A new steady stream of attacks against network-attached storage devices from the Taiwan-based vendor is similar to a wave that occurred in January.
DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March and signal a new targeting of the Taiwan-based vendor's network-attached storage (NAS) devices by the fledgling threat, researchers said.
Researchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, with a total of 373 infections that day. That number rose to 1,146 devices by March 19, according to a blog post by Censys senior security researcher Mark Ellzey.
The current attacks harken back to January, when the company had to push out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that were greeting customers with the ransomware group’s screen when they logged in, effectively locking them out of the device.
The new wave of attacks ostensibly follows the same blueprint as January’s wave, but the majority of the victims are running the QNAP QTS Linux kernel version 5.10.60, Ellzey said. That’s a later version than the update (QTS 5.0.0.1891) pushed out to customers in January.
That said, “at this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it’s the original exploit targeting unpatched QNAP devices,” he acknowledged.
Moreover, the new infections do not seem to be targeting a specific organization or country; they seem to be evenly split between subscribers of various consumer internet service providers, Ellzey added.
Déjà Vu for QNAP Customers
The attacks behave the same as the January attacks as far as what the customers experience — and they ask for the same ransom as previous DeadBolt attacks on QNAP devices, Ellzey said.
“Except for the [Bitcoin] addresses used to send ransoms to, the attack remains the same: backup files are encrypted, the web administration interface is modified, and victims are greeted with [ransom] messages,” he wrote in the post.
The attackers are asking for 0.03 Bitcoin for a decryption key, which is about $1,223 at today’s exchange rate. They’re also asking for a ransom from QNAP itself: 5 bitcoin or $203,988, for information related to the vulnerabilities; and 50 bitcoin, or about $2 million, for a master key to unlock all affected victims, Ellzey said.
QNAP is not the only company in the crosshairs of DeadBolt, which first came to researchers’ attention due to the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting ASUSTOR ADM devices, according to Censys.
Censys researchers picked up on the latest wave of QNAP attacks due to the unique way the current DeadBolt ransomware variant communicates with victims, according to the post.
“Instead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption, and vandalizes the web-administration interface with an informational message explaining how to remove the infection,” Ellzey wrote.
Therefore, using a simple search query, Censys “could easily find infected devices exposed on the public internet,” according to the post.
Along with general information about what hosts were infected with DeadBolt, researchers also obtained and tracked every unique Bitcoin wallet address used as a ransom drop, Ellzey added.