A ransomware gang known as DeadBolt has begun to target Network-Attached Storage (NAS) devices manufactured by QNAP, the Taiwanese corporation specializing in NAS devices used for file sharing, virtualization, storage, and surveillance apps. Specifically, DeadBolt is exploiting a zero-day vulnerability in the devices. The attacks were first discovered in late January 2022. As a result of the attacks, users’ files stored on QNAP devices are rendered inaccessible. Those files are appended with the telltale ‘.deadbolt’ extension, which is the basis for the ransomware’s name.
The DeadBolt Ransomware gang does not use a traditional ransom note, opting instead to hijack the login page for the QNAP device. When victims attempt to log in, they are greeted with a new screen displaying DeadBolt’s ransom demand. The ransom was set at 0.03 Bitcoin or approximately $1,100 as of early 2022. The DeadBolt hackers do not leave an email address in the ransom note. They choose to communicate solely through Bitcoin transactions made to a unique wallet address provided to each of their victims.
Should a victim make the mistake of actually paying the ransom, which we never recommend, they are expected to wait for the hackers to make a subsequent transaction. The details of that transaction are supposed to include the decryption key that should unlock the affected files. Victims should then enter the provided decryption key into the login screen of the compromised device.
DeadBolt has also attempted to do business directly with QNAP. In fact, the hackers have previously offered to share details about the zero-day vulnerability with QNAP for 5 BTC. Additionally, for the price of 50 BTC, or approximately $1.85 million as of early 2022, the hackers claimed they would provide a master decryption key to QNAP that allegedly should unlock the files of all affected users.
How Do I Survive a DeadBolt Ransomware Attack?
QNAP can potentially restore victims’ file access by providing a way for users to bypass DeadBolt’s login screen via the following web addresses, where nas_ip stands for the device’s IP address: http://nas_ip:8080/cgi-bin/index.cgi and https://nas_ip/cgi-bin/index.cgi. Additionally, victims should scan their devices with a reputable malware remediation tool to detect and remove the sinister DeadBolt Ransomware.
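To scope which files were affected, the ‘.deadbolt’ extension described above can serve as a marker when walking a mounted share. The following Python code is an added example, not part of the original article or any QNAP tooling; the function names, the grouping by top-level folder, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = ".deadbolt"  # extension the article says is appended to encrypted files


def scope_deadbolt(root):
    """Summarize files under root that carry the .deadbolt suffix."""
    per_folder, originals, intact = Counter(), [], 0
    first = last = None  # modification-time window of the marked files
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not name.lower().endswith(MARKER):
                intact += 1
                continue
            # Group by top-level folder (a share, in this assumed layout).
            per_folder[rel.split(os.sep)[0] if os.sep in rel else "."] += 1
            originals.append(rel[: -len(MARKER)])  # name before the suffix was added
            try:
                mtime = os.lstat(full).st_mtime
            except OSError:
                continue  # unreadable entry: counted, but no timestamp
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {"encrypted": len(originals), "intact": intact,
            "per_folder": dict(per_folder), "originals": sorted(originals),
            "window": (first, last)}


def build_sample(root):
    """Create a constructed sample tree (empty files) for demonstration."""
    for rel in ("Photos/a.jpg.deadbolt", "Photos/2021/b.png.deadbolt",
                "Docs/report.docx.deadbolt", "Docs/notes.txt", "readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stands in for a mounted share
        build_sample(tmp)
        report = scope_deadbolt(tmp)
        print(report["encrypted"], "encrypted,", report["intact"], "intact")
        print("per folder:", report["per_folder"])
        for ts in report["window"]:
            print(datetime.fromtimestamp(ts, timezone.utc).isoformat())
```

The list of original names and the modification-time window give a starting point for deciding which folders need attention first; run it against a read-only mount of the share rather than on the device's live volume.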