins (about 1,200 euros). Firmware updates helped to stop DeadBolt.
New wave of attacks on QNAP users
The current wave of attacks is very similar to the one in January. DeadBolt attacks QNAP network storage and overwrites the original files with the encrypted version, which reduces the chance of recovery.
It is still unclear whether the current wave uses new attack paths or is only targeting unpatched systems. We strongly recommend installing available updates immediately to close known exploits, use strong passwords and change default ports and accesses.
The criminals behind the ransomware are once again demanding the same ransom amount of 0.03 Bitcoins and are continuing to try to extort QNAP as well: They are demanding 5 Bitcoin for information about the exploited vulnerability and 50 Bitcoin for a master key to restore all encrypted data.
Recover script and instructions for QNAP and Asustor
Two Austrian security researchers have written a script that can help QNAP and Asustor users get at least some of their data back. “By matching the size and file extension of the original and the non-deleted files, some of the information can be recovered,” said the researchers, who had already written a recover script for the ransomware Qlocker: “Note, however, that in most cases you can only recover a small part of your files!”
In one test case, 10% of the encrypted files could be recovered and an additional 30% that had not been encrypted could be found.
Download zip-file (description: DeadBolt Recover Manual, q-recover script: DeadBold Recover Script)