Posted 25 January 2022 - 11:02 PM
After a while, the web UI page was replaced by the hijacked page again!
I SSH'd to the NAS and attached the output of "ps".
Posted 25 January 2022 - 11:49 PM
Would be interested in seeing the file located here if anyone has it:
/mnt/HDA_ROOT/[random number]
For example /mnt/HDA_ROOT/27855
Posted 26 January 2022 - 02:51 AM
We just got attacked last night at 12am GMT+8; it started encrypting the files this morning around 10. Any way to stop the encryption? We cannot pay the amount. Please help.
Posted 26 January 2022 - 03:30 AM
Not sure if this file has any personal details so I have sent you a PM. I am currently pulling an all-nighter backing up, nuking and redeploying this system. If you or anyone else wants any additional files, please let me know asap!
Additionally, I can give at least one datapoint that the crypto payment DID in fact result in a valid decryption code and the decryption script appears to have worked. I had to collaborate with some crypto gurus to figure out how to pull it up. It was DEFINITELY not straightforward. We waited quite some time waiting for a second "transaction" to be posted in Coinbase, but it was more of a reply/response which had to be found using a bitcoin "explorer"? I'm running on about hour 20 with no sleep so I may be a bit loopy lol. I can try to get additional information on the process if this is helpful.
Would be interested in seeing the file located here if anyone has it:
/mnt/HDA_ROOT/[random number]
For example /mnt/HDA_ROOT/27855
Edited by IamBComeDeath, 26 January 2022 - 03:36 AM.
Posted 26 January 2022 - 04:16 AM
Not sure if this file has any personal details so I have sent you a PM. I am currently pulling an all-nighter backing up, nuking and redeploying this system. If you or anyone else wants any additional files, please let me know asap!
Additionally, I can give at least one datapoint that the crypto payment DID in fact result in a valid decryption code and the decryption script appears to have worked. I had to collaborate with some crypto gurus to figure out how to pull it up. It was DEFINITELY not straightforward. We waited quite some time waiting for a second "transaction" to be posted in Coinbase, but it was more of a reply/response which had to be found using a bitcoin "explorer"? I'm running on about hour 20 with no sleep so I may be a bit loopy lol. I can try to get additional information on the process if this is helpful.
Would be interested in seeing the file located here if anyone has it:
/mnt/HDA_ROOT/[random number]
For example /mnt/HDA_ROOT/27855
Tell me what your payment address was, so I can see how the transaction looks.
Edited by not_apexxxxx, 26 January 2022 - 04:17 AM.
Posted 26 January 2022 - 06:45 AM
I got hit too
170K files (440GB) encrypted. My 'real-time' OneDrive sync is also corrupted (all files on OneDrive also encrypted).
I do luckily have a second .pdff backup that's only 2 days old which I'm currently in process of restoring to a secondary QNAP and I do seem to be able to access the restored files
Part of the issue from what I understand is that the default TCP/443 port was exposed to the internet? After I hard reset my QNAP and restore the backup, would it be enough to change the default admin port to something else? I do require remote access through QFile for several people to upload/download files to this server.
Posted 26 January 2022 - 07:38 AM
In general, I paid and decryption went; can't post image
decryption in progress (processed 68560 files)
Posted 26 January 2022 - 08:56 AM
I had a client targeted yesterday. Took the device offline, hard reset the QNAP using the pinhole, then updated the firmware to the new 5.0. TS-251, btw.
Following that, I had to delete all DeadBolt files and restore from an offsite backup.
It was not difficult, though time consuming, to remove their messaging and get back to the web admin.
Closed all ports, and would turn off UPnP (but good security practices led me to have disabled it already).
They were lucky, three hours later and we were restoring their data.
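Two practical requests recur in this thread: the researcher's ask for the /mnt/HDA_ROOT/[digits] file, and the reset-and-restore sequence in the post above, which destroys exactly that evidence if it is run first. The script below is an added example (not code from any poster, from QNAP, or from the ransomware) that preserves the artifacts with hashes and takes an inventory before the pinhole reset. The paths, the ".deadbolt" suffix standing in for what the poster calls "deadbolt files", and the availability of a busybox-style sh with find, cp, stat and sha256sum are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example for the thread; not from the posters or from QNAP.
# Assumptions: all-digit artifact names directly under /mnt/HDA_ROOT,
# the replaced login page at /home/httpd/index.html, encrypted data
# carrying a ".deadbolt" suffix, and a busybox-like sh with find, cp,
# stat and sha256sum. Run it BEFORE the factory reset.

# Print every regular file directly under DIR whose name is digits only
# (the /mnt/HDA_ROOT/27855 pattern), one path per line.
digit_named_files() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            ''|*[!0-9]*) continue ;;   # empty name or contains a non-digit
        esac
        printf '%s\n' "$f"
    done
}

# Count files under DIR that carry the assumed ransomware extension.
count_encrypted() {
    find "$1" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

# Copy the artifacts to OUT (keep OUT off the data volume, e.g. a USB
# stick) and record hashes, mtimes and sizes in OUT/manifest.txt so the
# files survive the reset and can be shared by PM (they may hold
# victim-specific identifiers). Returns 1 if OUT cannot be created.
collect_evidence() {
    root="$1"; index="$2"; data="$3"; out="$4"
    mkdir -p "$out" || return 1
    : > "$out/manifest.txt"
    digit_named_files "$root" | while read -r f; do
        cp -p "$f" "$out/hda_root_${f##*/}"
        sha256sum "$f" >> "$out/manifest.txt"
        stat -c '%n mtime=%y size=%s' "$f" >> "$out/manifest.txt"
    done
    if [ -f "$index" ]; then
        cp -p "$index" "$out/hijacked_index.html"
        sha256sum "$index" >> "$out/manifest.txt"
    fi
    printf 'encrypted_files=%s\n' "$(count_encrypted "$data")" >> "$out/manifest.txt"
    return 0
}

# On a real unit (assumed paths):
# collect_evidence /mnt/HDA_ROOT /home/httpd/index.html /share/CACHEDEV1_DATA /mnt/usb/evidence
```

The manifest is what you send along with the files: a researcher can confirm the copy they received is byte-identical to what was on the NAS, and the encrypted-file count tells you how much of the restore is actually needed.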
Posted 26 January 2022 - 09:02 AM
I got hacked too yesterday and my files (most of them encrypted, 2TB)... I saved what I could, copying the non-encrypted ones onto an external HDD.
And my last backup is from 3 months ago.
I used to think that having the QNAP was having a backup, as it copies all information onto the 2nd HDD using RAID1, but support told me "Not at all"... I should also link the NAS via USB to an external HDD to back up. What is this architecture!
Do you think we will have a decryption tool?
Edited by nadim23, 26 January 2022 - 09:03 AM.
Posted 26 January 2022 - 10:07 AM
A 2nd USB HDD would only help in 90% of the crypto viruses, which come from the end-user PCs. This infected the QNAP itself, which would have access to the USB. While I haven't read any datapoints that said USB was encrypted, and personally I believe my client's second hard drive escaped unscathed, the USB couldn't be considered "safe".
My client's system is about 5TB of data, 2.5TB of mostly medium-size files. The second drive was large video from drone footage. The online backup was either corrupted or silently failed 6 months ago. The only truly safe way is offsite cold storage. I bought 2x identical 8TB USB drives last night. Both will be set up with identical backup configs once the QNAP has been nuked and restored. One will be always connected, one in a safe offsite. Then every week they will be swapped on Friday night.
I got hacked too yesterday and my files (most of them encrypted, 2TB)... I saved what I could, copying the non-encrypted ones onto an external HDD.
And my last backup is from 3 months ago.
I used to think that having the QNAP was having a backup, as it copies all information onto the 2nd HDD using RAID1, but support told me "Not at all"... I should also link the NAS via USB to an external HDD to back up. What is this architecture!
Do you think we will have a decryption tool?
Edited by IamBComeDeath, 26 January 2022 - 10:07 AM.
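The two-drive rotation described in the post above only works if a failed or tampered run is noticed, which is the part that went wrong when the online backup "silently failed 6 months ago" and when RAID1 was mistaken for a backup. The script below is an added example (not from any poster or from QNAP) of the scheme with that check built in: every run writes a checksum manifest of the source, refuses to stamp the run as successful unless the copy on the drive matches it, and the verifier later reports a drive whose contents have drifted from the manifest (bit rot, or a later encryption pass reaching the USB drive) or whose last success is older than one swap cycle. The mount paths and the cp/find/sha256sum tool set are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example for the thread; not from the posters or from QNAP.
# Assumptions: the data volume and each USB drive are plain directories
# (e.g. /share/CACHEDEV1_DATA and /share/external/DEV3301_1), an
# unattached drive's path does not exist, and cp, find, sha256sum and
# date are available.

MAX_AGE_DAYS=8   # one weekly swap plus a day of slack

# Sorted "hash  ./relative/path" lines for every regular file under DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# Copy SRC into DEST/data, store the source manifest beside it, and write
# DEST/last_success only if the copy matches the source bit for bit.
# A copy that fails part-way therefore never looks like a good backup.
run_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest/data" || return 1
    cp -Rp "$src/." "$dest/data/" || return 1
    manifest "$src" > "$dest/manifest.sha256" || return 1
    [ "$(manifest "$dest/data")" = "$(cat "$dest/manifest.sha256")" ] || return 1
    date +%s > "$dest/last_success"
}

# 0 if the drive's data still matches its manifest AND the last success is
# at most MAX_AGE_DAYS old (relative to NOW, default: current time);
# nonzero with a reason otherwise. Run this on the drive coming back from
# the safe before trusting it, and on the attached one before the swap.
verify_backup() {
    dest="$1"; now="${2:-$(date +%s)}"
    [ -f "$dest/manifest.sha256" ] && [ -f "$dest/last_success" ] \
        || { echo "never completed"; return 1; }
    [ "$(manifest "$dest/data")" = "$(cat "$dest/manifest.sha256")" ] \
        || { echo "data differs from manifest"; return 2; }
    age=$(( (now - $(cat "$dest/last_success")) / 86400 ))
    [ "$age" -le "$MAX_AGE_DAYS" ] || { echo "stale: $age days"; return 3; }
    echo "ok: $age days old"
}

# Cron entry on the NAS: whichever of the listed drive paths is present
# receives this week's copy; the drive in the safe is never touched.
weekly_job() {
    src="$1"; shift
    for d in "$@"; do
        if [ -d "$d" ]; then
            run_backup "$src" "$d"
            return $?
        fi
    done
    echo "no backup drive attached"
    return 1
}

# On a real unit (assumed paths):
# weekly_job /share/CACHEDEV1_DATA /share/external/DEV3301_1 /share/external/DEV3302_1
```

The nonzero exit codes are what turn a silent failure into a visible one: wire verify_backup into whatever alerting the NAS or a monitoring host already has, and treat "never completed" or "stale" the same way you would treat a missing drive.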
Posted 26 January 2022 - 10:30 AM
Additionally, I can give at least one datapoint that the crypto payment DID in fact result in a valid decryption code and the decryption script appears to have worked. I had to collaborate with some crypto gurus to figure out how to pull it up. It was DEFINITELY not straightforward. We waited quite some time waiting for a second "transaction" to be posted in Coinbase, but it was more of a reply/response which had to be found using a bitcoin "explorer"?
In general, I paid and decryption went; can't post image
decryption in progress (processed 68560 files)
Guys, would you please paste the bitcoin address you paid the ransom to? I will most likely need to do that, but I would rather see how that second transaction with the decryption key looks beforehand. Great thanks in advance.
Posted 26 January 2022 - 10:50 AM
So it hit us too today.
The filename in /mnt/HDA_ROOT/ is 5700*
Looks like most of the files are encrypted and the backup is corrupted. So it seems the only way is to pay the 0.0300 BTC. Any advice on how to pay this? And any confirmation that this works?
Posted 26 January 2022 - 12:13 PM
Can anyone who paid and received a decryption key, PM me a few encrypted files and their key? Also, the index.html from your device.
Edited by Demonslay335, 26 January 2022 - 12:14 PM.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
Posted 26 January 2022 - 12:30 PM
Can anyone who paid and received a decryption key, PM me a few encrypted files and their key? Also, the index.html from your device.
My customer was hit yesterday morning; it seems that it took at least a few hours to encrypt the whole device. By the time I arrived the whole thing was encrypted. I had been working on it from around 3:00 PM EST to 6-7:00 PM EST, then around 8:00 PM I got the ransom message. I looked through the whole device and couldn't find one beforehand. Anyway, I have some encrypted files and I will certainly send them over to you once I am done here at my customer's site.
They have decided to pay the ransom, so once I do that, hopefully it will begin to decrypt; either way, I will make sure to grab some more files for you to look at before and after. Hope it helps someone else. My customer unfortunately cannot wait, and all the snapshots and encryption on the QNAP drives are all affected. Nothing that I thought would help mitigate an issue like this was useful in protecting my customer. Never again QNAP, never again.
Posted 26 January 2022 - 12:33 PM
Hello,
we were attacked yesterday at 5:00 PM Paris time by deadbolt. All files are locked. Do you have any leads for Qnap?
Edited by 4dingenierie, 26 January 2022 - 12:33 PM.