DeadBolt ransomware dares another attack on QNAP storage • The Register

QNAP is warning users of another wave of DeadBolt ransomware attacks on its network-attached storage (NAS) devices – and urging customers to update their devices’ QTS or QuTS Hero operating systems to the latest versions.

The latest outbreak — detailed in a Friday advisory — is at least the DeadBolt gang’s fourth campaign against the provider’s users this year. According to QNAP officials, this particular pass encrypts files on NAS devices running outdated versions of the Linux-based QTS 4.x, which are believed to contain an exploitable vulnerability.

The previous attacks occurred in January, March and May.

Taiwan-based QNAP recommended that companies whose NAS system “has already been compromised take a screenshot of the ransom note to keep the Bitcoin address, then upgrade to the latest firmware version; the built-in Malware Remover application will automatically quarantine the ransom note, which hijacks the login page.”

They should contact QNAP Help if they want to enter a decryption key provided by the attackers but cannot find the ransom note after updating the firmware.

The cyber criminals behind DeadBolt mainly target NAS devices. QNAP systems are the main targets, although the group attacked NAS devices owned by Asustor, a subsidiary of system maker Asus, in February, analysts at cybersecurity firm Trend Micro said.

QNAP and its customers are examples of growing cybercriminal interest in NAS, Trend Micro wrote in a January report. Organizations rely more on the Internet of Things (IoT) for constant connectivity, workflow continuity and access to data, analysts say.

“Cyber criminals have taken note of this dependency and are now regularly updating their known tools and routines to include NAS (network-attached storage) devices in their target list, knowing full well that users rely on these devices to store and secure files in both modern homes and businesses,” they wrote. “More importantly, cybercriminals are aware that these devices contain valuable information and have minimal security measures.”

Of the 778 known exploited vulnerabilities listed by the US government’s Cybersecurity and Infrastructure Security Agency, eight relate to NAS devices and ten to QNAP.

The lowest hanging fruit

Bud Broomhead, CEO of cybersecurity provider Viakoo, told The Register that NAS drives from QNAP and other vendors are often managed outside of a company’s IT teams, making them attractive targets.

Criminals target NAS drives for a number of reasons, including that they are often not properly set up for security or managed by IT – so security patches are typically applied slowly – and that they are essentially invisible to corporate IT and security teams, so they are not scrutinized and nobody notices when they are no longer compliant.

“QNAP devices are very attractive to cybercriminals whose strategy is to solicit a large number of victims for a small amount of money versus a few victims who are asked for large amounts,” Broomhead said, adding that the small amount ransomed “is at a level that many device operators will pay instead of involving their IT or security teams.”

Furthermore, “ransomware is gradually shifting towards data theft as the cybercriminals can profit from both the ransom payment and selling the data,” he said.

“Any NAS device is a big target for ransomware because it’s used to store a significant amount of business-critical data,” Scott Bledsoe, CEO of encryption provider Theon Technology, told The Register. “Given the large number of QNAP NAS devices currently deployed, DeadBolt ransomware can be used to target a variety of organizations for the attackers to monetize.”

Censys, an attack surface management firm, said that in January’s attack, 4,988 of roughly 130,000 QNAP NAS devices reachable online showed signs of DeadBolt infection, and that the number reached 1,146 in March. Analysts at Trend Micro said in a report earlier this month that the number of devices infected with DeadBolt appears to be high.

DeadBolt differs from other NAS-focused ransomware not only in the number of victims it targets, but also in some of its techniques, including offering multiple payment options – one for the user to recover their encrypted documents and two for QNAP. That means the manufacturer could theoretically pay the ransom to unlock people’s files with a master key, even though the code and encryption method make it clear that such a key wouldn’t work anyway.

“Based on our analysis, we found no evidence that it’s possible for the options offered to the vendor to work due to the way the files were encrypted,” Trend said, adding that the attackers used AES-128 to encrypt the data.

“Essentially, this means that if vendors pay any of the ransom amounts provided to them, they cannot obtain a master key to unlock all files on behalf of affected users.”

DeadBolt attackers require individual victims to pay 0.03 bitcoin, or about $1,160, for a key to decrypt their files. Vendors are given two options, one for information about the exploit used to infect the devices and another for the impractical master key mentioned above. The ransom for the exploit info starts at five bitcoins, or about $193,000. The master decryption key costs 50 bitcoins, or more than $1 million.

Another unusual feature is how the DeadBolt slingers take payment. Most ransomware families involve complex steps that victims must take to get their data back. However, DeadBolt has a web UI that can decrypt the data once the ransom is paid. The blockchain transaction automatically sends the decryption key to the victim after payment.

“This is a unique process that doesn’t require victims to contact ransomware actors,” the Trend Micro team wrote. “In fact, there is no way to do that.”

DeadBolt’s highly automated approach is something other ransomware gangs can learn from, they wrote.

“A lot of attention is paid to ransomware families that focus on big game hunting and one-off payments, but it’s also important to keep in mind that ransomware families that focus on spray-and-pray attacks like DeadBolt can still do a lot of harm to end users and vendors,” the team said.

To protect themselves, companies need to keep NAS devices up to date and, at the very least, disconnect them from the public internet – if a device needs to be accessible remotely, use a secure VPN – use strong passwords and two-factor authentication, secure connections and ports, and shut down unused and obsolete services. ®
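The checklist above is easy to state and easy to lose track of across a fleet of boxes nobody in IT owns. The following Python audit is an added example, not code from QNAP, Trend Micro or The Register: it takes a constructed inventory of NAS records (the record fields, the dotted firmware version format, the minimum firmware threshold and the list of legacy services are all assumptions) and reports which of the article’s hardening items each device fails, treating VPN-only remote access as acceptable exposure.

```python
import re
from dataclasses import dataclass, field

# Assumed minimum firmware line for the audit. A real check would take this
# from the vendor's current release list, which the article does not give.
MIN_FIRMWARE = (5, 0, 0)

# Services a NAS rarely needs reachable; assumed list, not from the article.
LEGACY_SERVICES = {"telnet", "ftp", "smb1", "upnp"}


@dataclass
class NasDevice:
    host: str
    firmware: str           # dotted version such as "4.3.6.2050" (format assumed)
    wan_exposed: bool       # reachable from the public internet
    vpn_only: bool          # remote access only through a VPN
    mfa_enabled: bool       # two-factor authentication turned on
    weak_password: bool     # e.g. default or dictionary admin password
    services: set = field(default_factory=set)


def parse_version(text):
    """Turn '4.3.6.2050' or 'QTS 5.0.1.2145 build 20220903' into (5, 0, 1, 2145).
    Returns None when no dotted version is present, which the audit treats as
    'unknown, assume outdated'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(0).split("."))


def audit(dev):
    """Return the checklist items a device fails, in a fixed order."""
    findings = []
    ver = parse_version(dev.firmware)
    if ver is None or ver < MIN_FIRMWARE:      # tuple comparison is lexicographic
        findings.append("outdated-firmware")
    if dev.wan_exposed and not dev.vpn_only:   # direct internet exposure, no VPN
        findings.append("exposed-to-internet")
    if dev.weak_password:
        findings.append("weak-password")
    if not dev.mfa_enabled:
        findings.append("no-2fa")
    legacy = sorted(LEGACY_SERVICES & {s.lower() for s in dev.services})
    if legacy:
        findings.append("legacy-services:" + ",".join(legacy))
    return findings


def audit_fleet(devices):
    """Map host -> findings for every device that fails at least one item."""
    report = {}
    for dev in devices:
        findings = audit(dev)
        if findings:
            report[dev.host] = findings
    return report


# Constructed sample inventory; hostnames and settings are invented.
SAMPLE_FLEET = [
    NasDevice("nas-finance", "QTS 4.3.6.2050", wan_exposed=True, vpn_only=False,
              mfa_enabled=False, weak_password=True, services={"SMB1", "FTP", "HTTPS"}),
    NasDevice("nas-lab", "5.0.1.2145", wan_exposed=True, vpn_only=True,
              mfa_enabled=True, weak_password=False, services={"HTTPS"}),
    NasDevice("nas-backup", "unknown", wan_exposed=False, vpn_only=False,
              mfa_enabled=True, weak_password=False, services={"SSH", "UPnP"}),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        print(host, "->", ", ".join(findings))
```

Run as a script it lists only the two failing hosts; `nas-lab` is exposed but VPN-only, patched and using 2FA, so it produces no findings. An unparseable firmware string is deliberately counted as outdated rather than skipped, since a device whose version the inventory cannot read is exactly the kind the article describes as unmanaged.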
