New malware targets QNAP NAS devices: the DeadBolt ransomware demands 50 BTC for the master key
DeadBolt ransomware is targeting QNAP NAS devices worldwide; its operators claim to hold a zero-day exploit that lets them encrypt the content of the infected devices.
Once it has encrypted the content of the device, the ransomware appends the .deadbolt extension to the names of the encrypted files and defaces the QNAP NAS login page to display the following message:
“WARNING: Your files have been locked by DeadBolt”
The hijacked QNAP login screen displays a ransom note demanding a payment of 0.03 BTC (roughly $1,017) in exchange for a decryption key to recover the files.
The operators claim a transparent process for delivering the decryption key directly on the Bitcoin blockchain: the key is said to be stored in the OP_RETURN field of a transaction made by the operators in response to the payment. Victims can retrieve it by monitoring the address to which they made the ransom payment.
After payment is made, the threat actors claim they will make a follow-up transaction to the same address that carries the decryption key (a 32-character string), which can be retrieved using the instructions provided by the operators.
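To make the claimed delivery mechanism concrete, the following is an added example (not code from the article or from the DeadBolt operators) that parses a raw, legacy-serialised Bitcoin transaction, keeps only transactions that pay back to the victim's payment address, and pulls the pushed data out of an OP_RETURN output. The transaction bytes, the 20-byte witness program standing in for the payment address, and the 32-byte "key" are all constructed for the example; deriving the scriptPubKey from a real bc1... address needs a bech32 decoder, which is out of scope here. Nothing in this code can tell whether the extracted string actually decrypts anything.

```python
"""Read an OP_RETURN payload out of a raw Bitcoin transaction.

Added example, not the article's or the operators' code. All transaction
data below is constructed for illustration.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw: bytes):
    """Return [(value_sat, scriptPubKey)] for a legacy-serialised (non-witness) tx.

    Inputs are skipped; only what is needed to reach the outputs is walked.
    A witness-serialised tx (marker 0x00, flag 0x01 after the version) is
    rejected rather than silently mis-read as having zero inputs.
    """
    pos = 4  # 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        raise ValueError("witness-serialised tx: strip the witness data first")
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                          # prev txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """Return the data pushed by an OP_RETURN script, or None if it is not one."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 0x4B:                        # direct push of `op` bytes
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    else:                                      # bare OP_RETURN or PUSHDATA4: not handled
        return None
    data = script[start:start + length]
    return data if len(data) == length else None


def find_key_for_payment(raw_txs, payment_spk: bytes, key_len: int = 32):
    """Return the first OP_RETURN payload of exactly `key_len` bytes found in a
    transaction that also pays to `payment_spk`, or None.

    `payment_spk` is the scriptPubKey of the address the ransom was paid to
    (assumed already known; bech32 decoding of a bc1 address is not shown).
    """
    for raw in raw_txs:
        outputs = parse_outputs(raw)
        if not any(spk == payment_spk for _, spk in outputs):
            continue                           # not a follow-up to our address
        for _, spk in outputs:
            payload = op_return_payload(spk)
            if payload is not None and len(payload) == key_len:
                return payload
    return None


# Constructed stand-ins: a P2WPKH scriptPubKey and a 32-byte "key".
PAYMENT_SPK = bytes.fromhex("0014" + "ab" * 20)
KEY = b"DEADBOLT-KEY-EXAMPLE-0123456789A"

# Constructed follow-up tx: output 0 pays 0.03 BTC back to PAYMENT_SPK,
# output 1 is OP_RETURN <32 bytes>.
FOLLOW_UP_TX = bytes.fromhex("".join([
    "02000000",                                  # version 2
    "01",                                        # one input
    "11" * 32, "00000000",                       # constructed prevout txid:vout
    "00", "ffffffff",                            # empty scriptSig, sequence
    "02",                                        # two outputs
    "c0c62d0000000000", "16", PAYMENT_SPK.hex(), # 3_000_000 sat, 22-byte P2WPKH
    "0000000000000000", "22", "6a20", KEY.hex(), # 0 sat, 34-byte OP_RETURN script
    "00000000",                                  # locktime
]))

if __name__ == "__main__":
    key = find_key_for_payment([FOLLOW_UP_TX], PAYMENT_SPK)
    print(key.decode() if key else "no key found")
```

In practice the victim would fetch every transaction that touches the payment address from a node or block explorer and feed the raw hex of each into `find_key_for_payment`; filtering on the payment scriptPubKey matters because anyone can write arbitrary data into OP_RETURN, so a payload alone proves nothing about who sent it.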
At this time there is no confirmation that paying a ransom will allow the victims to decrypt their files.
QNAP continues to be a favored target for cybercriminals: a new wave of Qlocker ransomware was recently observed targeting QNAP NAS devices worldwide, and in December 2021 another wave of ech0raix ransomware attacks started targeting QNAP network-attached storage (NAS) devices.
The ransom note also includes a link titled “important message for QNAP,” which points to a page offering the technical details of the alleged zero-day vulnerability in QNAP NAS devices for 5 BTC (approximately $184,000).
The operators are also offering QNAP the master decryption key for 50 BTC, which would allow all victims of this ransomware family to decrypt their files.
“Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” reads the message, as reported by BleepingComputer.
“You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to email@example.com.”
(SecurityAffairs – hacking, DeadBolt ransomware)