QNAP warns NAS users of DeadBolt ransomware, urges customers to update

QNAP released a warning this week about a ransomware strain targeting all NAS instances exposed to the internet.
Written by Jonathan Greig, Contributor

Taiwanese network-attached storage giant QNAP urged its customers to update their systems this week after the DeadBolt ransomware was discovered targeting all NAS instances exposed to the internet.

"QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version," the company said in a statement. 

Attached to the statement is a detailed guide for customers, noting that if you go to the Security Counselor on your QNAP NAS and see "The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP" on the dashboard, you are at high risk. 

"If your NAS is exposed to the Internet, please follow the instructions below to ensure NAS security: Go to the management interface of your router, check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 443 by default)," the company said. 

"Go to myQNAPcloud on the QTS menu, click 'Auto Router Configuration', and unselect 'Enable UPnP Port forwarding'."

Two days ago, dozens of people took to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files. Even an MIT professor was hit. 

One user on Reddit said they were saved because they had a folder titled "Absolutely Worthless" at the top of their directory full of data. The ransomware started with that folder, giving them time to pull the plug before it encrypted anything of value. 

The ransom note demands 0.03 BTC for the decryption key and says, "You have been targeted because of the inadequate security provided by your vendor (QNAP)." At least one user on Reddit reported paying the ransom and not receiving the decryption key.

QNAP message board

On the QNAP message board, someone shared a message from the Deadbolt ransomware group that was allegedly sent to QNAP. 

"All you affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage," the group said.  

The group demanded a Bitcoin payment of 5 BTC in exchange for details about an alleged zero day used to launch the attack or 50 BTC for a universal decryption master key and information about the zero day. 

"There is no way to contact us. These are our only offers," the alleged message says. 

QNAP did not respond to requests for comment about whether a zero day was used during the attack. 

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said QNAP NAS devices have been a frequent target of ransomware groups, including the QLocker ransomware in April 2021 and January 2021, as well as the ech0raix ransomware in December 2020. QNAP has also been hit by malware in the past.

"The latest activity -- which has been attributed to the Deadbolt ransomware -- is reportedly unsophisticated and relies on targeting unpatched devices. Mitigation for this attack -- and other similar ransomware variants -- can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates," Morgan explained. 

Vulcan Cyber's Mike Parkin questioned why an organization would have a NAS system exposed on the internet in the first place, noting that while there may be some business cases for making mass storage available to outsiders, there is no reason to have administrative functions available through an unencrypted, unauthenticated connection.

"Cases like this highlight how important it is to be sure systems are deployed and maintained to industry best practices. Network scanning and vulnerability management tools can work together to identify risky configurations after the fact, but it's always best to make sure systems are deployed securely in the first place," Parkin said. 
