A new ransomware operation, named DeadBolt, has been encrypting internet-exposed QNAP NAS devices around the world. So far, the ransomware has targeted 3,600 devices.

What has happened?

DeadBolt operators are abusing a zero-day vulnerability to infect QNAP devices and encrypt files using the ransomware.
  • A security researcher and Curated Intel member discovered that DeadBolt has already encrypted thousands of QNAP devices with the most affected countries being the U.S., France, Taiwan, Italy, and the U.K.
  • The operators replace the regular HTML login page with their ransom note that demands 0.03 bitcoins (worth around $1,100) to receive a decryption key and restore data.
  • Attackers further offer the master decryption key to decrypt all impacted QNAP devices for 5 bitcoins (around $185,000) and to provide info on the alleged zero-day for 50 bitcoins (around $1.85 million).

QNAP urges for urgent patching

Just after the ransomware attack, QNAP warned its customers to protect their NAS devices against DeadBolt by updating the QTS software version and disabling port forwarding and UPnP.
  • The firm took stricter action and force-updated the firmware of NAS devices to recent version, the latest universal firmware available on 23 December 2021.
  • QNAP forced the recent firmware update on devices with automatic updates disabled too. The update included various security fixes with most of them related to Samba.

The forced firmware update removed the ransomware executable and ransom screen from the victims’ machines. 


Ransomware operators waste no time in abusing any zero-day flaw they find on exposed devices. Most of the time, the fix comes late, which is exactly what boosted the DeadBolt ransomware attack spree. Thus, admins should make sure that every device inside a company network is updated and not publicly exposed.

Cyware Publisher