
DeadBolt ransomware Support Topic - QNAP ASUSTOR devices (.deadbolt extension)


706 replies to this topic

#31 not_apexxxxx
  • Members
  • 5 posts
  • Local time:01:45 PM

Posted 26 January 2022 - 12:51 PM

Additionally, I can give at least one datapoint that the crypto payment DID in fact result in a valid decryption code and the decryption script appears to have worked. I had to collaborate with some crypto gurus to figure out how to pull it up. It was DEFINITELY not straightforward. We waited quite some time for a second "transaction" to be posted in Coinbase, but it was more of a reply/response which had to be found using a bitcoin "explorer"?

In general, I paid and decryption went; can't post image

decryption in progress (processed 68560 files)

Guys, would you please paste the bitcoin address where you paid the ransom to? I will most likely need to do that, but I would rather see what that second transaction with the decryption key looks like beforehand. Great thanks in advance.

I paid with www.binance.com; you need to be attentive to the withdrawal amount and amount received fields. The amount received should be 0.03; in total I paid 0.0305 BTC including the fee.

Link to the wallet I paid to:

https://www.blockchain.com/ru/btc/address/bc1qj5vz6sc7n90ylq393h9khsa8essryylj65fvdm

Click on the top "Hash" and look at the end of the page. (This is the code I used to decrypt my files.) PS. sorry for my English

Index 2

Pkscript
OP_RETURN 5f144b4c18e8794587b60c8f60c49372




#32 not_apexxxxx
  • Members
  • 5 posts
  • Local time:01:45 PM

Posted 26 January 2022 - 12:54 PM

Can anyone who paid and received a decryption key, PM me a few encrypted files and their key? Also, the index.html from your device.

Now I don't have the index.html file, but I have the key and encrypted files. I can send them tomorrow if you need.



#33 eagleyes
  • Members
  • 2 posts
  • Local time:06:45 AM

Posted 26 January 2022 - 12:58 PM

Yesterday at around 17:00, I noticed that the Qsync icon had turned red. At 19:30, I tried to log in to the QNAP with Chrome, and then saw the Deadbolt warning. At that point I didn't understand what had happened. After googling, I thought it was the eCh0raix ransomware and started looking for a way to deal with it. I powered off the NAS while reading the discussion and QNAP's solutions for eCh0raix.

I tried to power on the NAS, first updated the firmware from Qfinder, and was then a little surprised to log in to the NAS successfully.

But I didn't find any encrypted files after quickly browsing a few directories.

I followed QNAP's suggestions to enhance NAS security. However, when I needed to sign out and log in again, the Deadbolt warning showed up again and blocked the login. And there was a series of strange numbers after my NAS IP address. It looked like:

https://192.168.xx.xxx/?0.8785715476102108/

I powered off the NAS once again, and powered it on after a few minutes. I could log in to the NAS once Qfinder had found it.

I checked the directories, but still didn't find any encrypted files or photos. However, when I checked the running processes, I did see a process named "7zip...." appearing and disappearing in the list. I thought it might be the Deadbolt encryption Trojan.

With fear, I powered off the NAS.

I tried to put all the pieces into a picture. The following is my analysis and guesses:

  • No doubt, my NAS has been attacked by Deadbolt.
  • My files have not yet been encrypted... why? Maybe the encryption Trojan still needs more time to crack the default admin password, or to start the encryption process?
  • Right after a restart, I can still log in to the NAS. Only if I sign out and log in again does the Deadbolt warning page show up, and the IP address gets strange numbers attached.
  • My guess is: after restarting the NAS, before the first login, the encryption Trojan has not yet been activated. But it is activated after I log in to the NAS.
  • Question is: is there any way to detect the Deadbolt Trojan and clean it up?

Today I powered on the NAS and logged in. I purchased a new McAfee license and tried to scan the whole space. However, nothing was found.

Now I keep the NAS powered off. Should I wait for QNAP or anybody to find a solution to clean up the Deadbolt Trojan?

Hope my sharing is helpful for diagnosing the problem and figuring out a solution.



#34 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 4,770 posts
  • Gender:Male
  • Location:USA
  • Local time:11:45 PM

Posted 26 January 2022 - 12:58 PM

Can anyone who paid and received a decryption key, PM me a few encrypted files and their key? Also, the index.html from your device.

Now I don't have the index.html file, but I have the key and encrypted files. I can send them tomorrow if you need.

Yes please. After looking at a few encrypted files on ID Ransomware, I may not need the index.html, but I just wanted to be sure of something with the file format.

I'm not familiar with QNAP SSH much, but does anyone see something similar to this command in the command history of the device?

/MNT/HDA_ROOT/<random> -e <config> /share

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#35 mrlanphear
  • Members
  • 2 posts
  • Local time:10:45 PM

Posted 26 January 2022 - 01:23 PM

They have decided to pay the ransom, so once I do that, hopefully it will begin to decrypt; either way, I will make sure to grab some more files for you to look at before and after. Hope it helps someone else; my customer unfortunately cannot wait, and all the snapshots and encryption on the QNAP drives are all affected. Nothing that I thought would help mitigate an issue like this was useful in protecting my customer. Never again QNAP, never again.

 

It would be very useful to see actual confirmation that payment restores file access.



#36 syu32
  • Banned Spammer
  • 5 posts
  • Local time:12:45 AM

Posted 26 January 2022 - 01:23 PM

Can anyone who has paid ransom and recovered files explain the next steps?  I am ready to make the payment but don't want to do it until I understand what will actually happen after I get the key.

 

- once you start the decryption process does everything get restored back to normal, or do you need to do anything else to ensure it's clean after files are restored?  

- I currently don't see the ransomware page when going to admin panel so how do I do the encryption without it?

 

TIA



#37 Grinler
    Lawrence Abrams
  • Topic Starter
  • Admin
  • 45,075 posts
  • Gender:Male
  • Location:USA
  • Local time:01:45 AM

Posted 26 January 2022 - 01:31 PM

Can anyone who paid and received a decryption key, PM me a few encrypted files and their key? Also, the index.html from your device.

 

The index.html file is located at /home/httpd/index.html. The original should have been renamed to a .bak extension.



#38 not_apexxxxx
  • Members
  • 5 posts
  • Local time:01:45 PM

Posted 26 January 2022 - 01:32 PM

Can anyone who has paid ransom and recovered files explain the next steps?  I am ready to make the payment but don't want to do it until I understand what will actually happen after I get the key.

 

- once you start the decryption process does everything get restored back to normal, or do you need to do anything else to ensure it's clean after files are restored?  

- I currently don't see the ransomware page when going to admin panel so how do I do the encryption without it?

 

TIA

1 - Yes, it's all back to normal, but I disabled internet access on the QNAP with a firewall rule and started copying files to a safe place; then I will do a factory reset to be on the safe side.

2 - Try to reboot.



#39 Grinler
    Lawrence Abrams
  • Topic Starter
  • Admin
  • 45,075 posts
  • Gender:Male
  • Location:USA
  • Local time:01:45 AM

Posted 26 January 2022 - 01:45 PM

First post updated with what we know about the ransomware so far.



#40 pati610
  • Members
  • 2 posts
  • Local time:07:45 AM

Posted 26 January 2022 - 02:22 PM

Hi all,

at least in my case I'm able to log in over the web interface if I use the exact full address, that is http://YOUR_QNAP_IP/8080/cgi-bin/index.cgi

This bypasses the deadbolt landing page.



#41 IamBComeDeath
  • Members
  • 4 posts
  • Gender:Male

Posted 26 January 2022 - 02:59 PM

The website is confusing as hell; I had my crypto buddies find it for me. I had to re-read this a few times to find the right page, but it actually shows how to do it. The key part I missed was: search for the address you paid TO (from the ransom note), then "Click on the top "Hash"" and search for the OP_RETURN.

In general, I paid and decryption went; can't post image

decryption in progress (processed 68560 files)

Additionally, I can give at least one datapoint that the crypto payment DID in fact result in a valid decryption code and the decryption script appears to have worked. I had to collaborate with some crypto gurus to figure out how to pull it up. It was DEFINITELY not straightforward. We waited quite some time for a second "transaction" to be posted in Coinbase, but it was more of a reply/response which had to be found using a bitcoin "explorer"?

Guys, would you please paste the bitcoin address where you paid the ransom to? I will most likely need to do that, but I would rather see what that second transaction with the decryption key looks like beforehand. Great thanks in advance.

I paid with www.binance.com; you need to be attentive to the withdrawal amount and amount received fields. The amount received should be 0.03; in total I paid 0.0305 BTC including the fee.

Link to the wallet I paid to:

https://www.blockchain.com/ru/btc/address/bc1qj5vz6sc7n90ylq393h9khsa8essryylj65fvdm

Click on the top "Hash" and look at the end of the page. (This is the code I used to decrypt my files.) PS. sorry for my English

Index 2

Pkscript
OP_RETURN 5f144b4c18e8794587b60c8f60c49372
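The "Pkscript" the explorer shows in posts #31 and #41 is the raw output script of a transaction, rendered as "OP_RETURN <hex>". As an added example (not code from this thread, from QNAP, or from any DeadBolt tool), the Python below decodes that raw script form so the carried bytes can be read and checked offline, and rejects anything that is not a single data push after OP_RETURN, so an ordinary payment output or a truncated copy is never mistaken for the carried value. The sample script is constructed around the hex value quoted in the post; the explorer URL and output index are not used.

```python
"""Decode the data carried by a Bitcoin OP_RETURN output script.

Added example; not from this thread or any QNAP/DeadBolt tool. The sample
script below is constructed from the hex value quoted in the post above.
"""

# Script opcodes that matter for a data-carrier output.
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E
PUSHDATA_WIDTH = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}

# Constructed sample: OP_RETURN, a direct push of 0x10 = 16 bytes, then the
# 16-byte payload. Explorers render this as "OP_RETURN 5f144b4c...".
SAMPLE_PAYLOAD_HEX = "5f144b4c18e8794587b60c8f60c49372"
SAMPLE_SCRIPT_HEX = "6a10" + SAMPLE_PAYLOAD_HEX


def decode_op_return(script_hex: str) -> bytes:
    """Return the bytes pushed after OP_RETURN in a raw scriptPubKey.

    Raises ValueError for anything that is not a single, well-formed data
    push after OP_RETURN, so a normal payment output (e.g. P2WPKH) or a
    truncated script is never mistaken for a carried payload.
    """
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN output with a data push")
    opcode = script[1]
    pos = 2
    if 1 <= opcode <= 75:
        # Opcodes 0x01..0x4b push that many following bytes directly.
        length = opcode
    elif opcode in PUSHDATA_WIDTH:
        # OP_PUSHDATA1/2/4: the byte count follows as a little-endian int.
        width = PUSHDATA_WIDTH[opcode]
        if pos + width > len(script):
            raise ValueError("truncated PUSHDATA length field")
        length = int.from_bytes(script[pos:pos + width], "little")
        pos += width
    else:
        raise ValueError(f"unexpected opcode 0x{opcode:02x} after OP_RETURN")
    payload = script[pos:pos + length]
    if len(payload) != length or pos + length != len(script):
        raise ValueError("push length does not match script length")
    return payload


def is_op_return_output(script_hex: str) -> bool:
    """True only if decode_op_return() accepts the script."""
    try:
        decode_op_return(script_hex)
        return True
    except ValueError:
        return False


def payload_from_asm_line(line: str) -> str:
    """Parse the 'OP_RETURN <hex>' line that explorers show under Pkscript."""
    parts = line.split()
    if len(parts) != 2 or parts[0] != "OP_RETURN":
        raise ValueError("not an OP_RETURN asm line")
    return bytes.fromhex(parts[1]).hex()  # validates hex and normalises case


if __name__ == "__main__":
    print(decode_op_return(SAMPLE_SCRIPT_HEX).hex())
    print(payload_from_asm_line("OP_RETURN " + SAMPLE_PAYLOAD_HEX))
```

Both the raw-hex and the rendered "OP_RETURN <hex>" forms are accepted because explorers differ in which one they display; whichever form is copied, the decoded bytes should match what the explorer shows under the output's Pkscript.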


#42 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 4,770 posts
  • Gender:Male
  • Location:USA
  • Local time:11:45 PM

Posted 26 January 2022 - 03:01 PM

@IAmComeDeath

 

Would you mind sending me a few encrypted files to analyze?




#43 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 4,770 posts
  • Gender:Male
  • Location:USA
  • Local time:11:45 PM

Posted 26 January 2022 - 03:29 PM

@all

 

Anyone have these files on their device? Seeing them referenced in the malware, but unsure what they are yet.

res/unlock_cgi.sh
res/qnap_persist.sh



#44 Shaytanabyad
  • Members
  • 1 posts
  • Local time:12:45 AM

Posted 26 January 2022 - 04:16 PM

Complete noob here so sorry...

 

My NAS starts up with the Deadbolt message. I removed the ethernet cable from the back of the device yesterday when I noticed it. I restarted the NAS and was able to log in to the admin account. But when I tried to reconnect, I once again got the Deadbolt message. I got scared and turned it off. Today, I turned it back on and was able to log into the admin account again and saw that about 9285 files were encrypted to .deadbolt. It happened very quickly, from 10:52AM to 12:28PM yesterday. I saw something about malware in the logs...

Warning 2022-01-25 12:56:17 admin 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed the detected malware: MR2104
Warning 2022-01-25 12:56:17 admin 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed malware. You must restart the NAS.
Warning 2022-01-25 12:56:17 admin 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Immediately update QTS and all applications to their latest versions and use stronger account passwords. Weak passwords make the system vulnerable to exploits and malware.

I keep searching for "deadbolt" in File Station and don't see where any more files have been encrypted. I'm hesitant to suggest it, but am I safe now? What can I do (besides keeping it unplugged) to keep it safe?

I have a box.com backup that was done a few days back and will use that to restore. I've since disabled the schedule so it won't overwrite the good backup with a bad one.

@Demonslay335 - I searched for both of those in File Station and didn't see them. Should I have searched for them another way? Again, noob so sorry.
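Several posts in this thread name concrete on-disk indicators: the replaced login page at /home/httpd/index.html with the original renamed to .bak (#37), the res/unlock_cgi.sh and res/qnap_persist.sh scripts referenced by the malware (#43), the .deadbolt extension, and the Malware Remover event-log lines quoted just above. As an added example (not code from this thread, from QNAP, or from any DeadBolt tool), the Python below walks a copy or mount of the NAS filesystem for those artefacts and parses log lines of the quoted shape into a timeline with the signature id. It assumes the filesystem is reachable under one root directory; the directory tree it builds for its own demo is constructed, and the sample log lines are the ones quoted in the post, plus one unrelated line to show it is ignored.

```python
"""Offline triage for the DeadBolt indicators mentioned in this thread.

Added example; not from this thread, QNAP or any DeadBolt tool. It walks a
copy (or mount) of the NAS filesystem for the artefacts the posts name and
parses QNAP Malware Remover log lines of the form quoted above.
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_EXT = ".deadbolt"                      # extension given to encrypted files
LANDING_PAGE = "home/httpd/index.html"        # replaced login page (from post #37)
LANDING_PAGE_BACKUP = "home/httpd/index.html.bak"
REFERENCED_SCRIPTS = {"unlock_cgi.sh", "qnap_persist.sh"}  # res/ scripts from post #43

# Shape of the QNAP event-log lines quoted in the post above.
LOG_LINE = re.compile(
    r"^(?P<level>\w+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<source>\S+)\s+Malware Remover\s+Malware Removal\s+"
    r"\[Malware Remover\]\s+(?P<message>.+)$"
)
SIGNATURE = re.compile(r"detected malware:\s*(\S+)")


def triage_tree(root):
    """Count .deadbolt files per top-level directory and look for the named artefacts."""
    findings = {
        "encrypted_files": 0,
        "encrypted_by_top_dir": Counter(),
        "landing_page_replaced": False,
        "referenced_scripts": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            if name.endswith(RANSOM_EXT):
                findings["encrypted_files"] += 1
                findings["encrypted_by_top_dir"][top] += 1
            if name in REFERENCED_SCRIPTS:   # location unknown, so match anywhere
                findings["referenced_scripts"].append(os.path.join(rel, name))
    # Both files present means the original page was moved aside and replaced.
    findings["landing_page_replaced"] = all(
        os.path.isfile(os.path.join(root, p)) for p in (LANDING_PAGE, LANDING_PAGE_BACKUP)
    )
    findings["encrypted_by_top_dir"] = dict(findings["encrypted_by_top_dir"])
    return findings


def parse_malware_remover_log(lines):
    """Return structured events (with the signature id, if present) from log lines."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        sig = SIGNATURE.search(event["message"])
        event["signature"] = sig.group(1) if sig else None
        events.append(event)
    return events


# Constructed sample log: two lines quoted in the post above plus one noise line.
SAMPLE_LOG = [
    "Warning 2022-01-25 12:56:17 admin 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed the detected malware: MR2104",
    "Warning 2022-01-25 12:56:17 admin 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed malware. You must restart the NAS.",
    "unrelated line that should be ignored",
]


def demo():
    """Build a constructed NAS-like tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        layout = [
            "share/Public/holiday.jpg.deadbolt",
            "share/Public/notes.txt.deadbolt",
            "share/Docs/report.docx.deadbolt",
            "share/Docs/README.txt",          # untouched file
            LANDING_PAGE, LANDING_PAGE_BACKUP,
            "mnt/HDA_ROOT/res/qnap_persist.sh",
        ]
        for p in layout:
            full = os.path.join(root, p)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return triage_tree(root)


if __name__ == "__main__":
    print(demo())
    for e in parse_malware_remover_log(SAMPLE_LOG):
        print(e["date"], e["time"], e["signature"], e["message"])
```

Running triage_tree against a read-only mount or an image of the device, rather than on the live NAS, keeps the evidence intact and avoids the login page that the replaced index.html serves; the per-directory counts also give the "about 9285 files" figure a breakdown by share, which is what a backup restore such as the one described above needs.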


#45 Tiddlywinks
  • Members
  • 3 posts
  • Local time:11:45 PM

Posted 26 January 2022 - 05:03 PM

Our IT team removed an executable named 199904, if we pay the ransom and receive a key do you think the key will still work with this file removed?  Thanks in advance for any help!
