In May, QNAP warned its customers of ongoing attacks by the DeadBolt ransomware group against NAS appliances. The attacks started in January and the threat actor asks for a ransom of 0.03 Bitcoin for the decryption key. Around January 26, 4,988 services out of 130,000 QNAP NAS devices were infected by DeadBolt, as per a report by

That’s not all

  • Not only QNAP but Asustor—another NAS devices vendor—underwent DeadBolt attacks in February.
  • The next month, the threat actor again shifted to targeting QNAP devices and the number of infections reached 1,146.
  • This was followed by the May incident wherein NAS devices running QTS 4.3.6 and QTS 4.4.1 were affected.

Multi-tiered extortion scheme

  • DeadBolt employs various sophisticated TTPs, including multiple payment options - one for the user and the other for the vendor.
  • However, even if the vendors pay the ransom, they won’t receive a master key to unlock all the files for the victims. 
  • This is the first time a ransomware group has implemented two ransoms in a single attack - making it a unique threat. 
  • The malware operators have created a web UI that decrypts victims’ data once the ransom is paid and a decryption key is provided, unlike other ransomware families that provide hard-to-follow steps.
  • Another novel feature is that the victims don’t need to contact the attackers since the blockchain transaction automatically provides the decryption key. However, this technique has been previously used by the CTB-Locker ransomware actor. 

Trend Micro noted that decryption is not possible for files encrypted by the ransomware since it has not been possible to verify the master key decryption process.

Infections on the rise

  • A report by Censys stated that, until April, a total of 132 ransoms were paid to the threat actor, amounting to $187,665. 
  • Until May 20, DeadBolt had infected around 470 devices across the U.S., Germany, and the U.K.
  • The highest number of infections were observed in March, and it is possible that there could have been more than one infection per device. 
  • Alarmingly, Trend Micro detected 83,000 QNAP and 2,500 Asustor internet-exposed services at risk of infection.

The bottom line

The research found that most victims didn’t pay the ransom, most probably since the ransom costs more than a new NAS device. It seems that DeadBolt’s aim is to infect as many devices as possible to get a substantial payout. The multi-tiered extortion tactic is definitely a unique move on the attacker’s part and researchers suspect that this might be adopted by other groups in the future.

Cyware Publisher