Deadbolt Ransomware targets Asustor and QNAP NAS Devices

Pierluigi Paganini February 24, 2022

Deadbolt ransomware operators are targeting Asustor NAS (network-attached storage) appliances.

Storage solutions provider Asustor is warning its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices.

Since January, DeadBolt ransomware operators have been targeting QNAP NAS devices worldwide; the operators claim to have a zero-day exploit that allows them to encrypt the content of the infected systems.

Once it has encrypted the content of the device, the ransomware appends the .deadbolt extension to the names of the encrypted files and defaces the login page of the QNAP NAS to display the following message:

“WARNING: Your files have been locked by DeadBolt”

[Image: DeadBolt ransomware. Source: DarkFeed, Twitter]

The hijacked QNAP login screen displays a ransom note demanding the payment of a 0.03 BTC ransom (roughly $1017) to receive a decryption key to recover the files.

At the end of January, QNAP forced a firmware update for its Network Attached Storage (NAS) devices to protect its customers against the DeadBolt ransomware.

In response to the recent attack, Asustor is urging its customers to secure their NAS devices by implementing best practices, including changing default settings, backing up the content of the devices, disabling EZ Connect, and turning off Terminal/SSH and SFTP services.

“In response to Deadbolt ransomware attacks affecting ASUSTOR devices, myasustor.com DDNS service will be disabled as the issue is investigated.” reads the advisory published by the vendor. “For your protection, we recommend the following measures:

  • Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
  • Disable EZ Connect for remote access.
  • Make an immediate backup.
  • Turn off Terminal/SSH and SFTP services.”
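
One way to confirm that the advisory's settings have taken effect on a NAS you administer, as an added example that is not part of the vendor advisory or the original article. It tries a TCP connection to each port the advisory names; port 22 for Terminal/SSH and SFTP is an assumption (the advisory gives no port number), and the address 192.0.2.10 is a placeholder.

```python
import socket

# Ports named in the Asustor advisory quoted above. Port 22 is an assumption:
# the advisory names Terminal/SSH and SFTP but gives no port number for them.
ADVISORY_PORTS = {
    8000: "default NAS web access",
    8001: "default NAS web access",
    80: "remote web access",
    443: "remote web access",
    22: "Terminal/SSH and SFTP (assumed default port)",
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit(host, ports=ADVISORY_PORTS, timeout=2.0):
    """Map each port to (label, reachable) for one NAS you administer."""
    return {p: (label, port_open(host, p, timeout)) for p, label in ports.items()}


def findings(results):
    """Turn audit results into one remediation line per port that still answers."""
    return [
        f"port {p} still answers: {label}; change or disable it per the advisory"
        for p, (label, is_open) in sorted(results.items())
        if is_open
    ]


if __name__ == "__main__":
    import sys

    # 192.0.2.10 is a documentation placeholder; pass your NAS address instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    lines = findings(audit(host))
    print("\n".join(lines) or f"no advisory ports answer on {host}")
    sys.exit(1 if lines else 0)
```

Run from inside the LAN, it confirms the settings were changed; run from a host outside your network, it shows what is still exposed to the internet.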

The vendor also recommends that customers whose appliances have been compromised by the Deadbolt ransomware follow the steps below.

1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.

https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform

The New Zealand CERT published an advisory to warn of attacks on some internet-facing Asustor models, including AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T.

“Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.deadbolt’ extension.” reads the advisory.

“Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models: AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T”


(SecurityAffairs – hacking, Deadbolt ransomware)
