QNAP NAS devices across the globe have been hit by a widespread cyberattack after the DeadBolt ransomware group began to encrypt the network-attached storage devices. QNAP NAS users reported finding their files encrypted, sporting a .deadbolt file extension.
Users were confronted by a screen displaying a “WARNING: Your files have been locked by DeadBolt” message that added “You can make a payment of (exactly) 0.030000 bitcoin to the following address.”
The victims were given a decryption key to retrieve their files as part of a follow-up transaction, although there is no confirmation that paying the ransom will result in the successful decryption of files.
QNAP assured customers that they can access their admin page by navigating to http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. It also said that its Product Security Incident Response Team is conducting an investigation.
Users are being told to take their devices offline and place them behind a firewall until a fix has been found. Without access to the Internet, attacks against network-attached storage devices (or any devices connected to a network, for that matter) should be impossible.
DeadBolt is offering to share with QNAP details of the zero-day vulnerability that allowed the ransomware group to gain access to the devices, at a cost of 5 BTC. The vulnerability details together with the master decryption key will cost the company 50 BTC.
With no dedicated website or messaging service, the gang stated that the only way to make contact is through Bitcoin payments. However, the group promised to send the zero-day information to QNAP’s firstname.lastname@example.org email address.