The PolySwarm Blog


Deadbolt Ransomware

Sep 29, 2022 2:22:49 PM / by PolySwarm Tech Team


Executive Summary

Sophos recently reported on Deadbolt ransomware, a malware family targeting QNAP devices. QNAP released an advisory on the affected products. 

Key Takeaways

  • Deadbolt ransomware, first reported in early 2021, targets QNAP NAS devices.
  • A recent variant of Deadbolt ransomware exploits CVE-2022-27593.
  • Deadbolt threat actors use a unique ransom method, sending the victim the decryption key via a Bitcoin transaction if the ransom is paid.

What is Deadbolt?

Deadbolt ransomware, which exploits CVE-2022-27593, was recently observed targeting QNAP NAS devices. The first reports on Deadbolt were released in early 2021. In an advisory, QNAP stated a new DeadBolt campaign was discovered on September 3rd, targeting QNAP NAS devices that are running Photo Station and exposed to the internet. CVE-2022-27593 involves an externally controlled reference that resolves to a resource outside of the intended control sphere, allowing threat actors to modify system files and launch ransomware attacks.

According to Trend Micro, Deadbolt is a 64-bit ELF file compiled using Go. Deadbolt must be run manually by the threat actor. It uses AES-128-CBC for encryption. Trend Micro noted it is possible to have more than one infection per device if the device has multiple ports open.

The threat actors behind Deadbolt employ a unique ransom method. The ransom note is displayed on the infected device’s web interface. It instructs the victim to pay a ransom to the specified Bitcoin address. Once payment is complete, the threat actors send a zero-value transaction to the victim with the AES decryption key included in the transaction details. Deadbolt also taunts the vendor with a ransom amount that, if paid, would allegedly count as a ransom payment for all affected victims.

QNAP provided the following recommendations for securing QNAP NAS devices:

  • Disable the router’s port forwarding function.
  • Use myQNAPcloud to enable secure remote access.
  • Keep the NAS firmware up to date.
  • Keep NAS applications up to date.
  • Use strong passwords for all user accounts.
  • Regularly back up data.

IOCs

PolySwarm has multiple samples of Deadbolt. SHA-256 hashes:

  • 444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf
  • 81f8d58931c4ecf7f0d1b02ed3f9ad0a57a0c88fb959c3c18c147b209d352ff1
  • 184747ba1f080561ceea7f0b96dd0a8c1de2b7b2bdc2fea39954949d29aeaca9
  • 1ac1f9f9c519c7e141dcb1aa8157feca7943fd85db3d0a31f01e0fb44d239890
  • 0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617
You can use the following CLI command to search for all Deadbolt samples in our portal:

$ polyswarm link list -f Deadbolt
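As an added example (not part of the original bulletin and not PolySwarm's own tooling), the Python script below walks a directory, hashes every regular file with SHA-256 and matches the digests against the Deadbolt hashes listed above. Because the bulletin notes that Deadbolt is a 64-bit ELF binary, it also reports any 64-bit ELF file that does not match a known hash as a candidate worth submitting for analysis. The directory layout and file contents it scans are constructed for the demo; the constructed marker file's hash is added to a local copy of the IOC set purely to exercise the match path.

```python
"""Match files on disk against the Deadbolt SHA-256 IOCs and flag 64-bit ELF candidates."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# SHA-256 hashes taken from the IOC list in this bulletin.
DEADBOLT_SHA256 = frozenset({
    "444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf",
    "81f8d58931c4ecf7f0d1b02ed3f9ad0a57a0c88fb959c3c18c147b209d352ff1",
    "184747ba1f080561ceea7f0b96dd0a8c1de2b7b2bdc2fea39954949d29aeaca9",
    "1ac1f9f9c519c7e141dcb1aa8157feca7943fd85db3d0a31f01e0fb44d239890",
    "0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617",
})

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2  # e_ident[EI_CLASS] == 2 marks a 64-bit ELF object


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_elf64(path):
    """True if the file starts with the ELF magic and its class byte says 64-bit."""
    with open(path, "rb") as fh:
        header = fh.read(5)
    return len(header) == 5 and header[:4] == ELF_MAGIC and header[4] == ELFCLASS64


def scan_directory(root, known_hashes=DEADBOLT_SHA256):
    """Return (ioc_hits, elf64_candidates); each entry is a (path, sha256) tuple."""
    ioc_hits, elf64_candidates = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            digest = sha256_of_file(path)
            if digest in known_hashes:
                ioc_hits.append((path, digest))
            elif is_elf64(path):
                elf64_candidates.append((path, digest))
    return ioc_hits, elf64_candidates


def build_sample_tree():
    """Constructed sample tree: a text file, a 64-bit ELF header stub, a 32-bit ELF
    header stub and a harmless marker file. None of these are real malware."""
    root = tempfile.mkdtemp(prefix="deadbolt_scan_")
    Path(root, "notes.txt").write_bytes(b"nothing to see here\n")
    Path(root, "bin").mkdir()
    # e_ident: magic, EI_CLASS (2 = 64-bit, 1 = 32-bit), EI_DATA, EI_VERSION, padding
    Path(root, "bin", "stub64").write_bytes(ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 13)
    Path(root, "bin", "stub32").write_bytes(ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 13)
    Path(root, "marker.bin").write_bytes(b"constructed sample, not malware\n")
    return root


def demo():
    """Scan the constructed tree; the marker's hash is added to a local IOC copy so the
    match path runs. Returns paths relative to the scan root, sorted for stable output."""
    root = build_sample_tree()
    try:
        local_iocs = DEADBOLT_SHA256 | {sha256_of_file(os.path.join(root, "marker.bin"))}
        hits, candidates = scan_directory(root, local_iocs)
        rel = lambda p: Path(p).relative_to(root).as_posix()
        return {
            "ioc_hits": sorted(rel(p) for p, _ in hits),
            "elf64_candidates": sorted(rel(p) for p, _ in candidates),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Point `scan_directory` at a mounted NAS share or a forensic image's extracted filesystem; anything in `ioc_hits` is a known Deadbolt sample, while `elf64_candidates` is a triage list, not a verdict, since most 64-bit ELF files on a NAS are legitimate.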



Topics: Threat Bulletin, Ransomware, QNAP, Deadbolt
