Ransomware group Deadbolt is targeting QNAP NAS devices. Here's what you need to know.
Background
In January 2022, a security researcher at Censys discovered that a new ransomware group, Deadbolt ransomware, had been targeting internet-connected QNAP Network Attached Storage (NAS) devices in an attempt to encrypt them.
Quick facts: what you need to know now
- After an initial flurry of activity in January against thousands of machines, there was far less activity in February. However, Deadbolt re-engaged with QNAP NAS servers in March and attacks are on the rise again.
- The majority of the devices identified by Censys were running the QNAP QTS Linux kernel version 5.10.60.
- QNAP forced an update for all NAS customers using the known targeted version and has been urging them to secure their devices.
Next Steps for QNAP NAS Customers:
- Do not expose the QNAP NAS device to the Internet.
- Consider alternative file hosting capabilities such as Microsoft OneDrive or Google Drive.
- If the NAS is required, configure myQNAPcloud Link to access files more securely.
- Check this article periodically over the next few weeks; we will update it as more information becomes available.
Resources
- Censys Blog Post: https://censys.io/deadbolt-ransomware-is-back/
- Malwarebytes Lab: https://blog.malwarebytes.com/ransomware/2022/01/qnap-update-stops-deadbolt-ransomware-annoys-some-users-starts-debate/
- QNAP: https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-update-qts-to-the-latest-available-version-fight-against-ransomware-together
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!