QNAP users still struggling with Deadbolt ransomware after forced firmware updates

Censys said about 4,000 devices are still infected with Deadbolt ransomware.
Written by Jonathan Greig, Contributor

QNAP Network Attached Storage (NAS) device users are still struggling to address a range of issues connected to the Deadbolt ransomware, which began infecting devices earlier this week

On Tuesday, QNAP NAS users flocked to Reddit and QNAP forums to report ransomware infections. Censys reported that of the 130,000 QNAP NAS devices, 4,988 services "exhibited the telltale signs of this specific piece of ransomware."

On Friday afternoon, Censys updated its report, telling ZDNet that overnight, the number of exposed and ransomware infected devices went down by 1,061 to 3,927. 


A map of the infected devices around the world. 


"Why this went down could be for any number of reasons, we're still investigating to see if we can pinpoint the reasoning behind this," a Censys spokesperson said, theorizing that the decrease could be attributed to a forced update from QNAP. 

On Wednesday, QNAP initially urged users to update to the latest version of QTS, the Linux based operating system developed by the Taiwanese company to run on their devices.

But MalwareBytes said QNAP pushed out an automatic, forced update with the firmware on Thursday containing the latest security updates.

"Later that day, QNAP took more drastic action and force-updated the firmware for all customers' NAS devices to version, the latest universal firmware which has been available since December 23, 2021," MalwareBytes explained.

"As you might expect after a forced update, a number of unexpected side-effects arose... The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update."

QNAP responded to the controversy over the forced update on Reddit. A company representative explained why they decided to force the update, noting that it had been urging users to update their systems since January 7.

"In QTS, there was a message in control panel/auto-update that 'QTS/QuTS hero will enable recommended version update soon to protect nas from Deadbolt.' But I think a lot of people did not see that message. We are trying to increase protection against Deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away," the company spokesperson said. 

The message drew several furious responses from people who said the forced update caused a number of downstream issues. Others said it was concerning the company had a backdoor into their systems, while some said the forced update did little to actually address the issues of people who had already been infected with Deadbolt. 

Even with the update, at least one user confirmed getting hit with Deadbolt while using build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer

Recorded Future ransomware expert Allan Liska said this kind of speciality ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month. 

"It is difficult to defend against because the device is controlled by the manufacturer. Unless you are a company with the resources to enable compensating controls, you are largely at the mercy of the vendor," Liska said. 

"For most IoT devices, this doesn't matter too much. If someone launches a ransomware attack against my lightbulbs, I can just reset and go on with my life. But when those IoT devices hold all of your data, it is a very different matter."

Decryptor issues

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned. 

Unfortunately, Emsisoft's decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators. 

On Monday, Emsisoft CTO Fabian Wosar said QNAP users who got hit by DeadBolt and paid the ransom are struggling to decrypt their data because of the forced firmware update issued by QNAP "removed the payload that is required for decryption." Wosar urged victims to use their tools instead.

"This will not get you around paying the ransom. Victims will still need to provide the key. It is merely an alternative decryption tool if you can't use the mechanism provided by the threat actors due to QNAP forcing a firmware update," Wosar said. 

Deadbolt's ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it "is not a personal attack." They offered to give QNAP a universal decryptor for 50 BTC.

Emsisoft's Brett Callow told ZDNet that the situation was similar to REvil's attack on Kaseya in that, in both cases, the threat actor asked for relatively small payments from individual victims as well as providing the company with an option to settle for a much larger sum on behalf of their affected customers. 

"The strategy makes sense as it increases the likelihood of the attack being monetized. Users who paid the demand experienced problems after QNAP's forced update reportedly removed the ransomware executable making decryption impossible. That's one of the reasons we released the decryptor," Callow said. 

Liska said ransomware groups are notorious for providing poor decryption software and noted that it is not uncommon for incident response teams to take the key given by the ransomware group and ignore the decryption code.

"The reason for Emsisoft to release a decryptor is to make sure victims have something they know will work once they get the key," Liska explained.

Liska also slammed the people behind the attack, questioning their insistence that the attack wasn't "personal."

"It is a personal attack. People often have their digital lives stored on these devices. Whether it is photos, work, the book they have been writing, or the program they have been developing, this stuff is important to them. And the attackers just took that away from them," Liska added. 

"The attacker can dress it up as 'poor vendor security' all they want, but it is just a sign they are shitty people that have no regard for their fellow human beings."

Editorial standards