QNAP NAS devices hit by DeadBolt and ech0raix ransomware

Taiwan-based QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) appliances of a new DeadBolt ransomware campaign.


There also appears to be a new ech0raix/QNAPCrypt campaign in progress, according to various sources, though QNAP is yet to comment on that.

NAS devices are ideal targets

NAS devices are mostly used by consumers and small-to-medium businesses to store, manage and share files and backups. This makes them a tempting target for criminals wielding ransomware and engaging in double extortion schemes.

Since NAS devices are often accessible remotely via the internet, criminals usually leverage software/firmware vulnerabilities or brute-force admin account passwords to gain access to them, pilfer and encrypt the files on them, then ask for a ransom to restore them. Sometimes they are compromised and equipped with cryptominers.

Attackers generally focus on hitting QNAP and Synology NAS devices, but those by other manufacturers (Western Digital, Seagate, Zyxel, etc.) are also occasionally targeted.

DeadBolt and ech0raix strike again

“QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x,” the company warned on Friday, and promised to provide further information as soon as possible.

QNAP advises all users to update the devices’ QTS or QuTS hero firmware to the latest version, but notes that those users who have been hit by DeadBolt to first take the screenshot of the ransom note to keep the bitcoin address and then upgrade to the latest firmware version.

The built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page, the company explained, and urged users to ask for help if they want to input a received decryption key and can’t find the ransom note after upgrading the firmware.

“DeadBolt offers two different payment schemes: either a victim pays for a decryption key, or the vendor pays for a decryption master key that would theoretically work to decrypt data for all victims. However, as of this writing, we have yet to find evidence that decryption via a master key is possible,” Trend Micro researchers noted earlier this month.

Another interesting this is that DeadBolt creators have automated the decryption key delivery process.

“[They] built a web UI that can decrypt victim data after ransom is paid and a decryption key is provided. The OP_RETURN field of the blockchain transaction automatically provides the decryption key to the victim once the ransomware payment is done. This is a unique process wherein victims do not need to contact the ransomware actors — in fact, there is no way of doing so,” Trend Micro explained.

Simultaneously, user reports and sample submissions on the ID Ransomware platform indicate that criminals using the ech0raix ransomware are again targeting QNAP NAS devices, Bleeping Computer reported, though the attack vector is still unknown.

Risk mitigation advice

As we wait for more information about the ech0raix campaign from QNAP, users should implement security recommendations previously provided by the company and, in general, consider implementing these best practices for enhancing NAS security.

“Out-of-date or unmaintained software is one the primary methods for compromising NAS devices today. This is especially true of third-party applications that can be installed from community stores or from the internet,” says Trend Micro.

“When installing such applications, it is recommended to be incredibly careful from the very beginning. It is also recommended that users stick to the applications that the NAS vendor has provided and verified, to only enable those currently being utilized, and remove those that are not in use.”

Don't miss