Network-attached storage (NAS) devices made by QNAP are being targeted in new attack campaigns involving DeadBolt and eCh0raix ransomware.
For more than half a year, QNAP NAS devices have been targeted in several DeadBolt ransomware campaigns in which the attackers hijack a vulnerable device’s login page to display a ransom note, and also encrypt the files on the device, appending the .deadbolt extension to them.
In January 2022, the attackers were demanding a payment of 0.03 bitcoin from their victims in exchange for the decryption key.
Furthermore, they were asking for a 5 bitcoin payment in exchange for information on a zero-day in QNAP’s NAS devices that they were allegedly exploiting for initial access, and 50 bitcoin for a master key for the ransomware and full details on the vulnerability.
Following the January wave of DeadBolt attacks, security researchers observed a new campaign in March, one month after the ransomware was seen targeting NAS appliances made by Asustor. Another series of DeadBolt attacks on QNAP appliances was seen in May.
Last week, QNAP published an advisory to warn of a new DeadBolt ransomware campaign that has been targeting NAS devices running outdated versions of QTS 4.x.
QNAP said it was still investigating the attack and did not provide additional information, but the company urged users to update QTS or QuTS hero to the latest available version.
“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” QNAP told users.
Users who received a decryption key from the attackers and cannot locate the ransom note after the firmware upgrade are advised to contact QNAP Support for assistance.
According to BleepingComputer, DeadBolt is not the only ransomware family targeting internet-accessible and improperly protected QNAP devices at the moment, as many users have been complaining of eCh0raix ransomware attacks as well.
“QNAP devices are very attractive to cyber criminals whose strategy is to ask a large number of victims for a small amount of money (as opposed to few victims being asked for large amounts). The ~$900 asked for as ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved (and potentially face internal consequences for not having properly onboarded and secured the devices),” Bud Broomhead, CEO at IoT cyber hygiene firm Viakoo, said in an emailed comment.