QNAP Warns NAS Users About New DeadBolt Ransomware Campaign


QNAP has published an advisory about a new stream of DeadBolt ransomware attacks targeting its network-attached storage (NAS) devices worldwide. The company advises customers to immediately update their devices to the latest versions of the QTS or QuTS hero operating systems.

The latest DeadBolt ransomware campaign follows the previous attacks reported back in January, March, and May this year. The recent wave of DeadBolt attacks uses AES128 to encrypt files on NAS devices running the QNAP QTS Linux kernel version 4.x. Once the files are encrypted, the attackers demand that each individual victim pay 0.03 bitcoin for a decryption key.

Meanwhile, the DeadBolt ransomware gang offers multiple payment options for vendors. A vendor must pay a ransom of five bitcoins to get details about the exploit used to target the NAS device. Additionally, vendors can access the master decryption key for 50 bitcoins.

“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” QNAP explained in its security advisory.

According to QNAP, some customers might be unable to find the ransom note in order to input the decryption key shared by the threat actors. The company encourages users to contact its support team for technical assistance.

QNAP asks users to update their NAS devices

The company didn’t mention which ransomware groups were involved in the ongoing attacks. However, a Trend Micro report published in January suggests that cybercriminals have become increasingly interested in NAS devices over the past few years.

QNAP urges IT admins to keep their NAS updated or block internet access to protect their organizations. Alternatively, customers can prevent malware infections by using modern authentication mechanisms, such as strong passwords and two-factor authentication. It is also recommended to secure connections and ports exposed to the internet.