DeadBolt ransomware takes another shot at QNAP storage

Keep boxes updated and protected to avoid a NAS-ty shock

QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

The previous attacks occurred in January, March, and May.

Taiwan-based QNAP recommended enterprises whose NAS system have "already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page."

They should contact QNAP Assistance if they want to input a decryption key given by the attackers but are unable to find the ransom note after upgrading the firmware.

The cybercriminals behind DeadBolt primarily target NAS devices. QNAP systems are the main targets, though in February the group attacked NAS devices from Asustor, a subsidiary of systems maker Asus, said analysts with cybersecurity firm Trend Micro.

QNAP and its customers are examples of a growing interest by cybercriminals in NAS, Trend Micro wrote in a January report. Businesses are relying more on the Internet of Things (IoT) for constant connectivity, workflow continuity and access to data, the analysts said.

"Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to include network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses," they wrote. "More importantly, cybercriminals are aware that these tools hold valuable information and have only minimal security measures."

Of the 778 of known exploited vulnerabilities listed by the US government's Cybersecurity and Infrastructure Security Agency, eight are related to NAS devices and 10 involve QNAP.

The lowest-hanging fruit

Bud Broomhead, CEO of cybersecurity vendor Viakoo, told The Register NAS drives from QNAP and other vendors are often managed outside of a company's IT teams, making them attractive targets.

Criminals zero in on NAS drives for a range of reasons, including not being properly set up for security or managed by IT – so applying security patches tends to be slow – and being essentially invisible to corporate IT and security teams, so they aren't getting audited or seen when they fall out of compliance.

"QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money, as opposed to few victims being asked for large amounts," Broomhead said, adding that the low amount "asked for as ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved."

In addition, "ransomware is starting to shift towards data theft, as the cyber criminals can gain from both being paid the ransom as well as sale of the data. Threats against NAS devices will increase along with the shift to extending ransomware into data theft," he said.

"Any NAS device is a big target for ransomware since it is used to store a significant amount of business-critical data," Scott Bledsoe, CEO of encryption vendor Theon Technology, told The Register. "Given the large number of QNAP NAS devices that are currently deployed, the Deadbolt ransomware can be used to target a wide variety of organizations for profit by the attackers."

Censys, an attack surface management firm, said that in the January attack, 4,988 of 130,000 potential online QNAP NAS devices showed signs of being infected by DeadBolt, with the number reaching 1,146 in the March outbreak. Trend Micro analysts, in a report earlier this month, said the number of DeadBolt-infected devices seemed high.

DeadBolt is different from other NAS-focused ransomware not only the number of targeted victims, but also in some of its techniques, including offering multiple payment options – one for the user to restore their scrambled documents, and two for QNAP. That is to say, the manufacturer could in theory pay the ransom to unlock people's files using a master key, though it appears from the code and the encryption method that such a key wouldn't work anyway.

"Based on our analysis, we did not find any evidence that it's possible for the options provided to the vendor to work due to the way the files were encrypted," Trend opined, adding that the attackers use AES-128 to encrypt the data.

"Essentially, this means that if vendors pay any of the ransom amounts provided to them, they will not be able to get a master key to unlock all the files on behalf of affected users."

DeadBolt attackers demand individual victims pay .03 bitcoin, or about $1,160, for a key to decrypt their files. Vendors get two options, with one for information about the exploit used to infect the devices, and other for the aforementioned impractical master key. The ransom for the exploit info starts at five bitcoins, or about $193,000. The master decryption key costs 50 bitcoins, or more than $1 million.

Another unusual feature is how the DeadBolt slingers take payment. Most ransomware families involve complex steps victims must take to get their data returned. However, DeadBolt comes with a web UI that can decrypt the data once the ransom is paid. The blockchain transaction automatically sends the decryption key to the victim after payment.

"This is a unique process wherein victims do not need to contact the ransomware actors," Team Trend Micro wrote. "In fact, there is no way of doing so."

The heavily automated approach used by DeadBolt is something other ransomware gangs can learn from, they wrote.

"There is a lot of attention on ransomware families that focus on big-game hunting and one-off payments, but it's also important to keep in mind that ransomware families that focus on spray-and-pray types of attacks such as DeadBolt can also leave a lot of damage to end users and vendors," the team said.

To protect themselves, organization need to keep NAS devices updated and disconnected from the public internet at least – if it must be remotely accessible, use a secure VPN – use strong passwords and two-factor authentication, secure connections and ports, and shut down unused and out-of-date services. ®

Broader topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Cyberattack shuts down unemployment, labor websites across the US
    Software maker GSI took systems offline, affecting thousands of people in as many as 40 states

    A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.

    Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.

    In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading

Biting the hand that feeds IT © 1998–2022