DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that begin in mid-March and signals a new targeting of the Taiwan-based network-attached storage (NAS) devices by the fledgling threat, researchers said.
Researchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, with a total of 373 infections that day. That number that rose to 1,146 devices by March 19, according to a blog post by Censys senior security researcher Mark Ellzey.
The current attacks harken back to January, when the company had to push out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that were greeting customers with the ransomware group’s screen when they logged in, effectively locking them out of the device.
The new wave of attacks ostensibly follow the same pattern as January’s wave, but the majority of the victims are running the QNAP QTS Linux kernel version 5.10.60, Ellzey said. That’s a later version than the update (QTS 5.0.0.1891) pushed out to customers in January.
That said, “at this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it’s the original exploit targeting unpatched QNAP devices,” he acknowledged.
Moreover, the new infections do not seem to be targeting a specific organization or country; they seem to be evenly split between subscribers of various consumer internet service providers, Ellzey added.
Déjà Vu for QNAP Customers
The attacks behave the same as the January attacks as far as what the customers experience — and they ask for the same ransom as previous DeadBolt attacks on QNAP devices, Ellzey said.
“Except for the [Bitcoin] addresses used to send ransoms to, the attack remains the same: backup files are encrypted, the web administration interface is modified, and victims are greeted with [ransom] messages,” he wrote in the post.
The attackers are asking for 0.03 Bitcoin for a decryption key, which is about $1,223 at today’s exchange rate. They’re also asking for a ransom from QNAP itself: 5 bitcoin or $203,988, for information related to the vulnerabilities; and 50 bitcoin, or about $2 million, for a master key to unlock all affected victims, Ellzey said.
QNAP is not the only company in the crosshairs of DeadBolt, which first came to researchers’ attention due to the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting ASUSTOR ADM devices, according to Censys.
Attack Detection
Censys researchers picked up on the latest wave of QNAP attacks due to the unique way the current DeadBolt ransomware variant communicates with victims, according to the post.
“Instead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption, and vandalizes the web-administration interface with an informational message explaining how to remove the infection,” Ellzey wrote.
Therefore, using a simple search query, Censys “could easily find infected devices exposed on the public internet,” according to the post.
Along with general information about what hosts were infected with DeadBolt, researchers also obtained and tracked every unique Bitcoin wallet address used as a ransom drop, Ellzey added.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.
