Deadbolt Ransomware Returns, Over 1,100 QNAP Devices Infected

Over 1,000 QNAP devices were infected with Deadbolt ransomware in the past week, according to security firm Censys.

In a blog post, Censys said the latest attacks “began with two new infections (a total of 373 infections) on March 16, and over three days, Censys observed 869 newly infected services.”

“By March 19, the number of services infected with Deadbolt had risen to 1,146!” Censys explained, adding that the only differences from the first set of attacks in January are the BTC addresses provided for the ransoms.

Image: Censys

The ransom messages are largely the same and still demand 0.03 BTC, or approximately $1,223, from victims. The group also still includes the same message addressed to QNAP, offering details of the vulnerabilities it used for 5 BTC (about $200,000), or a master key that unlocks all victims for 50 BTC (about $2 million).

According to Censys, the majority of the affected devices were identified as running QNAP QTS on Linux kernel version 5.10.60.

At least one Deadbolt-infected QNAP user has taken to Reddit to mourn the loss of 15 years of family photos and videos.

The new campaign exploits the same known vulnerability

Last week, Taiwan-based QNAP warned users of a local privilege escalation vulnerability, colloquially known as “dirty pipe”, affecting the Linux kernel on QNAP network-attached storage (NAS) devices running QTS 5.0.x and QuTS hero h5.0.x. QNAP said that if exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.

But in a statement to The Record, a QNAP spokesperson said Deadbolt ransomware is still targeting those who have not updated QTS or QuTS hero to the recommended version.

“QNAP PSIRT observed a small new DEADBOLT campaign at 3/18 TW. At this time, with the data we have, we tend to believe that the attack exploited the same known vulnerability,” the company said.

“Users are recommended to check the version of QTS and keep it updated. Regarding some NAS devices attacked by DEADBOLT, the root cause is that QTS is not up to date. This may be due to automatic update not being enabled, network/environmental condition, or other reasons. We urge all users to check their NAS and keep it up to date.”

Deadbolt ransomware emerged in January, infecting nearly 5,000 consumer and small business NAS devices running the QNAP QTS operating system.

The company first urged users to update to the latest version of QTS, the Linux-based operating system developed by the Taiwanese company to run on their devices.

But eventually, QNAP took more drastic measures, offering an automatic and forced update for all customer NAS devices to version, the latest universal firmware released on December 23, 2021.

Security company Emsisoft has released its own version of a Deadbolt decryptor after several victims reported having problems with the decryptor they received in exchange for paying a ransom. Some users even said that they never got a decryptor after paying the ransom, while others said that the decryptor malfunctioned.

Unfortunately, Emsisoft’s decryptor requires users to have already paid the ransom and received decryption keys from Deadbolt ransomware operators.

But at the time, Emsisoft CTO Fabian Wosar noted that QNAP users who were affected by Deadbolt and paid the ransom found it difficult to decrypt their data because the forced firmware update issued by QNAP “removed the payload required for decryption.” Last month, users of Asustor network-attached storage (NAS) devices also reported several Deadbolt attacks.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked in South Africa, Jordan and Cambodia.
