DeadBolt is hitting QNAP NAS devices via zero-day bug, what to do?

A few days ago – and smack in the middle of the weekend preceding Labor Day (as celebrated in the U.S.) – Taiwan-based QNAP Systems has warned about the latest round of DeadBolt ransomware attacks targeting users of its QNAP network-attached storage (NAS) devices.

“QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure,” the company said in a security advisory.

Protect your QNAP NAS device

QNAS did not share any details about the exploited zero-day vulnerability and they have yet to assign a CVE number to it.

We only know that it affects the Photo Station application, which is used for managing and sharing photos stored on QNAP NAS devices, and can be exploited remotely on internet-connected devices.

“QNAP Product Security Incident Response Team (QNAP PSIRT) had made the assessment and released the patched Photo Station app for the current version within 12 hours,” the company said, and urged users to:

• Update Photo Station to the latest available version or switch to using QuMagie, a similar app for managing photo storage
• Remove their QNAP NAS from the internet

“We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. This can effectively harden the NAS and decrease the chance of being attacked,” QNAP added.

Additional recommendations for improving the security of one’s QNAP NAS devices have been provided in the advisory and on QNAP’s Product Security page.

NAS devices under attack

Checkmate, Ech0raix, QSnatch, AgeLocker… DeadBolt is just one of the ransomware variants targeting QNAP (and other maufacturers’) NAS devices.

NAS devices are most often used by consumers and small-to-medium businesses to store, manage and share files and backups. Unfortunately, the fact that they are often left exposed to the internet makes them a juicy target for ransomware gangs.

What can users do if their files have been encrypted by DeadBolt?

Not much, really: either pay the ransom and hope to get a working decryption key, or resign themselves to never be able to open those files again.

In previous instances of DeadBolt infections, QNAP advised users to first take the screenshot of the ransom note to keep the bitcoin address and then upgrade to the latest firmware version. Such action has previously made the DeadBolt’s decryption mechanism stop working, but security firm Emsisoft created a DeadBolt decryptor so that users are not left hanging.

The interesting thing about the gang behind the DeadBolt malware is that they try to extort both the victims and QNAP. The former are asked to pay a smaller sum to get the decryption key, while the latter is given two options: pay to get the details about the zero-day vulnerability and/or pay to receive “a universal decryption master key (and instructions) that can be used to unlock all your clients their files.”

But Trend Micro researchers said earier this year that the second option wouldn’t work.

“Consider this example to understand this particular DeadBolt tactic: A crime group changes every lock in an entire apartment complex. The group then informs the apartment complex owner that they can give the apartment complex owner a master key that would allow the owner to successfully unlock all the apartment doors for his tenants if he pays them a certain amount. But in reality, the locks that the crime group installed are not master-keyed locks, making it impossible for the apartment complex owner to open the locks with one master key,” they noted.

We’ve asked QNAP for more information they might have about this particular campaign, and we’ll update this article if they decide to share.

UPDATE (September 6, 2022, 02:10 p.m. ET):

A QNAP representative has confirmed for Help Net Security that, despite what some users may have said, the security update does not decrypt files (or remove the ransomware).

They also said that users whose files have been encrypted by the ransomware should contact the company’s Technical Support for assistence and that, in addition to investigating, they also try to rescue the data for users. “In very rare cases, the data can be recovered, but [data recovery] is not guaranteed,” they added.