Deadbolt ransomware returns, 1,100+ QNAP devices infected

More than 1,000 QNAP devices have been infected with the Deadbolt ransomware in the last week, according to security company Censys.

In a blog post, Censys said the latest attacks “began with two new infections (a total of 373 infections) on March 16th, and over the course of three days, Censys observed 869 newly infected services.”

“By March 19th, the number of Deadbolt-infected services had risen to 1,146!” Censys explained, adding that the only differences from the first round of attacks in January are the BTC addresses provided for ransoms.

2022-03-Screen-Shot-2022-03-22-at-10.29.04-AM-1024x339.png

Image: Censys

The ransom messages are largely the same and still ask for 0.03 BTC, or about $1,223, from victims. The group is also still sharing its same message to QNAP, offering information on the vulnerabilities they used for 5 BTC (about $200,000) or 50 BTC (about $2 million) for a master key that unlocks all of the affected victims. 

A majority of the affected devices were identified running the QNAP QTS Linux kernel version 5.10.60, according to Censys.

At least one QNAP user infected with Deadbolt took to Reddit to lament about the loss of 15 years worth of family photos and videos.

New campaign exploits same known vulnerability

Last week, Taiwan-based QNAP warned users about a local privilege escalation vulnerability, known colloquially as "dirty pipe," that was reported to affect the Linux kernel on QNAP network-attached storage (NAS) devices running QTS 5.0.x and QuTS hero h5.0.x. QNAP said that if exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.

But in a statement to The Record, a QNAP spokesperson said the Deadbolt ransomware was still targeting those who did not update the QTS or QuTS hero to the recommended version.

“QNAP PSIRT have observed a small new campaign of DEADBOLT at 3/18 TW time. At this moment, with the data we have, we tend to think that the attack exploited the same known vulnerability,” the spokesperson said. 

“It is recommended for users checking the QTS version and keeping it up-to-date. Regarding some NAS devices attacked by DEADBOLT, the root cause is QTS not up to date. It could be caused by not enabling Auto Update, the networking/environment condition or other reasons. We urge all users to check their NAS and keep them up-to-date.”

The Deadbolt ransomware emerged in January, infecting nearly 5,000 NAS devices for consumers and small businesses running the QNAP QTS operating system.

The company first urged users to update to the latest version of QTS, the Linux based operating system developed by the Taiwanese company to run on their devices.

But eventually QNAP took more drastic actions, pushing out an automatic, forced update for all customers' NAS devices to version 5.0.0.1891, the latest universal firmware that was released on December 23, 2021.

Security company Emsisoft released its own version of a Deadbolt decryptor after several victims reported having issues with the decryptor they received in exchange for paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned.

Unfortunately, Emsisoft's decryptor requires users to have already paid the ransom and received the decryption keys from the operators of the Deadbolt ransomware.

But at the time, Emsisoft CTO Fabian Wosar said QNAP users who got hit by Deadbolt and paid the ransom struggled to decrypt their data because the forced firmware update issued by QNAP "removed the payload that is required for decryption." Last month, users of Asustor Network Attached Storage (NAS) devices also reported several Deadbolt attacks.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.