QNAP: Act Now to Mitigate DeadBolt Ransomware

A leading maker of network-attached storage (NAS) devices is urging customers to upgrade to the latest software version and reconfigure their systems in order to thwart a new ransomware campaign.

Taiwan vendor QNAP released a statement yesterday in response to the mounting threat from a new variant known as “DeadBolt.”

It advised customers to ensure their devices are not exposed to the internet, by opening the Security Counselor and checking if the dashboard displays the following message: “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”

If it does, organizations should check the Virtual Server, NAT or port forwarding settings, and disable the port forwarding setting of the NAS management service port – which, by default, means port 8080 and 443.

Next, they should disable UPnP by going to “myQNAPcloud” on the QTS menu, clicking “Auto Router Configuration,” and de-selecting “Enable UPnP port forwarding,” the vendor explained.

“DeadBolt has been widely targeting all NAS exposed to the internet without any protection and encrypting users’ data for Bitcoin ransom,” it warned.

“QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.”

The threat actors behind DeadBolt are purportedly claiming to leverage a zero-day exploit in their attacks, which would presumably work even on updated QTS versions. However, disconnecting from the internet would keep organizations safe.

“Organizations right now should have critical insight into the use of SSH and Telnet into their QNAP devices as well as connections on port 8080 and 443 emanating from their QNAPs and historic levels of UPnP traffic,” advised Armis cyber risk officer, Andy Norton.

“There are threads surfacing on some of the support forums, where the decryption key did not work after payment, but it is also possible to remove DeadBolt using other utilities on the QNAP device.”

A report out yesterday warned that vulnerability exploits are an increasingly popular initial access vector for ransomware gangs, with the number of bugs associated with such attacks jumping 29% year-on-year in 2021.

This is far from the first time QNAP customers have been targeted by ransomware. Over the past year, AgeLocker and eCh0raix variants prompted warnings from the vendor.

What’s Hot on Infosecurity Magazine?