QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns

Network-attached storage (NAS) devices made by QNAP are being targeted in new attack campaigns involving DeadBolt and eCh0raix ransomware.

For more than half a year, QNAP NAS devices have been targeted in several DeadBolt ransomware campaigns in which the attackers hijack a vulnerable device’s login page to display a ransom note, and also encrypt the files on the device, appending the .deadbolt extension to them.

In January 2022, the attackers were demanding from their victims a 0.03 bitcoin payment in exchange for the decryption key.

Furthermore, they were asking for a 5 bitcoin payment in exchange for information on a zero-day in QNAP’s NAS devices that they were allegedly exploiting for initial access, and 50 bitcoin for a master key for the ransomware and full details on the vulnerability.

Following the January wave of DeadBolt attacks, security researchers observed a new campaign in March, one month after the ransomware was seen targeting NAS appliances made by Asustor. Another series of DeadBolt attacks on QNAP appliances was seen in May.

Last week, QNAP published an advisory to warn of a new DeadBolt ransomware campaign that has been targeting NAS devices running outdated versions of QTS 4.x.

QNAP said it was still investigating the attack and did not provide additional information, but the company urged users to update QTS or QuTS hero to the latest available version.

“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” QNAP told users.

Users who received a decryption key from the attackers and cannot locate the ransom note after the firmware upgrade are advised to contact QNAP Support for assistance.

According to BleepingComputer, DeadBolt is not the only ransomware family targeting internet-accessible and improperly protected QNAP devices at the moment, as many users have been complaining of eCh0raix ransomware attacks as well.

“QNAP devices are very attractive to cyber criminals whose strategy is to ask a large number of victims for a small amount of money (as opposed to few victims being asked for large amounts). The ~$900 asked for as ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved (and potentially face internal consequences for not having properly onboarded and secured the devices),” Bud Broomhead, CEO at IoT cyber hygiene firm Viakoo, said in an emailed comment.

Related: QNAP Patches Critical Vulnerability in Network Surveillance Products

Related: QNAP Says Recently Patched Flaw Exploited in Qlocker Ransomware Attacks

Related: QNAP Extends Security Updates for Some EOL Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
