QNAP warned its customers about the ongoing DeadBolt ransomware attacks that encrypt NAS devices directly exposed to the internet by exploiting a zero-day vulnerability in Photo Station.
About the attack
Once the device is encrypted, the ransomware adds an extension to the name of the excerpted files and scours the QNAP NAS login page to display a warning message.
- The hijacked QNAP login screen displays a ransom note demanding the payment of roughly $1,277 to receive a decryption key to recover the files.
- The ransom note furthermore includes a link, which points to a page that offers technical details of the alleged zero-day vulnerability in QNAP NAS devices for approximately $212,000.
- The operators are moreover offering for sale the QNAP master decryption key for 50 BTC, which could allow all the victims of this ransomware family to decrypt their files.
- The security flaw has already been patched, however, the attacks continue. The Taiwanese vendor confirmed the attacks were widespread, with a rise in the submission of ID ransomware samples.
QNAP releases security updates
QNAP released Photo Station security updates 12 hours after DeadBolt began using the zero-day vulnerability in attacks.
- The security updates released are: QTS 5.0.1 requires Photo Station 6.1.2 or later, QTS 5.0.0/4.5.x requires Photo Station 6.0.22 or later, QTS 4.3.6 requires Photo Station 5.7.18 or later, QTS 4.3.3 requires Photo Station 5.4.15 or later, and QTS 4.2.6 requires Photo Station 5.2.14 or later.
Past attacks
The DeadBolt ransomware gang has been targeting NAS devices since January, leveraging zero-day vulnerabilities on internet-exposed NAS devices. The threat actors carried out extended attacks on QNAP devices in May and June.
What to do?
The company strongly advises users not to directly expose their QNAP NAS to the internet and rather place it behind a firewall. Users are furthermore advised to use QNAP's myQNAPcloud Link feature or enable the VPN service to effectively fortify the devices and reduce the likelihood of being attacked.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_157356602.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/c0ab_shutterstock_2162349557.jpg)
