QNAP, a network-attached storage (NAS) company, issued a fresh security alert on Friday, advising consumers to protect their devices against a new wave of DeadBolt ransomware attacks.
Users should update their NAS devices to the newest firmware version and make sure they’re not vulnerable to remote access via the Internet, according to the company.
“A fresh DeadBolt ransomware attack was just discovered by QNAP. The campaign appears to be targeting QNAP NAS equipment running QTS 4.x, according to victim reports so far,” QNAP said in a statement today.
“We are conducting a comprehensive investigation and will offer additional information as soon as feasible.”
This warning follows three other advisories the company has issued since the start of 2022 [1, 2, 3], all of which advised customers to keep their devices up to date and not expose them to Internet access.
Customers are being asked to upgrade their devices
All users should update the QTS or QuTS hero operating system on their NAS devices to the current version immediately, according to the company.
According to QNAP, updating the firmware on a compromised device will allow the built-in Malware Remover tool to quarantine the DeadBolt ransom message that has been known to hijack the login page.
QNAP further recommends that users contact QNAP Support if they are unable to locate the ransom note after upgrading the firmware and entering the DeadBolt decryption key.
However, before contacting QNAP customer service, consider restoring the DeadBolt page using the instructions on this support page.
Because other ransomware strains, such as Qlocker and eCh0raix, are targeting QNAP systems, all owners should keep their equipment up to date to protect their data from future assaults.
The ransomware DeadBolt
DeadBolt ransomware hijacks the device’s login page to display a screen claiming, “WARNING: Your files have been locked by DeadBolt,” as seen in prior attacks targeting QNAP NAS devices in late January and affecting hundreds of victims.
When DeadBolt is launched on a compromised NAS device, it encrypts files using AES-128 and appends a .deadbolt extension to their names.
It also overwrites the /home/httpd/index.html file, causing users to view the ransom message when attempting to access the encrypted device.
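The two indicators described above (files renamed with a .deadbolt extension and a login page carrying the ransom banner) can be checked with a short triage script. This is an added example, not code from QNAP or the original article; the function names are hypothetical, and it assumes the share is mounted and a copy of the device's index page is readable at the paths passed in.

```python
import os
import tempfile

# Indicators as described in the article; paths passed in are the caller's.
RANSOM_MARKER = "your files have been locked by deadbolt"
ENCRYPTED_SUFFIX = ".deadbolt"


def login_page_hijacked(index_path):
    """Return True if the page at index_path carries the DeadBolt banner."""
    try:
        with open(index_path, "r", encoding="utf-8", errors="replace") as fh:
            return RANSOM_MARKER in fh.read().lower()
    except OSError:
        return False  # a missing or unreadable page is not a positive hit


def triage(share_root, index_path):
    """Count .deadbolt files under share_root and check the login page."""
    encrypted, total, dirs = [], 0, set()
    for dirpath, _dirnames, filenames in os.walk(share_root):
        for name in filenames:
            total += 1
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                dirs.add(dirpath)
    return {
        "login_page_hijacked": login_page_hijacked(index_path),
        "encrypted_count": len(encrypted),
        "total_files": total,
        "affected_dirs": sorted(dirs),
    }


if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted NAS share.
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share", "photos")
        os.makedirs(share)
        for name in ("a.jpg.deadbolt", "b.jpg.deadbolt", "c.jpg"):
            open(os.path.join(share, name), "w").close()
        index = os.path.join(tmp, "index.html")
        with open(index, "w", encoding="utf-8") as fh:
            fh.write("<h1>WARNING: Your files have been locked by DeadBolt</h1>")
        print(triage(os.path.join(tmp, "share"), index))
```

Comparing encrypted_count with total_files gives a quick view of how far encryption progressed on a share before the device was taken offline.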
Once victims pay the ransom of 0.03 bitcoins, the threat actors create a bitcoin transaction to the same bitcoin address, with the decryption key placed in the OP_RETURN output.
Michael Gillespie, a ransomware expert, has produced a free Windows decryptor that can help decrypt files without utilizing the DeadBolt executable.
However, QNAP users who have been infected with this ransomware will still be required to pay the ransom to obtain a legitimate decryption key and restore their data.
In February, the DeadBolt ransomware targeted ASUSTOR NAS equipment, purportedly exploiting a zero-day vulnerability.