The DeadBolt ransomware family targets QNAP and Asustor network-added storage (NAS) devices by deploying a multi-level scheme targeted at both the vendors and their victims, and offering multiple cryptocurrency payment options.
These factors differentiate DeadBolt from other families of NAS ransomware and could be more problematic for its victims, according to a report. Trend Micro analysis this week.
The ransomware uses a configuration file that will dynamically select specific settings based on the vendor it is targeting, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.
The payment schemes allow either the victim to pay for a decryption key, or for the seller to pay for a decryption key. This key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.
“Although the vendor’s master-decrypted key did not work in DeadBolt’s campaigns, the concept of redeeming the victim and the vendors is an interesting approach,” according to the report. “It is possible that this approach will be used in future attacks, especially since this tactic requires low effort from a group of ransomware.”
Fernando Mercês, a senior threat researcher at Trend Micro, points out that the actors have also created a functional, beautifully designed online app to deal with ransom payments.
“They also know about the interiors of QNAP and Asustor,” he says. “Overall, it’s an impressive job from a technical standpoint.”
Mercês adds that ransomware actors generally target NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware and a common OS (Linux).
“It’s like targeting online Linux servers with all sorts of applications installed and no professional security in place,” he says. “Additionally, these servers contain valuable data for the user. It sounds like the perfect target for ransomware.”
For organizations to protect against attacks targeting Internet NAS devices, he says, they could use a VPN service, although the configuration may require some technical skills.
“Assuming there is no other way than to expose the NAS on the Internet,” he says. “In that case, I would recommend using strong passwords, 2FA, disabling / uninstalling all unused services and apps, and setting up a firewall in front of it to allow only the ports you want to access. This can be done in a router, for example.”
Mercês notes that while it may not seem effective, it is interesting to see criminals trying to put some pressure on sellers to “solve the problem” for their customers.
“I think criminals thought the sellers would worry about their image in front of their customers and maybe pay to get free decoders for everyone,” he says. “It might be interesting if customers started pushing sellers to pay on their behalf, but that didn’t happen.”
In may QNAP warned
its NAS devices are under active attack by DeadBolt ransomware, and in January, a report by surface attack solution provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of DeadBolt infection.
Nicole Hoffman, a senior cyber-threat spy analyst at Digital Shadows, a provider of digital risk protection solutions, stresses that the operation of ransomware DeadBolt is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time. .
“With most ransomware groups, victims have to negotiate with the threat actors, who are often in different time zones,” she says. “These interactions can add significant time to the recovery and level of uncertainty because the outcome could depend on the success of the interaction.”
However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks, which target many enterprise devices because initial access is gained by exploiting vulnerabilities in unbranded Internet NAS devices.
“There are no social engineering or side-movement techniques needed to accomplish their goals,” Hoffman says. “The threat actors don’t need a lot of time, tools or money to make these opportunistic attacks.”