
New DeadBolt Ransomware Targets QNAP Devices, Asks 50 BTC For Master Key (bleepingcomputer.com)

(Wednesday January 26, 2022 @11:43AM (BeauHD) from the pay-up-or-else dept.)


[1]ryanw shares a report from BleepingComputer:

> A new DeadBolt ransomware group is [2]encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software. The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Instead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen stating, "WARNING: Your files have been locked by DeadBolt." This screen informs the victim that they should pay 0.03 bitcoins (approximately $1,100) to an enclosed Bitcoin address unique to each victim.


> After payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the decryption key. This decryption key can then be entered into the screen to decrypt the device's files. At this time, there is no confirmation that paying a ransom will result in receiving a decryption key or that users will be able to decrypt files. The DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000. They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.



[1] https://slashdot.org/~ryanw

[2] https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/
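A defender-side check that follows from the summary: DeadBolt appends .deadbolt to every file it encrypts and hijacks the login page instead of dropping ransom notes, so walking a mounted share for that suffix is the quickest way to confirm or rule out an infection and to see which folders were hit. This is an added example, not code from the BleepingComputer article or from QNAP; the per-directory threshold and the sample file listing are constructed for illustration.

```python
"""Look for DeadBolt-style encryption on a QNAP share by counting files
that carry the .deadbolt suffix the ransomware appends."""
import os
from collections import Counter
from typing import Iterable

DEADBOLT_SUFFIX = ".deadbolt"


def assess_paths(paths: Iterable[str], threshold: float = 0.5) -> dict:
    """Pure helper over file paths relative to the share root.

    Returns total file count, count of .deadbolt files, and the sorted
    list of directories where at least `threshold` of the files are
    encrypted (threshold is an assumption, not from the article)."""
    total = Counter()
    hit = Counter()
    for p in paths:
        d = os.path.dirname(p) or "."
        total[d] += 1
        if p.endswith(DEADBOLT_SUFFIX):
            hit[d] += 1
    affected = sorted(d for d in total if hit[d] / total[d] >= threshold)
    return {
        "files": sum(total.values()),
        "encrypted": sum(hit.values()),
        "affected_dirs": affected,
    }


def scan_share(root: str, threshold: float = 0.5) -> dict:
    """Walk a mounted share (e.g. an SMB/NFS mount of the NAS) and assess it."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            rel = os.path.relpath(dirpath, root)
            for f in files:
                yield f if rel == "." else os.path.join(rel, f)
    return assess_paths(walk(), threshold)


# Constructed sample listing (not real victim data): one hit directory.
SAMPLE = [
    "photos/IMG_001.jpg.deadbolt",
    "photos/IMG_002.jpg.deadbolt",
    "photos/IMG_003.jpg",
    "docs/notes.txt",
    "docs/budget.xlsx",
    "README.txt",
]

if __name__ == "__main__":
    import sys
    print(scan_share(sys.argv[1]) if len(sys.argv) > 1 else assess_paths(SAMPLE))
```

Run it against a mount of the share (`python3 deadbolt_check.py /mnt/nas`) from a separate machine; with no argument it evaluates the constructed sample.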



I'm on the fence about this (Score:2)

by Kokuyo ( 549451 )

The fact that they offer QNAP the information to fix this.... kinda makes this... hell, certainly not good but... let's say one kick in the nads would suffice?

The master key for 50 million is probably a bit on the high side :D.

Re: (Score:1)

by shaitand ( 626655 )

They are selling the zero-day to the vendor for 5 BTC (~$200k) or the master key for 50 BTC (~$1.9M). Those actually seem like reasonable values little different than what they'd face from a small player with similar leverage in the conference room.

Re: (Score:2)

by sjames ( 1099 )

OTOH, QNAP could offer 51 bitcoins for their heads (and JUST their heads) delivered on a platter.

Re: (Score:2)

by AmiMoJo ( 196126 )

Looking at their website (https://www.qnap.com/en-uk/security-advisories) they don't seem to have a bug bounty in place. If they did, they might have avoided all this.

Crypto Trash (Score:1, Flamebait)

by Tuxguin ( 3536683 )

When are we going to make collective efforts to actually shut down cryptocurrency payments? Their only real value seems to be abuse. It seems a lot harder to run these kinds of scams if crypto doesn't exist

Re: (Score:2)

by Paco103 ( 758133 )

And how does that happen? It's completely decentralized. There's nobody in control, just "the network". Do we take down the internet? I repeat the question, as again it's decentralized by design and semi-decentralized in practice.

Do we ban the network traffic? Do we ban the buying and selling of crypto, like we banned the buying and selling of drugs?

It's a pandora's box. It's not going away.

Re: (Score:3)

by Lisandro ( 799651 )

> And how does that happen?

Regulate exchanges, then watch the little real liquidity in the crypto "markets" disappear overnight.

Re: (Score:3)

by ArchieBunker ( 132337 )

Yeah make drugs illegal too for good measure...

Re: (Score:2)

by Lisandro ( 799651 )

That's a shit analogy: I said regulate. Pretty much all exchanges out there operate with little, if any, government oversight. It's a Wild West right now.

No one gives two shits about Bitcoin per se; it is either used as a speculative asset or, in the case of ransomware creators, to collect online payments without going through formal channels. In either case, the end goal is to convert BTC back and forth to "real" money.

All it takes is a little regulation to make this house of cards fall apart; just enforcin

Re: (Score:1)

by times05 ( 1683662 )

All the speculation gambling is acting as cover for illegal activity, such as ransoms and money laundering. Kind of "Oh, it might have been a perfectly legal legitimate transaction, just another guy/gal trying to gamble on the market". You outlaw using it legally, suddenly illegal activity has no cover to hide behind.

Done with Qnap (Score:5, Interesting)

by coofercat ( 719737 )

I bought a Qnap for home - primarily as a regular, plain old boring NAS, but also because it can run containers/VMs, which I hoped to use for miscellaneous crap (eg. the software that configures my Wifi APs, bacula backups, etc).

It's technically fine at being a NAS - it serves files just fine. But my god, it's a horrible mess of different windows (on their "web desktop" OS), different "centers" and "stations" (Container Station, App Center, bla bla). It's incredibly complicated and even simple tasks like "make a share, assign some permissions" seem like a long job across multiple screens. Trying to run a VM isn't impossible at all, but I'm dumping all the things I thought I'd use it for and moving them to a raspberry pi or two - the qnap just makes it all far too difficult (and very "proprietary" feeling).

Frankly, the vastness of their shit-show software makes the chances of bugs in it almost an absolute certainty. Anyone that lets one of these onto the Internet needs to donate their brain to medical science.

All of this is not what I buy a NAS for - I buy them to hum away in the corner and not get in my way. This QNAP seems to constantly want to remind me about something, make me do something, pay it some attention or whatever else. When the one I have starts getting grumpy, it's going to the great recycling facility in the sky and getting replaced with something far, far better. I believe there's an open NAS product you can install on these things - maybe I need to spend a weekend doing that...?

The time I found a Qnap in a client's datacentre... well, it was first into the skip - no way in hell I'd trust them to run anything "real". Yet I know that lots of small shops do indeed run their entire office on one (NAS, DHCP, print server, email, web site, databases, you name it). Good luck to those folks, I fear they may have backed the wrong horse.

Re: (Score:2)

by JackieBrown ( 987087 )

My problem was lack of flexibility. If I didn't want raid, I couldn't use any of their tools. I switched to running Debian directly on it from a USB stick.

Re: (Score:2)

by bradley13 ( 1118935 )

I don't disagree with their web interface being cluttered, but I do think you are being a bit overly dramatic about it. As I posted elsewhere, the real question is: why would you ever expose your NAS directly to the internet?

More, let me point out one *huge* positive for QNAP: security updates. I have an absolutely ancient QNAP device, and they *still* issue regular firmware updates for it. You can't say that about every manufacturer.

Re: (Score:2)

by pixelpusher220 ( 529617 )

Plex viewing is a big reason, Phone storage backup on the go, among numerous others

The real problem is combining your *data* and your services onto a single appliance that is then exposed to the world.

Re: (Score:2)

by Bourdain ( 683477 )

so much easier/cheaper to just use a fire stick + kodi than plex...though not quite as pretty

I used plex for years and will never go back

Re: (Score:2)

by pixelpusher220 ( 529617 )

from scratch, certainly possible.

From my standpoint of Plex working currently with zero maintenance...not so much ;-)

Re: (Score:2)

by jon3k ( 691256 )

> Plex viewing is a big reason, Phone storage backup on the go, among numerous others

That would presumably require a bug in Plex, if that was the only exposed service. And those are typically deployed via a container on QNAP as far as I know. No one knows the details obviously, but this seems unlikely. Otherwise we would hear about tens or hundreds of thousands of NAS that had already been affected.

I think the problem here is that the management service for the QNAP NAS must be publicly accessible for remote management.

Re: (Score:2)

by fuzzyfuzzyfungus ( 1223518 )

It seems like NAS vendors have fallen into the unfortunate trap of chasing checkbox features, not implemented very well, presumably to escape the commodification that would afflict them if they just made boxes with drive cages and HBAs.

It's unfortunate because some NAS designs are actually a fairly pleasing compromise between actually supporting a decent number of disks and not being a screaming rackmount server; but that's a lot less helpful when the software is actively untrustworthy, and often treated

Note to QNAP owners (Score:2)

by C_Kode ( 102755 )

You would think this wouldn't need to be stated since it should be blatantly obvious a massive security risk, but... Don't expose your QNAP administrative interface to the Internet.

Re: (Score:3)

by fuzzyf ( 1129635 )

All these devices try to expose services towards the internet. It's annoying.

QNAP, Synology, Plex, Unify, and every mobile app to control IoT is somehow willing to expose services on the internet. Some through upnp, others using tunneling into cloud services and exposed from there.

I run some of these products myself and I've spent time on configuring them NOT to expose anything, even missing out on several features by insisting on it being local network only.

Shouldn't be like this, especially with

Re: (Score:2)

by torkus ( 1133985 )

> You would think this wouldn't need to be stated since it should be blatantly obvious a massive security risk, but... Don't expose your QNAP administrative interface to the Internet.

In theory - sure.

In reality, there's a ton of reasons you'd want remote access into a local device. Two common ones would be NVR and plex/AV streaming...and QNAP offers plenty of services that need similar inbound connections. If you don't configure it correctly...bye bye.

Maybe don't expose your NAS to the internet? (Score:2)

by bradley13 ( 1118935 )

I am at a loss to understand why you would directly expose your NAS to the Internet. Maybe a specific file-sharing service, sure, but the whole NAS, including the administrative login page? Are there actually use-cases for that?

Re: (Score:2)

by Calinous ( 985536 )

Configure it from work when the significant other is at home and can't do something on it.

Re: (Score:2)

by Malc ( 1751 )

Get a Raspberry Pi with OpenVPN or sshd and only expose that and the specific ports to the internet instead. These NAS devices aren't exactly cheap by the time you get one with enough power to do what it says on the tin, and have enough storage to be useful, so the RP isn't that much more and comes with other uses.

Re: (Score:2)

by C_Kode ( 102755 )

I would even point out you can run a VPN on the QNAP itself instead of needing a Raspberry Pi. Installable QNAP app, or create a virtual machine to run it.

Re: (Score:2)

by C_Kode ( 102755 )

lol, no!

This is what VPNs are for.

Re: (Score:2)

by ryanw ( 131814 )

Devices behind firewalls and not directly exposed to the internet are being hit with this ransomware as well. I haven't seen any details as to how the devices are getting exploited, but being that devices behind firewalls are vulnerable it would have to be some sort of 'man-in-the-middle' attack is my guess. Perhaps QNAP wasn't validating SSL certificates, or not using GPG signatures to validate software and allowing a rootkit to be installed from an auto-update. No matter what it was, it seems like it has t
