The DeadBolt ransomware family targets QNAP and Asustor Network-Attached Storage (NAS) devices by implementing a multi-layered scheme targeting both the vendors and their victims, and offering multiple cryptocurrency payment options.
These factors make DeadBolt different from other NAS ransomware families, according to a Trend Micro analysis published this week.
The ransomware uses a configuration file that dynamically chooses specific settings based on the vendor it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.
The payment schemes allow the victim to pay for a decryption key or the merchant can pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes that less than 10% of DeadBolt victims actually paid the ransom.
“While the vendor’s master decryption key didn’t work in DeadBolt’s campaigns, the concept of paying both victim and vendors a ransom is an interesting approach,” the report said. “It is possible that this approach will be used in future attacks, especially since this tactic requires little effort from a ransomware group.”
Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, beautifully designed web app to handle ransom payments.
“They also know about the internal parts of QNAP and Asustor,” he says. “All in all, it’s an impressive job from a technical point of view.”
Mercês adds that ransomware actors generally target NAS devices due to a combination of factors: low security, high availability, high data value, modern hardware and common operating system (Linux).
“It’s like targeting Internet-facing Linux servers with all kinds of applications installed and without professional security,” he says. “Moreover, these servers contain valuable data for the user. It sounds like the perfect target for ransomware.”
To protect organizations from attacks against Internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require some technical skills.
“Suppose there is no other way than to expose the NAS to the Internet,” he says. “In that case, I recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall for them to allow only the ports you want access to. This can be done in a router, for example.”
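One practical way to act on the "disable unused services, allow only the ports you want" advice above is to audit what a Linux-based NAS is actually listening on before exposing it. The script below is an added example, not code from the article, Trend Micro or either NAS vendor: it parses the output of `ss -tlnp`, ignores loopback-only services, and reports every externally reachable listener that is not on the administrator's allowlist. The sample `ss` output, the process names and the allowlist ports are constructed for illustration.

```python
"""Audit listening TCP services on a Linux-based NAS against an allowlist.

Added example (not from the article or Trend Micro). It parses `ss -tlnp`
output and flags listeners reachable from outside the host that are not on
the list of ports the administrator intends to expose. Replace the constructed
sample below with `subprocess.run(["ss", "-tlnp"], ...)` output on a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output from a hypothetical NAS.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=990,fd=31))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mariadbd",pid=1301,fd=21))
LISTEN  0       128     [::]:8080            [::]:*             users:(("php-fpm",pid=1410,fd=9))
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1502,fd=4))
"""

# Ports the administrator deliberately exposes (constructed: SSH and HTTPS only).
ALLOWED_PORTS = {22, 443}

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    def is_externally_reachable(self) -> bool:
        """Anything not bound to loopback can be reached from the network."""
        return self.address not in LOOPBACK_ADDRESSES


# One `ss` row: state, queues, local addr:port, peer addr:port, process column.
_LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
# Extracts the first process name from users:(("name",pid=...,fd=...)).
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_output(text: str) -> list[Listener]:
    """Turn raw `ss -tlnp` text into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if not match:
            continue
        address, port, rest = match.groups()
        proc = _PROC_RE.search(rest)
        listeners.append(Listener(address, int(port), proc.group(1) if proc else "?"))
    return listeners


def find_unexpected_listeners(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Externally reachable services whose port is not on the allowlist."""
    return [l for l in listeners if l.is_externally_reachable() and l.port not in allowed_ports]


def audit_report(text: str, allowed_ports: set[int]) -> list[str]:
    """Human-readable findings, one line per unexpected exposed service."""
    findings = find_unexpected_listeners(parse_ss_output(text), allowed_ports)
    return [f"{l.process} listening on {l.address}:{l.port} is not on the allowlist"
            for l in sorted(findings, key=lambda l: l.port)]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(line)
```

Each reported line is a candidate for either disabling the service on the NAS or blocking its port at the router, as Mercês suggests; the loopback-only database listener is deliberately left out of the findings because it is not reachable from the Internet.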
Mercês notes that while it seems ineffective, it’s interesting to see criminals trying to pressure suppliers to “fix the problem” for their customers.
“I think criminals thought the vendors would worry about their image in front of their customers and maybe pay to get free decryptors for all of them,” he says. “It could be interesting if customers start pushing merchants to pay on their behalf, but that hasn’t happened.”
In May, QNAP warned that its NAS devices were under active attack by DeadBolt ransomware, and a January report from attack surface solutions provider censys.io noted that of QNAP’s 130,000 NAS devices that were potential targets, 4,988 services showed signs of DeadBolt infection.
Nicole Hoffman, senior cyberthreat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.
“Most ransomware groups require victims to negotiate with the threat actors, who are often in different time zones,” she says. “These interactions can add a significant amount of time to the recovery process and add a degree of uncertainty, as the outcome may depend on the success of the interaction.”
She notes, however, that DeadBolt ransomware attacks are technically different from ransomware attacks targeting many enterprise devices, in that the first access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.
“No social engineering or lateral movement techniques are needed to achieve their goals,” Hoffman says. “Threat actors do not need a lot of time, tools or money to carry out these opportunistic attacks.”