
DeadBolt affects QNAP NAS devices with a zero-day error, what to do?


A few days ago – in the middle of the Labor Day weekend (as marked in the US) – Taiwanese company QNAP Systems warned of the latest round of DeadBolt ransomware attacks targeting users of its QNAP network-attached storage (NAS) devices.

“QNAP detected a new DeadBolt ransomware campaign on the morning of September 3, 2022 (GMT+8). The company appears to be targeting QNAP NAS devices that run Photo Station and connect to the internet,” the company’s security advisory said.

Protect your QNAP NAS device

QNAP has not shared details about the exploited zero-day vulnerability, and it has not yet assigned it a CVE number.

We only know that it affects the Photo Station app, which is used to manage and share photos stored on QNAP NAS devices and can be used remotely on devices connected to the Internet.

“The QNAP Product Security Incident Response Team (QNAP PSIRT) evaluated and released a patched Photo Station app for the current version within 12 hours,” the company said, and urged users to:

  • Update Photo Station to the latest available version or switch to QuMagie, a similar photo storage management program
  • Remove their QNAP NAS from the Internet

“We recommend that users use the myQNAPcloud Link function provided by QNAP or enable VPN service. It can effectively harden the NAS and reduce the chance of an attack,” added QNAP.

Additional recommendations for improving the security of your own QNAP NAS devices have been provided in the advisory and on the QNAP Product safety page.

Attacked NAS devices

Matt, Ech0raix, QSnatch, AgeLocker… DeadBolt is just one of the ransomware variants targeting NAS devices from QNAP (and other manufacturers).

NAS devices are most commonly used by consumers and small and medium-sized businesses to store, manage, and share files and backups. Unfortunately, the fact that they often remain open to the internet makes them a hot target for ransomware groups.

What can users do if their files have been encrypted by DeadBolt?

Not much, really: either pay the ransom and hope you get a working decryption key, or accept the fact that you’ll never be able to open those files again.

In previous cases of DeadBolt infection, QNAP advised users to first take a screenshot of the ransom message to save the Bitcoin address, and then update the firmware to the latest version. Doing this used to make DeadBolt’s decryption engine stop working, but security firm Emsisoft created a DeadBolt decryptor so that users are not left hanging.

The interesting thing about the gang behind the DeadBolt malware is that they try to extort both victims and QNAP. The former are asked to pay a smaller amount for the decryption key, while the latter is given two options: pay to get details about the zero-day vulnerability and/or pay to get “a universal master decryption key (and instructions) that can be used to unlock all your customers’ files.”

But Trend Micro researchers said earlier this year that the second option would not work.

“Consider this example to understand this particular DeadBolt tactic: A criminal group changes every lock in an entire apartment complex. The group then informs the owner of the apartment complex that they can give the owner of the apartment complex a master key that will allow the owner to successfully unlock all the apartment doors for his tenants if he pays them a certain amount. But in reality, the locks installed by the criminal group are not pickaxes, which makes it impossible for the owners of the residential complex to open the locks with one pickaxe,” they said.

We’ve asked QNAP for more information on this particular campaign, and we’ll update this article if they decide to share.
