Conti, DeadBolt Ransomwares Target Delta, QNAP

QNAP had to push out an unexpected (and not entirely welcome) NAS device update, and Delta Electronics’ network has been crippled.

Two Taiwanese companies were affected by separate ransomware incidents this week, forcing one to scramble to restore crippled systems and another to push out an emergency update to mitigate attacks on its customers.

Delta Electronics, an electronics company that provides products for Apple, Tesla, HP and Dell, disclosed Friday that “non-critical systems” were attacked by “overseas hackers” – an attack that’s been attributed to the Conti Group.

Meanwhile, Taiwanese storage and networking equipment provider QNAP Systems pushed an update to its customers’ network-attached storage (NAS) devices after warning them earlier this week that the DeadBolt ransomware was actively targeting them.


“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement.

More Disruptive Attacks

Ransomware volumes hit record highs in 2021, and the trend shows no sign of slowing in 2022. Attackers also appear to be choosing targets whose compromise ripples out across an ecosystem of customers and technology partners, hitting several industries at once and pressuring victims to respond quickly, one security professional observed.

“Cybercriminals continue to target organizations that provide a service or product to larger organizations with the expectation that they cannot suffer downtime due to a ransomware attack and will be inclined to pay up faster,” James McQuiggan, security awareness advocate at security firm KnowBe4, said in an email to Threatpost.

Conti’s attack on Delta Electronics, which occurred last Friday, could affect the high-profile U.S. customers the company supplies if it is not contained.

Delta officials said in their statement that the company reacted quickly to the attack, which has had “no significant impact on operations.” Delta is working with Trend Micro and Microsoft as well as the appropriate authorities to investigate the attack and restore the systems affected, according to reports.

However, the Taiwanese news outlet CTWANT painted a far more dire picture, claiming that the attackers, identified as the Conti Group, encrypted more than 1,500 servers and more than 12,000 of the company’s 65,000 computers, and that they are demanding a ransom of $15 million to decrypt the data.

Further, a report in Recorded Future’s The Record said that the company still has not restored most of its systems and is using an alternative web server to communicate with customers, while its official website remains offline for “system maintenance,” according to a message on its homepage.

Targeted Assault on QNAP NAS

While Delta grapples with the aftermath of the Conti attack, fellow Taiwanese company QNAP had to do a clean-up of its own after customers this week began reporting on QNAP message boards and Twitter that the DeadBolt ransomware screen was coming up when they logged into their QNAP NAS devices.

“I just got hacked,” tweeted one of the victims, MIT research scientist and podcast host Lex Fridman on Thursday. “Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files.”

As of Friday morning, a Censys search turned up 3,687 internet-exposed QNAP NAS devices already serving the DeadBolt ransom page, the externally visible sign of an encrypted device. The ransomware reportedly appends the .deadbolt extension to file names, locking customers out of their data.

The ransomware also replaces the device’s regular HTML login page with a ransom note demanding 0.03 bitcoins, or about $1,100, to receive a decryption key and recover data.

Fridman said the attackers were asking $1,000 from individuals or $1.8 million from QNAP for a decryption key. “I have 50 TB of data there, none of it essential or sensitive, but it hurts a lot,” he tweeted. “Time for a fresh start.”

Ransomware-Inspired Update

QNAP responded to the reports first by asking all of its NAS customers to immediately update their QNAP NAS devices to the latest version of the firmware, version 5.0.0.1891, released on Dec. 23. However, overnight on Thursday, the company began forcing the update out to all affected QNAP NAS devices.

Though the company appeared to have its customers’ best interests in mind, not all of them were happy with the unexpected update.

“You do realize that for those who have deployed QNAPs in production environments, when you as a vendor force an update that your customer ISN’T EXPECTING, it can cause an outage at potentially bad times,” grumbled one user called EvilMastermindG on a Reddit QNAP message board. “Worse, an update can break or remove functionality that the customer was relying on.”

Rather than force its hand, QNAP should have exercised transparency and told customers exactly what security vulnerabilities were present in the devices, regardless of how it might reflect on the company, the user said.

“What you SHOULD do as a company is to effectively communicate specifically what the security vulnerabilities are, even if they’re stupid enough to make you guys look bad, and then let them make their own decisions as far as mitigation,” EvilMastermindG said.

QNAP’s own mitigation advice starts with opening the Security Counselor app on the NAS and checking whether it reports the device as directly reachable from the internet; a device that is, the company says, is “at high risk” of attack.

For exposed devices, QNAP says to disable the router’s port-forwarding rules for the NAS and to turn off the Universal Plug and Play (UPnP) function on the NAS itself, so the device can no longer open ports on the router on its own behalf.
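To make that exposure check concrete, the following is an added example, not QNAP’s code or guidance. It audits the port-mapping table that UPnP lets a NAS (or any LAN client) create on a home router, using the standard UPnP IGD action GetGenericPortMappingEntry on the WANIPConnection:1 service, and flags every enabled mapping whose internal target is the NAS. The router control URL, the NAS address 192.168.1.50 and the sample SOAP responses are assumptions constructed for the example; running it against a live router goes through fetch_responses(), which needs network access.

```python
# Added example for this article (not QNAP's or Threatpost's code). Audits a
# UPnP IGD router's port-mapping table for entries that expose a NAS.
# Assumed: the router control URL is known (from its description XML) and the
# NAS sits at 192.168.1.50 on the LAN.
from typing import Optional
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
NAS_IP = "192.168.1.50"  # assumed LAN address of the NAS


def soap_request(index: int) -> bytes:
    """SOAP body asking the router for mapping-table entry number `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_text: str) -> Optional[dict]:
    """Parse one GetGenericPortMappingEntryResponse; None on a SOAP Fault,
    which is how the router signals that the index is past the table end."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    f = {child.tag: (child.text or "") for child in resp}  # children carry no namespace
    return {
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_client": f["NewInternalClient"],
        "internal_port": int(f["NewInternalPort"]),
        "enabled": f["NewEnabled"] == "1",
        "description": f.get("NewPortMappingDescription", ""),
    }


def exposed_mappings(responses, nas_ip: str = NAS_IP) -> list:
    """Walk responses until the first fault; keep enabled mappings that
    forward internet traffic to the NAS."""
    exposed = []
    for body in responses:
        m = parse_mapping(body)
        if m is None:
            break
        if m["enabled"] and m["internal_client"] == nas_ip:
            exposed.append(m)
    return exposed


def fetch_responses(control_url: str, max_entries: int = 256):
    """Yield raw SOAP responses from a live router (network only).
    A SOAP fault arrives as HTTP 500, so the error body is yielded too."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    for i in range(max_entries):
        req = urllib.request.Request(control_url, data=soap_request(i), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                yield r.read().decode()
        except urllib.error.HTTPError as e:
            yield e.read().decode()
            return


def _sample_response(ext_port, proto, client, int_port, enabled, desc) -> str:
    """Constructed sample of a router's response (not a real capture)."""
    return (
        f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{int(enabled)}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


SAMPLE_FAULT = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    '</s:Fault></s:Body></s:Envelope>'
)

# Constructed table: NAS web UI forwarded to the internet, a mapping to another
# LAN host, a disabled mapping to the NAS, then the end-of-table fault.
SAMPLE_RESPONSES = [
    _sample_response(8080, "TCP", NAS_IP, 8080, True, "NAS web admin"),
    _sample_response(443, "TCP", "192.168.1.20", 443, True, "web server"),
    _sample_response(22, "TCP", NAS_IP, 22, False, "ssh (disabled)"),
    SAMPLE_FAULT,
]

if __name__ == "__main__":
    # Offline run; for a live router pass fetch_responses("<control URL>") instead.
    for m in exposed_mappings(SAMPLE_RESPONSES):
        print(f"EXPOSED: {m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Any entry the audit prints is a hole in the router that reaches the NAS. Remove it on the router (or with the IGD’s DeletePortMapping action) and then disable UPnP on the NAS, otherwise the device can simply recreate the mapping.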


Discussion

  • Chris Ingram on

    The end of the article says it all... Never enable Universal Plug and Play! UPnP has been a security nightmare since its introduction. Disabling UPnP is the first thing we do when configuring a new device. It sure would be nice if vendors shipped all products with UPnP disabled. As far as I can tell, this is still rare. Even better, do away with UPnP altogether. Just my 2 cents. Please stay CyberAware
  • Andrew Moore on

    I had two-level protection with password validation via SMS to my phone. My files have, however, been deadbolted. How can it therefore be, as QNAP is claiming, that only users with no protection were targeted? I thought I had protection. It also shows that the attack was made via QNAP and not by looking for individual users who were not protected.
  • ogkush on

    Please allow me to explain: exploits don't need passwords/2FA. It's all about vulnerabilities in the code running in your operating system. The issue with all routers/NAS since the beginning is that they rely on some OS, mostly Linux (because it's free), but nobody cares about system updates. Normally Linux gets updated daily or at least weekly, but vendors don't want to spend money creating and shipping system updates. So by default most IoT is very dangerous for life! If you want to save offline and watch, you can use a NAS (without internet access); if you want to save and access online, use things like OneDrive or Google Drive, because they really care about security and spend a lot of money. So grab some bundle instead of buying and paying for always-crippled devices that only update when they are on fire from social media. (Sorry, English is not my first language.)
  • ogkush on

    I would like to share a story: In the past, a group of guys found out that they could hack a router, and they made it possible for users of that router to get some advanced functions (I think the name was Tomato). What did vendors worldwide do? Make new routers with a patch against that. What they failed to see is that this was the start of a new distro for routers, something just like Windows or Ubuntu and others. They failed to sponsor bright minds, and thus failed to create a ROUTER AUTHORITY for cheap brands. Open source needs sponsors, because talking is cheap, coding is hard.
