The DeadBolt ransomware family targets QNAP and Asustor network-attached storage (NAS) devices by deploying a tiered system for both vendors and their victims, and offering multiple cryptocurrency payment options.
These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis by Trend Micro this week.
The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor it targets, making it scalable and easily adaptable to new campaigns and vendors, researchers say.
Payment schemes allow either the victim to pay for a decryption key or the seller to pay for a master decryption key. This master key would theoretically work to decrypt the data of all victims; however, the report notes that less than 10% of DeadBolt victims actually paid the ransom.
“Even though the vendor master decryption key did not work in DeadBolt’s campaigns, the concept of ransoming both victim and vendors is an attractive approach,” according to the report. “It is possible that this approach will be used in future attacks, especially since this tactic requires little effort from a ransomware group.”
Fernando Mercês, Senior Threat Researcher at Trend Micro, points out that the actors have also created a functional and well-designed web application to manage ransom payments.
“They also know QNAP and Asustor internals,” he says. “Overall, it’s an impressive piece of work from a technical point of view.”
Mercês adds that ransomware actors typically target NAS devices due to a combination of factors: low security, high availability, high data value, modern hardware, and a common operating system (Linux).
“It’s like targeting Internet-connected Linux servers with all sorts of apps installed and no professional security in place,” he says. “In addition, these servers contain data of great value to the user. Sounds like the perfect target for ransomware.”
For organizations to protect against attacks targeting Internet-connected NAS devices, he says, they could use a VPN service, though setup might require some technical skill.
“Suppose there is no other way but to expose the NAS on the Internet,” he says. “In this case, I would recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and setting up a firewall in front of it to only allow the ports you want access. This can be done in a router, for example.”
Mercês notes that while this may not seem effective, it’s interesting to see criminals trying to pressure sellers to “fix the problem” for their customers.
“I think the criminals thought the sellers would be worried about their image in front of their customers and maybe pay to get free decryptors for each of them,” he says. “It might be interesting if customers started pushing suppliers to pay on their behalf, but that hasn’t happened.”
In May, QNAP warned that its NAS devices were being actively attacked by DeadBolt ransomware, and in January, a report by attack surface solution provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets , 4,988 services showed signs of a DeadBolt. infection.
Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is attractive for several reasons, including the fact that victims don’t need to contact threat actors at any time. .
“With most ransomware groups, victims have to negotiate with threat actors, who are often in different time zones,” she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty as the outcome could depend on the success of the interaction.”
However, she notes that from a technical standpoint, DeadBolt ransomware attacks are different from ransomware attacks that target many corporate devices, as initial access is gained by exploiting vulnerabilities in connected unpatched NAS devices. to internet.
“There’s no social engineering or lateral movement techniques needed to achieve their goals,” Hoffman says. “Threat actors don’t need a lot of time, tools, or money to carry out these opportunistic attacks.”