QNAP devices hit by DeadBolt ransomware again

QNAP devices have been hit by DeadBolt ransomware for at least the second time in less than six months.

In January, QNAP warned users that a new ransomware strain was widely targeting its network-attached storage (NAS) devices using an alleged zero-day vulnerability. DeadBolt was encrypting users' data and demanding bitcoin payments in ongoing attacks on QNAP devices. Now, it's back for more.

The Taiwanese hardware vendor issued a statement Thursday that confirmed an investigation was underway regarding a new series of attacks. Once again, DeadBolt ransomware targeted NAS devices, which is particularly dangerous due to the devices' constant internet access.

In Thursday's security advisory, QNAP urged customers to take immediate actions to secure the hardware.

"According to the investigation by the QNAP Product Security Incident Response Team ... the affected models were mainly TS-x51 series and TS-x53 series," the advisory said. "QNAP urges all NAS users to check and update QTS [QNAP's NAS OS] to the latest version as soon as possible, and avoid exposing their NAS to the Internet."

It's unclear if DeadBolt ransomware actors were exploiting specific vulnerabilities. The QNAP advisory made no mention of any vulnerabilities or CVEs. QNAP did not respond to SearchSecurity's request for comment at press time.

UPDATE 5/20: A QNAP spokesperson sent the following statement to SearchSecurity: "Currently, there is no evidence showing DeadBolt exploited a vulnerability with a specific CVE ID. The observed infected devices are from 4.3.3 to 4.4.1. We recommend users update their QTS up-to-date so that the risk could be mitigated."

The spokesperson also said that in the recent DeadBolt attacks, some victims have lost their ransom notes after rebooting their NAs devices. "We advise users to take the screenshot before they wanted to reboot or upgrade their NAS," the spokesperson said.

Palo Alto Networks' Unit 42 addressed the newest wave of DeadBolt attacks on Twitter Monday and estimated they began on May 13. While the vendor believed the same ransomware master key from the previous QNAP attacks was used, it also noted differences.

"Unit 42 is observing a new wave of attacks of the Deadbolt #ransomware targeting QNAP NAS devices involving a new lock screen with updated JavaScript. Cortex Xpanse discovered ~3000 instances of infected devices," Unit 42 said in a tweet.

In March, security vendor Censys discovered that more than 1,000 QNAP QTS devices had been infected by DeadBolt ransomware. While it is unclear if this was an entirely new attack or fallout from January, Censys did uncover similarities. The ransom demand for individual victims remained unchanged at around $1,000, and the ransom for QNAP, which would have given the vendor the master encryption key, clocked in at more than $2 million.

"At this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it's the original exploit targeting unpatched QNAP devices," Censys wrote in a blog.

In a FAQ post updated on March 28, QNAP said it believed the attack was related to January, though it doesn't appear entirely clear.

The latest attacks on QNAP devices highlight an ongoing patching problem, if that many exposed instances remained, which represents the urgency to update following the latest attack.

A recent joint cybersecurity advisory from U.S. and other government agencies warned enterprises of the most common mistakes and security weaknesses that allow attackers to gain initial access inside a network. They included misconfigured services that are exposed to the public internet, as well as open ports and out-of-date software.

QNAP recommended that users disable port forwarding to stop exposing NAS devices to the internet.

DeadBolt activity first surfaced in January during the attack against QNAP, which appears to be the only reported target.