DeadBolt Ransomware

DeadBolt Ransomware Description

A ransomware campaign run by a previously unknown group calling itself DeadBolt is targeting Network-Attached Storage (NAS) devices manufactured by QNAP. The attackers claim to have discovered a zero-day vulnerability in the devices and to be exploiting it to deliver the ransomware. The attacks were first reported on January 25, 2022, when affected users found that files stored on their QNAP devices had become inaccessible and had '.deadbolt' appended to their names as a new file extension (the original name, including its extension, is kept in front of the new suffix).

Instead of dropping text files with a ransom note onto the compromised device, the DeadBolt operators deliver their instructions differently: they hijack the QNAP device's login page and replace it with a screen carrying the ransom demand. The ransom is set at 0.03 BTC (Bitcoin), roughly $1,100 at the exchange rate at the time. Another peculiarity of the DeadBolt group is how communication with victims is meant to take place. Unlike most ransomware operators, who rely on an email address or a dedicated Tor site as the communication channel, DeadBolt exchanges information solely through Bitcoin transactions made to the unique wallet address assigned to each victim. After transferring the ransom to that address, the victim is expected to wait for the attackers to send a transaction of their own; the details of that transaction are supposed to carry the decryption key, which is then entered into the login screen of the compromised device to unlock the affected files. As with any ransomware, payment is no guarantee that a working key will follow.
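The two observable indicators described above, the appended '.deadbolt' suffix and the replaced login page, are enough to build a small offline triage tool. The following is an added example written for this page, not code from QNAP, DeadBolt, or the original article. It walks a share, lists every encrypted file together with the original name recovered by stripping the suffix (useful because the original extension is preserved, so you can see which file types were hit), and applies a simple heuristic to a saved copy of the login page. The sample share and sample page are constructed for the demonstration, and the ransom-page markers (`RANSOM_PAGE_MARKERS`) are an assumption to be tuned to what the device actually shows.

```python
"""Offline triage helper for a suspected DeadBolt infection (added example).

Works from two indicators: encrypted files get '.deadbolt' appended to their
full original name, and the NAS login page is replaced by the ransom screen.
Sample files and page content are constructed here; the ransom-page markers
are an assumption, not text taken from the real ransom page.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".deadbolt"

# Assumed markers for the hijacked login screen; the exact wording of the
# real page is not given in the article, so adjust these to what you observe.
RANSOM_PAGE_MARKERS = ("deadbolt", "0.03 btc")


def find_encrypted_files(root):
    """Walk `root` and return sorted (encrypted_path, original_name) pairs.

    The suffix is appended rather than substituted, so stripping it recovers
    the original filename, e.g. 'photo.jpg.deadbolt' -> 'photo.jpg'.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                path = Path(dirpath) / name
                hits.append((path, name[: -len(ENCRYPTED_SUFFIX)]))
    return sorted(hits)


def looks_like_ransom_page(html):
    """Heuristic: the login page has been replaced if every marker appears."""
    text = html.lower()
    return all(marker in text for marker in RANSOM_PAGE_MARKERS)


def summarize(root, login_page_html):
    """Count encrypted files by their original extension and flag the page."""
    encrypted = find_encrypted_files(root)
    by_ext = {}
    for _path, original in encrypted:
        ext = Path(original).suffix.lower() or "(none)"
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": by_ext,
        "login_page_hijacked": looks_like_ransom_page(login_page_html),
    }


def build_sample_share():
    """Constructed sample: a share with two encrypted files and one untouched."""
    root = Path(tempfile.mkdtemp(prefix="nas_share_"))
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg.deadbolt").write_bytes(b"\x00" * 16)
    (root / "backup.tar.gz.deadbolt").write_bytes(b"\x00" * 16)
    (root / "README.txt").write_text("not encrypted")
    return root


# Constructed stand-in for the hijacked login page (not the real ransom HTML).
SAMPLE_LOGIN_PAGE = """<html><body>
<h1>ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT</h1>
<p>Send 0.03 BTC to the address below ...</p>
</body></html>"""


if __name__ == "__main__":
    share = build_sample_share()
    for path, original in find_encrypted_files(share):
        print(f"{path}  (original: {original})")
    print(summarize(share, SAMPLE_LOGIN_PAGE))
```

Run it against a mounted copy of the affected share rather than the live device, and save the page returned by the NAS's normal login URL to a file before feeding it to `looks_like_ransom_page`; keep that saved copy, since the ransom screen is where a recovered key would have to be entered.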

DeadBolt also makes offers to QNAP directly. For 5 BTC, the cybercriminals are willing to share details of the zero-day vulnerability with the company. If QNAP pays 50 BTC (around $1.85 million), the hackers will also provide a master decryption key that they claim can unlock the files of all affected users.

QNAP has stated that it is investigating the attack. In the meantime, the company has provided a way for users to bypass DeadBolt's login screen and restore access to the admin page via the URLs http://nas_ip:8080/cgi-bin/index.cgi and https://nas_ip/cgi-bin/index.cgi (with nas_ip replaced by the device's address). Note that this only restores administrative access; it does not decrypt the affected files. Users are strongly encouraged to disconnect their devices from the Internet, since a management interface reachable from the outside is what makes such devices a target in the first place, and to enable firewall protection. QNAP has also published a page with steps users can take to protect their data and NAS devices.