Researchers have observed a spike in cyberattacks by Deadbolt ransomware on NAS devices around the globe. With these attacks, it is extorting not just the end customers but the NAS vendors, such as QNAP.
What is happening?
According to a report by Group-IB, the ransomware has been targeting QNAP NAS devices since the beginning of this year.
There has been a 674% surge in Deadbolt attacks between June and September.
The majority of infections have been observed in the U.S. (2,472), Germany (1,778), and Italy (1,383).
The ransomware has mostly targeted NAS devices used in schools, homes, and small and medium businesses.
The ransomware operators demand a ransom of around 0.03 and 0.05 Bitcoin (approx. $1,000 or less) from the targeted end users to provide the decryption key to unlock their data.
For around 10 Bitcoins (around $192,000), they claim to provide the technical details to the NAS vendor regarding the zero-day vulnerability (CVE-2022-27593), which is abused to target the QNAP NAS devices.
Moreover, they promise to provide the master key to decrypt all the files encrypted for all their victims after a payment of 50 Bitcoins (around $959,000).
A few days ago, the Dutch National Police carried out a targeted operation against the Deadbolt ransomware, obtaining 155 decryption keys.
Here’s what happened
According to the police, the ransomware group encrypted over 20,000 QNAP and Asustor devices in its campaign since January 2022. This included more than 1,000 victims in the Netherlands.
During the operation, the police paid the ransom amount, which resulted in the automated generation of 155 decryption keys. By taking advantage of network congestion, they canceled the translation and withdrew payments.
Unlike many ransomware groups, Deadbolt uses an automated mechanism to generate the decryption keys upon payment of ransom. Although this process is flawed (that helped Dutch police recover decryption keys without actually paying the ransom), the rise in Deadbolt ransomware attacks looks unstoppable.