Data recovery after Ransomware DeadBolt

25. March, 2022

Recover Script für Ransomware DeadBolt

Back in January, the ransomware DeadBolt caused a considerable wave of infections among QNAP, Asustor and TerraMaster users. The ransomware, which specialises in backup media, mainly targets private individuals and small businesses.

DeadBolt used a vulnerability to make the files on the NAS drives inaccessible using a customised AES128 encryption. The ransom demanded for the encrypted files was 0.03 bitcoins (about 1,200 euros). Firmware updates helped to stop DeadBolt.

New wave of attacks on QNAP users

The current wave of attacks is very similar to the one in January. DeadBolt attacks QNAP network storage and overwrites the original files with the encrypted version, which reduces the chance of recovery.

It is still unclear whether the current wave uses new attack paths or is only targeting unpatched systems. We strongly recommend installing available updates immediately to close known exploits, use strong passwords and change default ports and accesses.

The criminals behind the ransomware are once again demanding the same ransom amount of 0.03 Bitcoins and are continuing to try to extort QNAP as well: They are demanding 5 Bitcoin for information about the exploited vulnerability and 50 Bitcoin for a master key to restore all encrypted data.

Recover script and instructions for QNAP and Asustor

Two Austrian security researchers have written a script that can help QNAP and Asustor users get at least some of their data back. “By matching the size and file extension of the original and the non-deleted files, some of the information can be recovered,” said the researchers, who had already written a recover script for the ransomware Qlocker: “Note, however, that in most cases you can only recover a small part of your files!”

In one test case, 10% of the encrypted files could be recovered and an additional 30% that had not been encrypted could be found.

Download zip-file (description: DeadBolt Recover Manual, q-recover script: DeadBold Recover Script)

Worth reading:
Ransomware Qlocker: How to restore your data (for the most part)


Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500


Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download