DeadBolt ransomware attacks Qnap NAS devices and demands 50 BTC for master key
Security researchers and Qnap engineers have warned about the emergence of a new DeadBolt ransomware that attacks Qnap NAS. According to the hackers themselves, the DeadBolt malware encrypts devices using a 0-day vulnerability.
Bliepende rekenaar reports that the attacks began on January 25, when owners of Qnap devices began to discover that their files were encrypted and their file names were suffixed with .deadbolt. The media source is aware of at least 15 victims of the new malware. Instead of a ransom note, which is usually placed in every folder on the device, the message of the hackers is placed right on the login page, as shown below.
The victim is informed that it is necessary to transfer 0.03 bitcoin (approximately $1,100) to a specific bitcoin address that is unique to each victim. After the payment, the attackers inform that they will make a return transaction to the same address, which will include a key to decrypt the data.
Journalists emphasize that at present there is no evidence that the payment of the ransom will generally lead to the receipt of the key, and users will be able to decrypt their files.
Interestingly, the ransom note has a separate link titled “Important message for Qnap”, which, when clicked, displays a message to the developers. The authors of the DeadBolt malware write that they are ready to disclose all details of the zero-day vulnerability they exploit if the company pays them 5 bitcoins (approximately $184,000). They also report that they are ready to sell a master key that will help decrypt the files of all victims, and information about 0-day for 50 bitcoins, dit wil sê, for almost 1.85 million US dollars.
Ransomware operators argue that they can only be contacted through bitcoin payments.
Qnap developers have already confirmed information about DeadBolt attacks. The company warns users:
Let me remind you that we wrote that The FBI linked the Diavol ransomware to the authors of the TrickBot malware, and also that Khonsari ransomware attacks Minecraft servers.