Conti, DeadBolt Ransomwares Target Delta, QNAP

QNAP had to push out an unexpected (and not entirely welcome) NAS device update, and Delta Electronics’ network has been crippled.

Two Taiwanese companies were affected by separate ransomware incidents this week, forcing one to scramble to restore crippled systems and another to push out an emergency update to mitigate attacks on its customers.

Delta Electronics, an electronics company that provides products for Apple, Tesla, HP and Dell, disclosed Friday that “non-critical systems” were attacked by “overseas hackers” – an attack that’s been attributed to the Conti Group.

Meanwhile, Taiwanese storage and networking equipment provider QNAP Systems forced out an update to its customers’ network attached storage (NAS) devices after warning them earlier this week that the DeadBolt ransomware was in offensive mode against them.

Infosec Insiders Newsletter

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement.

More Disruptive Attacks

Indeed, ransomware, the volumes of which hit record highs in 2021, shows no signs of slowing in 2022. In fact, attackers appear to be taking aim at companies in a way that can cause even more disruption by creating a ripple effect across their ecosystem of customers and technology partners, hitting numerous industries at once and forcing victims to respond quickly, observed one security professional.

“Cybercriminals continue to target organizations that provide a service or product to larger organizations with the expectation that they cannot suffer downtime due to a ransomware attack and will be inclined to pay up faster,” James McQuiggan, security awareness advocate at security firm KnowBe4, said in an email to Threatpost.

Indeed, Conti’s attack on Delta Electronics – which occurred last Friday – has the potential to affect the high-profile customers to whom it supplies products in the United States if it’s not contained.

Delta officials said in their statement that the company reacted quickly to the attack, which has had “no significant impact on operations.” Delta is working with Trend Micro and Microsoft as well as the appropriate authorities to investigate the attack and restore the systems affected, according to reports.

However, the Taiwanese news outlet CTWANT painted a far more dire picture, claiming that attackers – identified as the Conti Group – encrypted more than 1,500 servers and more than 12,000 of the company’s 65,000 computers and is demanding a ransom of $15 million to decrypt the data.

Further, a report in Recorded Future’s The Record said that the company still has not restored most of its systems, using an alternative web server to communicate with customers while its official website remains offline for “system maintenance,” according to a message on its homepage.

Targeted Assault on QNAP NAS

While Delta grapples with the aftermath of the Conti attack, fellow Taiwanese company QNAP had to do a clean-up of its own after customers this week began reporting on QNAP message boards and Twitter that the DeadBolt ransomware screen was coming up when they logged into their QNAP NAS devices.

“I just got hacked,” tweeted one of the victims, MIT research scientist and podcast host Lex Fridman on Thursday. “Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files.”

As of Friday morning, a search on Censys showed that DeadBolt had already encrypted 3,687 of the NAS devices. The ransomware reportedly adds the .deadbolt extension to file names to lock customers out.

The ransomware also replaces the device’s regular HTML login page with a ransom note demanding 0.03 bitcoins, or about $1,100, to receive a decryption key and recover data.

Indeed, Fridman said attackers were asking $1,000 from individuals or $1.8 million from QNAP for a decryption key. “I have 50tb of data there, none of it essential or sensitive, but it hurts a lot,” he tweeted. “Time for a fresh start.”

Ransomware-Inspired Update

QNAP responded to the reports first by asking all of its NAS customers to immediately update their QNAP NAS devices to the latest version of the firmware, version 5.0.0.1891, released on Dec. 23. However, overnight on Thursday, the company began forcing the update out to all affected QNAP NAS devices.

Though the company appeared to have its customers’ best interests in mind with the move, not all of them were happy by the unexpected update.

“You do realize that for those who have deployed QNAPs in production environments, when you as a vendor force an update that your customer ISN’T EXPECTING, it can cause an outage at potentially bad times,” grumbled one user called EvilMastermindG on a Reddit QNAP message board. “Worse, an update can break or remove functionality that the customer was relying on.”

Rather than force its hand, QNAP should have exercised transparency and told customers exactly what security vulnerabilities were present in the devices, regardless of how it might reflect on the company, the user said.

“What you SHOULD do as a company is to effectively communicate specifically what the security vulnerabilities are, even if they’re stupid enough to make you guys look bad, and then let them make their own decisions as far as mitigation,” EvilMastermindG said.

Those potential mitigation tactics include opening the Security Counselor on QNAP NAS devices and checking to see if they are exposed to the internet, which means they’re “at high risk” of attack by threat actors, according to QNAP.

The company also said that customers with exposed NAS devices can disable both the Port Forwarding function of the router as well as the Universal Plug and Play function of the device to protect the devices against attack.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles