![]() This ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors.The DeadBolt ransomware family targets QNAP and Asustor NAS devices.We also used pertinent data to check if any user or vendor paid ransom, and how much the ransomware actors made from these attacks. In this report, we investigate the reasons that the DeadBolt ransomware family is more problematic for its victims than other ransomware families that previously targeted NAS devices. ![]() And the never-before-seen volume of NAS devices that this ransomware family has infected in a short period has led us to an investigation of DeadBolt. NAS devices typically contain sensitive files for both personal users and organizations. But in reality, the locks that the crime group installed are not master-keyed locks, making it impossible for the apartment complex owner to open the locks with one master key. The group then informs the apartment complex owner that they can give the apartment complex owner a master key that would allow the owner to successfully unlock all the apartment doors for his tenants if he pays them a certain amount. Essentially, this means that if vendors pay any of the ransom amounts provided to them, they will not be able to get a master key to unlock all the files on behalf of affected users.Ĭonsider this example to understand this particular DeadBolt tactic: A crime group changes every lock in an entire apartment complex. However, based on our analysis, we did not find any evidence that it’s possible for the options provided to the vendor to work due to the way the files were encrypted. Our report detailed the ransomware families that cybercriminals used to target NAS devices, which include Qlocker, eCh0raix, and even bigger ransomware families such as REvil (aka Sodinokibi).ĭeadBolt is peculiar not only for the scale of its attacks but also for several advanced tactics and techniques that its malicious actors have implemented, such as giving multiple payment options, one for the user and two for the vendor. Earlier in 2022, we discussed the evolving landscape of attacks waged on the internet of things (IoT) and how cybercriminals have added NAS devices in their list of targeted devices. It’s interesting to note that the number of DeadBolt-infected devices is considerably high for a ransomware family that is exclusively targeting NAS devices. Most recently, on May 19,2022, QNAP released a product security update stating that internet-connected QNAP devices were once again been targeted by DeadBolt, this time aiming at NAS devices using QTS 4.3.6 and QTS 4.4.1. In March, DeadBolt attackers once again targeted QNAP devices according to Censys.io, the number of infections reached 1,146 by March 19, 2022. A few weeks later, ASUSTOR, another NAS devices and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an unknown number of its devices. 26, 2022, out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection. According to a report from attack surface solutions provider Censys.io, as of Jan. It was first seen targeting QNAP Systems, Inc. The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. ![]() By Stephen Hilt, Éireann Leverett, Fernando Mercês ![]()
0 Comments
Leave a Reply. |