The DeadBolt ransomware has been observed targeting ASUSTOR NAS devices, demanding a $1,150 ransom from users in exchange for a decryption key.

What happened?

According to researchers, a group of attackers claims to be abusing a zero-day vulnerability to target ASUSTOR NAS devices. The attacks were first reported on Reddit and on the BleepingComputer and ASUSTOR forums.
  • When encrypting files on an ASUSTOR device, the ransomware renames the files with the .deadbolt file extension. 
  • The ASUSTOR login screen is replaced with a ransom note asking for 0.03 bitcoins worth $1,150.
  • Some ASUSTOR owners believe that a vulnerability in the PLEX media server or EZ Connect is being exploited.
  • Multiple reports indicate that the AS6102T, AS6602T, AS5304T, AS5304T, and AS-6210T-4K models are unaffected.

The ransom deal

The attackers appear to be financially motivated and are offering ASUSTOR multiple payment schemes.
  • The DeadBolt operators are offering to sell the details of the alleged zero-day vulnerability if ASUSTOR is ready to pay 7.5 BTC, worth $290,000.
  • Additionally, the DeadBolt group is offering to sell a master decryption key for all victims and the zero-day details in exchange for 50 BTC.

The victim’s plan

ASUSTOR is planning to release recovery firmware that users can use to regain access to their NAS devices. The company also notes that the update cannot recover the encrypted files unless users have backups.
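Because recovery depends on backups, it helps to know how much of a share was encrypted before restoring anything. The sketch below is an added example, not code from the article or from ASUSTOR: it walks a mounted copy of a share and counts files carrying the .deadbolt extension per top-level folder. The function names and the mount path are hypothetical, and treating the oldest modification time as the start of encryption is an assumption.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".deadbolt"  # extension the article says DeadBolt appends


def triage(root):
    """Count encrypted vs. intact files per top-level folder under root."""
    stats = defaultdict(lambda: {"encrypted": 0, "intact": 0})
    earliest = None  # oldest mtime seen among encrypted files
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                stats[top]["intact"] += 1
                continue
            stats[top]["encrypted"] += 1
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: counted, but no timestamp
            if earliest is None or mtime < earliest:
                earliest = mtime
    return dict(stats), earliest


def report(root):
    """Render the triage result as text for an incident note."""
    stats, earliest = triage(root)
    lines = [
        f"{top}: {s['encrypted']} encrypted, {s['intact']} intact"
        for top, s in sorted(stats.items())
    ]
    if earliest is None:
        lines.append("no .deadbolt files found")
    else:
        # Assumption: the rewrite updated mtime, so this approximates when
        # encryption began; prefer a backup taken before this moment.
        ts = datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
        lines.append(f"earliest encrypted-file mtime (UTC): {ts}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: pass the path where the share is mounted.
    print(report(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a read-only mount or a disk image of the share so the inventory itself does not alter timestamps on the affected volume.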

What to do?

To stay protected, researchers suggest changing the default ports, such as the NAS web access ports 8000/8001 and the remote web access ports 80 and 443. Users are also advised to disable EZ Connect, close Plex ports and disable Plex, make an immediate backup, and turn off SSH/Terminal along with SFTP services.
Cyware Publisher
