Sophos recently reported on Deadbolt ransomware, a malware family targeting QNAP devices. QNAP released an advisory on the affected products.
- Deadbolt ransomware, first reported in early 2021, targets QNAP NAS devices.
- A recent variant of Deadbolt ransomware exploits CVE-2022-27593.
- Deadbolt threat actors use a unique ransom method, sending the victim the decryption key via a Bitcoin transaction if the ransom is paid.
What is Deadbolt?
Deadbolt ransomware, which exploits CVE-2022-27593, was recently observed targeting QNAP NAS devices. The first reports on Deadbolt were released in early 2021. In an advisory, QNAP stated that a new Deadbolt campaign was discovered on September 3rd, targeting internet-exposed QNAP NAS devices running Photo Station. CVE-2022-27593 involves an externally controlled reference that resolves to a resource outside of the intended control sphere, allowing threat actors to modify system files and launch ransomware attacks.
According to Trend Micro, Deadbolt is a 64-bit ELF file compiled using Go. Deadbolt must be run manually by the threat actor. It uses AES-128-CBC for encryption. Trend Micro noted that a single device can be infected more than once if it has multiple ports open.
The threat actors behind Deadbolt employ a unique ransom method. The ransom note is displayed on the infected device’s web interface. It instructs the victim to pay a ransom to the specified Bitcoin address. Once payment is complete, the threat actors send a zero-value transaction to the victim with the AES decryption key included in the transaction details. Deadbolt also taunts the vendor with a ransom amount that, if paid, would allegedly count as a ransom payment for all affected victims.
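The key-return step described above, as an added example that is not part of the original post: it parses a serialized Bitcoin transaction and pulls the payload out of any zero-value OP_RETURN output, which is how a responder could verify what a paying victim actually received. The OP_RETURN carrier, the function names and the sample transaction are assumptions of this example; the text only says the key travels in the transaction details.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C

def read_varint(buf, pos):
    """Bitcoin CompactSize: one byte, or a 0xFD/0xFE/0xFF prefix + 2/4/8 LE bytes."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw):
    """Outputs of a legacy (non-segwit) serialized tx as (satoshis, scriptPubKey)."""
    n_in, pos = read_varint(raw, 4)               # 4-byte version, then input count
    for _ in range(n_in):
        slen, pos = read_varint(raw, pos + 36)    # skip outpoint, read scriptSig length
        pos += slen + 4                           # skip scriptSig and sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + slen]))
        pos += slen
    return outputs

def op_return_payload(script):
    """Data pushed after OP_RETURN (direct push of 1..75 bytes or OP_PUSHDATA1), else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, body = script[1], script[2:]
    if op == OP_PUSHDATA1:                        # push length lives in the next byte
        if not body:
            return None
        op, body = body[0], body[1:]
    elif not 1 <= op <= 75:                       # not a direct data push
        return None
    return body[:op] if len(body) >= op else None
def zero_value_payloads(raw_tx_hex):
    """Hex payload of each zero-value OP_RETURN output (16 bytes is the AES-128 key size)."""
    return [p.hex() for v, s in parse_outputs(bytes.fromhex(raw_tx_hex))
            if v == 0 and (p := op_return_payload(s))]

# Constructed sample tx: one input, one ordinary P2PKH output and one zero-value OP_RETURN
# output carrying a 16-byte placeholder key. Not a real Deadbolt transaction or key.
FAKE_KEY = bytes(range(16))
SAMPLE_TX = (b"\x01\x00\x00\x00"                                      # version
             + b"\x01" + b"\x00" * 32 + b"\xff" * 4 + b"\x00" + b"\xff" * 4  # 1 input, empty scriptSig
             + b"\x02" + (1000).to_bytes(8, "little") + b"\x19\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
             + (0).to_bytes(8, "little") + b"\x12" + bytes([OP_RETURN, 16]) + FAKE_KEY
             + b"\x00\x00\x00\x00").hex()                              # locktime
```

Calling `zero_value_payloads(SAMPLE_TX)` returns the placeholder key as hex; outputs that carry value or use other scripts are ignored, and truncated pushes yield nothing rather than partial bytes.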
QNAP provided the following recommendations for securing QNAP NAS devices:
- Disable the router’s port forwarding function.
- Use myQNAPcloud to enable secure remote access.
- Keep the NAS firmware up to date.
- Keep NAS applications up to date.
- Use strong passwords for all user accounts.
- Regularly back up data.
PolySwarm has multiple samples of Deadbolt.
You can use the following CLI command to search for all Deadbolt samples in our portal:
$ polyswarm link list -f Deadbolt
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.