The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Deadbolt Ransomware

Sep 29, 2022 2:22:49 PM / by PolySwarm Tech Team


Executive Summary

Sophos recently reported on Deadbolt ransomware, a malware family targeting QNAP devices. QNAP released an advisory on the affected products. 

Key Takeaways

  • Deadbolt ransomware, first reported in early 2021, targets QNAP NAS devices.
  • A recent variant of Deadbolt ransomware exploits CVE-2022-27593.
  • Deadbolt threat actors use a unique ransom method, sending the victim the decryption key via a Bitcoin transaction if the ransom is paid.

What is Deadbolt ?

Deadbolt ransomware, which exploits CVE-2022-27593, was recently observed targeting QNAP NAS devices. The first reports on Deadbolt were released in early 2021. In an advisory, QNAP stated a new DeadBolt campaign was discovered on September 3rd, targeting QNAP NAS devices that are running Photo Station and exposed to the internet. CVE-2022-27593 involves an externally controlled reference that resolves to a resource outside of the intended control sphere, allowing threat actors to modify system files and launch ransomware attacks.

According to Trend Micro, Deadbolt is a 64-bit ELF file compiled using Go. Deadbolt must be run manually by the threat actor. It uses AES-128-CBC for encryption. Trend Micro noted it is possible to have more than one infection per device if the device has multiple ports open.

The threat actors behind Deadbolt employ a unique ransom method. The ransom note is displayed on the infected device’s web interface. It instructs the victim to pay a ransom to the specified Bitcoin address. Once payment is complete, the threat actors send a zero-value transaction to the victim with the AES decryption key included in the transaction details. Deadbolt also taunts the vendor with a ransom amount that, if paid, would allegedly count as a ransom payment for all affected victims.

QNAP provided the following recommendations for securing QNAP NAS devices:

  • Disable the router’s port forwarding function.
  • Use myQNAPcloud to enable secure remote access.
  • Keep the NAS firmware up to date.
  • Keep NAS applications up to date.
  • Use strong passwords for all user accounts.
  • Regularly backup data. 

PolySwarm has multiple samples of Deadbolt.





You can use the following CLI command to search for all Deadbolt  samples in our portal:

$ polyswarm link list -f Deadbolt

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Ransomware, QNAP, Deadbolt

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts