QNAP, a Taiwanese manufacturer of network-attached storage (NAS) devices, has issued a warning to all customers to ensure they are running the latest software and to reconfigure their systems to improve resilience to ransomware attacks.
A campaign has been identified involving a new ransomware variant called Deadbolt, which is being used in attacks on QNAP NAS devices that are exposed to the Internet. The campaign has only recently started, but several users of QNAP NAS devices have reported being attacked in the past few days.
After gaining access to vulnerable NAS devices, the attackers encrypt files to prevent access and demand a ransom payment in Bitcoin. The ransom note is displayed on the device’s login page and encrypted files are given the .deadbolt extension. Victims are told they need to pay a 0.03 BTC payment (around $1,300) to obtain the key to decrypt their files.
The attackers claim to be exploiting a zero-day vulnerability in QNAP NAS devices, although that has not yet been verified, and are purportedly offering information on the zero-day vulnerability for 5 BTC (around $183,460). It is also unclear whether the attackers are able to provide valid keys to decrypt infected devices. Some victims claim to have paid the ransom but were provided with decryption keys that did not work.
In the QNAP alert, all users of NAS devices and routers have been advised to ensure they are running the latest version of the software, and to ensure their NAS devices are not exposed to the Internet. If the attackers are exploiting a zero-day vulnerability, updating to the latest software version is unlikely to prevent attacks; however, it is possible to prevent attacks by ensuring the devices are not exposed to the Internet.
Users can check to see if the devices are exposed to the Internet by opening the Security Counselor. If the devices are exposed to the Internet the dashboard will display the message, “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”
If the message is displayed, administrators should disable the port forwarding function of the router. In the management interface, administrators should check the Virtual Server, NAT, or port forwarding settings, and disable the port forwarding setting of the NAS management service port. The default setting uses port 8080 and 443.
The UPnP function of the QNAP NAS should then be disabled by going to the myQNAPcloud on the QTS menu, clicking the “Auto Router Configuration”, and unselecting “Enable UPnP Port forwarding”.
Victims of Deadbolt ransomware attacks are able to bypass the ransom note and access their admin page by using either the http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi URLs.