You are here: / / / / Data recovery after Ransomware DeadBolt

Data recovery after Ransomware DeadBolt

25. March, 2022

Recover Script für Ransomware DeadBolt

Back in January, the ransomware DeadBolt caused a considerable wave of infections among QNAP, Asustor and TerraMaster users. The ransomware, which specialises in backup media, mainly targets private individuals and small businesses.

DeadBolt used a vulnerability to make the files on the NAS drives inaccessible using a customised AES128 encryption. The ransom demanded for the encrypted files was 0.03 bitcoins (about 1,200 euros). Firmware updates helped to stop DeadBolt.

New wave of attacks on QNAP users

The current wave of attacks is very similar to the one in January. DeadBolt attacks QNAP network storage and overwrites the original files with the encrypted version, which reduces the chance of recovery.

It is still unclear whether the current wave uses new attack paths or is only targeting unpatched systems. We strongly recommend installing available updates immediately to close known exploits, use strong passwords and change default ports and accesses.

The criminals behind the ransomware are once again demanding the same ransom amount of 0.03 Bitcoins and are continuing to try to extort QNAP as well: They are demanding 5 Bitcoin for information about the exploited vulnerability and 50 Bitcoin for a master key to restore all encrypted data.

Recover script and instructions for QNAP and Asustor

Two Austrian security researchers have written a script that can help QNAP and Asustor users get at least some of their data back. “By matching the size and file extension of the original and the non-deleted files, some of the information can be recovered,” said the researchers, who had already written a recover script for the ransomware Qlocker: “Note, however, that in most cases you can only recover a small part of your files!”

In one test case, 10% of the encrypted files could be recovered and an additional 30% that had not been encrypted could be found.

Download zip-file (description: DeadBolt Recover Manual, q-recover script: DeadBold Recover Script)

Worth reading:
Ransomware Qlocker: How to restore your data (for the most part)

Sources:
https://censys.io/deadbolt-ransomware-is-back/

Security tips conveniently in your inbox: Subscribe to IKARUS News now
Account Management

Account management: The underestimated risk of forgotten user accounts

Bedrohung

Threat Modelling: Guidelines for creating practical threat models

Indicators of Attack

IoC and IoA: definition, examples, benefits

Gefahren durch vertrauenswürdige Services

Living off Trusted Sites: cyber attackers abuse legal services

Threat Intelligence

Effective integration of threat intelligence with cyber defence

SQL Injection

SQL Injection: Attacks by malicious code in website requests

SMTP Smuggling

IKARUS mail.security detects SMTP smuggling

Cyber-Risiken in der Ferienzeit

Cyber risks in the holiday season

passkey

Passkeys as a secure alternative to passwords

Dynamische Cybersicherheit

5 top IT security strategies for dynamic cyber security

NIS2

NIS2 Directive successfully implemented

Harmony Mobile by Check Point

Harmony Mobile new in the IKARUS portfolio

EU Machinery Regulation

EU Machinery Regulation 2023

Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest
NIS2

Cyber Security Schecks 2023: Funding for NIS2-affected SMEs

Infostealer

Recognise, understand and defend against info stealers

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download

MORE INFORMATION

Webshop
Legal notice
GTC
EULA
Privacy Policy
Manufacturing at No. 1 of cyberattacks in 2021RobotDORACybersecurity for financial service provider: DORA on the way