DeadBolt Ransomware Re-Emerges to Hit QNAP Again!


A new, steady stream of attacks against network-attached storage devices from the Taiwan-based vendor resembles a wave that occurred in January.

DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March, signalling renewed targeting of the Taiwan-based vendor's network-attached storage (NAS) devices by the threat, researchers said.

Researchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear climb slowly starting March 16, with a total of 373 infections that day. That number rose to 1,146 devices by March 19, according to a blog post by Censys Senior Security Researcher Mark Ellzey.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="The current attacks go back">
The current attacks trace back to January, when QNAP had to push out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that greeted customers with the ransomware group's screen when they logged in, effectively locking them out of the device.

NAS Devices

The current attacks go back to Jan, when the company had to put out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that were greeting customers with the ransomware group’s screen when they logged in, effectively locking them out of the device.

The new wave of attacks largely follows the same pattern as January's, but the majority of the victims are running the QNAP QTS Linux kernel version 5.10.60, Ellzey said. That is a later version than the update (QTS 5.0.0.1891) pushed out to customers in January.

Different Versions

Also, “at this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it’s the original exploit targeting unpatched QNAP devices,” he acknowledged.

The new infections do not seem to be targeting a specific organisation or country; they seem to be evenly split between subscribers of various consumer internet service providers, Ellzey added.

QNAP Customers

The attacks behave the same way as the January attacks as far as what customers experience, and they demand the same ransom as previous DeadBolt attacks on QNAP devices, Ellzey explained.

“Except for the Bitcoin addresses used to send ransoms to, the attack remains the same: backup files are encrypted, the web administration interface is modified, and victims are greeted with ransom messages,” he wrote.

Bitcoin

The attackers are asking for 0.03 Bitcoin for a decryption key, which is about $1,223 at today's exchange rate. They are also asking for a ransom from QNAP itself: 5 Bitcoin, or $203,988, for information related to the vulnerabilities, and 50 Bitcoin, or about $2m, for a master key to unlock all affected victims, Ellzey explained.

QNAP is not the only company in the sights of DeadBolt, which first came to researchers' attention through the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting ASUSTOR ADM devices, according to Censys.

Attack Detection

Censys researchers spotted the latest wave of QNAP attacks thanks to the unusual way the current DeadBolt ransomware variant communicates with victims, according to the post.

“Instead of encrypting the entire device, which effectively takes the device offline (and out of the scope of Censys), the ransomware only targets specific backup directories for encryption, and vandalises the web-administration interface with an informational message explaining how to remove the infection,” Ellzey wrote.

Infected Devices

Using a simple search query, Censys “could easily find infected devices exposed on the public internet,” according to the post.

Along with general information about which hosts were infected with DeadBolt, the researchers also obtained and tracked every unique Bitcoin wallet address used as a ransom drop, Ellzey concluded.
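The two observations above, that an infected device's web-administration page is visibly altered and that each note carries a ransom wallet address, are what make this campaign detectable from the outside. As an added, defender-side illustration (not Censys' or QNAP's code), the script below triages a small inventory of NAS admin pages: it compares each page against a known-good SHA-256 fingerprint, looks for a ransom-note marker, and collects the unique Bitcoin addresses seen. The host names, page bodies, the marker string and the wallet address are all constructed placeholders; in practice the marker would be taken from a confirmed sample and the pages fetched from the devices an organisation actually owns.

```python
"""Defensive triage of NAS web-admin pages for DeadBolt-style vandalism.

Added example; not Censys' or QNAP's code. Every assumption is marked inline.
"""
import hashlib
import re
from dataclasses import dataclass

# Assumption: the vandalised admin page names the ransomware family. The article
# only says victims see a ransom message, so replace this with the exact string
# taken from a confirmed sample before relying on it.
RANSOM_MARKER = "DeadBolt"

# Legacy base58 addresses (start with 1 or 3) and bech32 addresses (bc1...).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


@dataclass(frozen=True)
class ScanResult:
    host: str
    page_changed: bool   # admin page no longer matches its known-good hash
    marker_found: bool   # ransom-note marker text is present
    wallets: tuple       # unique Bitcoin addresses found on the page

    @property
    def suspected_infected(self) -> bool:
        # A changed page alone could be a firmware update; require the marker,
        # or a changed page that also advertises a wallet.
        return self.marker_found or (self.page_changed and bool(self.wallets))


def page_fingerprint(body: str) -> str:
    """SHA-256 of the admin login page, recorded while the device is known clean."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def scan_page(host: str, body: str, known_good: str) -> ScanResult:
    """Classify one fetched admin page against its known-good fingerprint."""
    wallets = tuple(sorted(set(BTC_ADDRESS_RE.findall(body))))
    return ScanResult(
        host=host,
        page_changed=page_fingerprint(body) != known_good,
        marker_found=RANSOM_MARKER.lower() in body.lower(),
        wallets=wallets,
    )


def unique_wallets(results) -> set:
    """Every distinct ransom-drop address across all scanned hosts."""
    return {w for r in results for w in r.wallets}


# Constructed sample pages; not real captures. The wallet address is a
# placeholder that merely has the right shape.
CLEAN_PAGE = "<html><title>NAS Login</title><body><form>...</form></body></html>"
VANDALISED_PAGE = (
    "<html><title>Your files are locked</title><body>"
    "<p>Locked by DeadBolt. Send 0.03 BTC to 1FakeDeadBoXtWaXXetAddrForTesting</p>"
    "</body></html>"
)
KNOWN_GOOD = page_fingerprint(CLEAN_PAGE)

# Constructed inventory: host name -> page body fetched from that host.
INVENTORY = {
    "nas-01.example.internal": CLEAN_PAGE,
    "nas-02.example.internal": VANDALISED_PAGE,
    "nas-03.example.internal": VANDALISED_PAGE,
}


def scan_inventory(inventory=INVENTORY, known_good=KNOWN_GOOD):
    """Scan every host in the inventory and return the results in order."""
    return [scan_page(host, body, known_good) for host, body in inventory.items()]


if __name__ == "__main__":
    results = scan_inventory()
    for r in results:
        status = "SUSPECT" if r.suspected_infected else "ok"
        print(f"{r.host:28} {status:8} changed={r.page_changed} wallets={r.wallets}")
    print("unique ransom-drop addresses:", sorted(unique_wallets(results)))
```

The known-good fingerprint has to be captured from a device that is confirmed clean, and re-captured after every legitimate firmware update, otherwise every patched NAS shows up as changed; that is why the marker check, not the hash alone, decides whether a host is flagged.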
