Data recovery after Ransomware DeadBolt

25. March, 2022

Recover Script for Ransomware DeadBolt

Back in January, the ransomware DeadBolt caused a considerable wave of infections among QNAP, Asustor and TerraMaster users. The ransomware, which specialises in backup media, mainly targets private individuals and small businesses.

DeadBolt used a vulnerability to make the files on the NAS drives inaccessible using a customised AES128 encryption. The ransom demanded for the encrypted files was 0.03 bitcoins (about 1,200 euros). Firmware updates helped to stop DeadBolt.

New wave of attacks on QNAP users

The current wave of attacks is very similar to the one in January. DeadBolt attacks QNAP network storage and overwrites the original files with the encrypted version, which reduces the chance of recovery.

It is still unclear whether the current wave uses new attack paths or is only targeting unpatched systems. We strongly recommend installing available updates immediately to close known vulnerabilities, using strong passwords and changing default ports and access settings.

The criminals behind the ransomware are once again demanding the same ransom of 0.03 bitcoins and are continuing to try to extort QNAP as well: they are demanding 5 bitcoins for information about the exploited vulnerability and 50 bitcoins for a master key to restore all encrypted data.

Recover script and instructions for QNAP and Asustor

Two Austrian security researchers have written a script that can help QNAP and Asustor users get at least some of their data back. “By matching the size and file extension of the original and the non-deleted files, some of the information can be recovered,” said the researchers, who had already written a recover script for the ransomware Qlocker: “Note, however, that in most cases you can only recover a small part of your files!”

In one test case, 10% of the encrypted files could be recovered and an additional 30% that had not been encrypted could be found.
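The size-and-extension matching the researchers describe can be illustrated as follows. This is an added example, not the q-recover script. It assumes that encrypted files carry a `.deadbolt` suffix, that each encrypted copy is a fixed number of bytes (`overhead`) longer than its original, and that unencrypted candidates sit in a separate folder; all function names and sample files are constructed for the illustration.

```python
import os
import tempfile
from collections import defaultdict

SUFFIX = ".deadbolt"  # assumption: suffix appended to encrypted file names

def index_files(root, suffix="", overhead=0):
    """Group files under root by (original size, original extension)."""
    index = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffix):
                ext = os.path.splitext(name[:len(name) - len(suffix)])[1].lower()
                path = os.path.join(dirpath, name)
                index[(os.path.getsize(path) - overhead, ext)].append(path)
    return index

def match(encrypted_root, candidates_root, overhead):
    """overhead: assumed number of bytes an encrypted copy exceeds its original by."""
    enc = index_files(encrypted_root, SUFFIX, overhead)
    cand = index_files(candidates_root)
    unique, ambiguous, unmatched = {}, {}, []
    for key, enc_paths in enc.items():
        hits = sorted(cand.get(key, []))
        if len(enc_paths) == 1 and len(hits) == 1:
            unique[enc_paths[0]] = hits[0]  # one-to-one: name and path can be restored
        elif hits:
            ambiguous.update({p: hits for p in enc_paths})  # needs manual review
        else:
            unmatched.extend(enc_paths)  # no unencrypted copy of that size and type
    return unique, ambiguous, sorted(unmatched)

def demo(overhead=16):  # constructed sample tree; candidates carry tool-assigned names
    def put(folder, name, size):
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    base = os.path.basename
    with tempfile.TemporaryDirectory() as tmp:
        nas, carved = os.path.join(tmp, "nas"), os.path.join(tmp, "carved")
        for name, size in [("tax.pdf", 300), ("a.jpg", 500), ("b.jpg", 500), ("cv.docx", 90)]:
            put(nas, name + SUFFIX, size + overhead)
        for name, size in [("f001.pdf", 300), ("f002.jpg", 500), ("f003.txt", 90)]:
            put(carved, name, size)
        u, a, m = match(nas, carved, overhead)
        return ({base(k): base(v) for k, v in u.items()},
                {base(k): [base(x) for x in v] for k, v in a.items()}, [base(p) for p in m])

if __name__ == "__main__":
    print(demo())
```

Equal size and extension do not prove equal content, which is why two encrypted files competing for one candidate are reported as ambiguous rather than paired.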

Download zip file (description: DeadBolt Recover Manual, q-recover script: DeadBolt Recover Script)

Worth reading:
Ransomware Qlocker: How to restore your data (for the most part)

Sources:
https://censys.io/deadbolt-ransomware-is-back/
