At the beginning of January, QNAP warned of ransomware attacks on its in-house NAS systems and shortly thereafter closed security gaps in the NAS operating systems QTS and QuTS hero, as well as in apps, that allowed the execution of arbitrary code. Since yesterday, attacks that encrypt QNAP NAS systems have been appearing.
DeadBolt is said to use a zero-day vulnerability
The ransomware, called DeadBolt, attacks QNAP NAS systems that can be accessed via the Internet, similar to the ransomware Qlocker in recent years and again earlier this year. QNAP had therefore already called on users to deactivate port forwarding and UPnP so that the NAS is not accessible from the outside. It is not yet known whether the latest updates for QTS and QuTS hero have already closed the vulnerability that is now being exploited, but since the attackers say it is a zero-day vulnerability, this cannot be assumed.
Decryption for 0.03 Bitcoin
In any case, the hacker group demands five Bitcoin from QNAP (the equivalent of almost 170,000 dollars) in order to disclose details of the vulnerability so that it can be closed.
Users whose files on the NAS have been encrypted by the ransomware, on the other hand, are being asked for 0.03 Bitcoin, which corresponds to around 1,000 dollars at the current exchange rate. The attackers say that as soon as the payment has been received, they will disclose the key for decrypting the data to the user via a transaction.
50 Bitcoin for master key
They also offer QNAP the master key, with which all affected NAS systems can be decrypted again, but demand 50 Bitcoin for it, i.e. around 1.7 million dollars. In addition, all details of the vulnerability would then be disclosed.
QNAP issues warning
QNAP has reacted to the attacks recorded since yesterday with a warning and recommends that all users not only update to the latest software versions, but also explicitly deactivate port forwarding and UPnP so that the NAS system cannot be accessed and attacked via the Internet.