A prolific ransomware group targeting network-attached storage (NAS) devices this year monetizes its efforts by extorting both vendors and their end customers, according to a new report.
Group-IB’s study, Deadbolt ransomware: nothing but NASty, is based on its analysis of a sample of the malware, which first appeared at the start of the year.
In an ongoing campaign, it has targeted NAS devices from Taiwanese vendor QNAP belonging to SMBs, schools, individual home users and others, using zero-day vulnerabilities as the initial access vector.
Group-IB claimed the threat actors operate globally without discrimination, demanding between 0.03 and 0.05 bitcoin (less than $1000) from end users for a decryption key.
However, unusually for ransomware, the group also seeks to extort the NAS vendors themselves.
“For a ransom of 10 BTC ($192,000), the threat actors promised the NAS vendor, QNAP, that they would share all the technical details relating to the zero-day vulnerability that they manipulated, and for 50 BTC ($959,000) they offered to include the master key to decrypt the files belonging to the vendor’s clients who had fallen victim to the campaign,” the report explained.
It doesn’t appear that these efforts to extort QNAP have succeeded thus far. Meanwhile, a report from last month claimed that Deadbolt infections surged 674% between June and September.
A majority of these infections were found in the US, with 2472 hosts showing signs of Deadbolt, followed by Germany (1778), and Italy (1383).
However, there has been some success in the fight against Deadbolt. Last Friday, Dutch cyber police managed to obtain more than 150 decryption keys for the ransomware by tricking its operators.
The police paid in bitcoin, received the keys and then promptly withdrew their payment, leaving them with working decryption keys for 150 victims.
Unlike most ransomware variants today, Deadbolt does not steal data for double extortion purposes – nor do the operators interact with their victims. Once a payment is made to the group, the victim automatically receives the decryption key in the transaction details, Group-IB explained.