QNAP urges users to update after new Deadbolt ransomware attacks discovered

Data-storage hardware vendor QNAP urged users Thursday to immediately patch network attached storage (NAS) devices after several were infected recently with the Deadbolt ransomware. 

QNAP said its Product Security Incident Response Team found that the new attacks “targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series.” QTS is software that allows NAS users to manage the devices, share files and perform other tasks.

“QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet,” QNAP said.

There has been significant debate among QNAP NAS users about whether even updated versions of the system are still vulnerable to the ransomware, which emerged in January. It is unclear where members of the Deadbolt ransomware group are based.

A spokesperson for QNAP told The Record that the infected devices seem to be limited to QTS versions 4.3.3 to 4.4.1.

“We recommend users update their QTS up-to-date so that the risk could be much lower,” the spokesperson said.

The company declined to answer questions about how many infections were recently discovered but said they have not seen any Deadbolt infections involving systems that were updated. 

The spokesperson added that some users may lose their ransom note after rebooting their NAS devices.

"We advise users to take the screenshot before they wanted to reboot or upgrade their NAS," the spokesperson said.

In January, dozens of people turned to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files.

Other companies' devices also have been attacked: Users of Asustor's NAS hardware were also warned in February of potential Deadbolt ransomware infections after dozens of people took to Reddit and other message boards to complain of attacks. 

Bitcoin requests and decryption keys

Security company Censys reported that of the total 130,000 QNAP NAS devices sold, 4,988 services "exhibited the telltale signs of this specific piece of ransomware."

The Taiwanese NAS giant initially urged users to disconnect their instances from the internet and update their systems.

Previously, the ransom note demanded 0.03 bitcoin for the decryption key and said, "You have been targeted because of the inadequate security provided by your vendor (QNAP)." At least one user on Reddit reported paying the ransom and not getting the decryption key. 

The group also sent out a message directly to QNAP in January claiming all affected customers were "targeted using a zero-day vulnerability.” 

“We offer you two options to mitigate this (and future) damage," the group said, demanding a payment of 5 bitcoin in exchange for details about the alleged zero day used to launch the attack, or 50 bitcoin for a universal decryption master key and information about the zero day. 

"There is no way to contact us. These are our only offers," the January message reportedly said. 

Censys managed to track the Bitcoin wallet transactions associated with an infection and figured out that of the previous batch of victims, 132 paid ransoms totaling about $188,000. The company also created a dashboard to track the number of victims around the world.


The Censys map as of May 23.

Most of the most recent infections are taking place in the United States, Germany and the United Kingdom.

QNAP faced some backlash from its users after eventually releasing a forced firmware update that caused a range of issues for those considering paying the ransom. 

Others said it was concerning that the company had a backdoor into its systems, while some said the forced update did little to actually address the issues of people who had already been infected with Deadbolt. 

Even with the QTS update, at least one user confirmed getting hit with Deadbolt while using build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the one they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned. 

Emsisoft's decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators.

Emsisoft CTO Fabian Wosar said QNAP users who got hit by Deadbolt and paid the ransom are struggling to decrypt their data because of the forced firmware update issued by QNAP "removed the payload that is required for decryption." Wosar urged victims to use their tools instead.

"This will not get you around paying the ransom. Victims will still need to provide the key. It is merely an alternative decryption tool if you can't use the mechanism provided by the threat actors due to QNAP forcing a firmware update," Wosar said. 

After a brief respite, Censys said more than 1,000 QNAP devices were infected with the Deadbolt ransomware in March

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Record that QNAP NAS devices have been a frequent target of ransomware groups, including by the QLocker and ech0raix ransomware.

"Much of this activity surrounds the use of Universal Plug and Play (UPnP) protocol, which allows apps and other devices on your network to open and close ports automatically to connect with each other. UPnP is used for a variety of purposes, including gaming and streaming content, with the protocol allowing convenience of quickly connecting devices to a network, but at a security cost," Morgan explained.

"QNAP have clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled. Port forwarding, which also assists users in direct communication requests, should also be disabled. Other sensible steps for this attack -- and other similar ransomware variants -- can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates."

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.