QNAP users are currently victims of the DeadBolt ransomware – I didn't have it in the blog, but within a week there were probably over 3,600 victims. The NAS manufacturer is now resorting to drastic measures and is trying to forcibly update the firmware of affected devices. However, this leads to malfunctions on some devices (iSCSI devices no longer work).
Attacks on QNAP systems
Within the last two weeks owners of QNAP NAS drives have become victims of various ransomware families. The advice was to make sure that the devices are not accessible via the Internet and that the firmware and the QNAP software used are up to date. The colleagues at Bleeping Computer also warned about a new wave of attacks in the article New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key.
The files of the encrypted devices are given the .deadbolt extension. The ransomware also replaces the regular HTML login page with a message asking for 0.03 Bitcoins worth about $1,100 to obtain a decryption key and recover data. The threat actor claims to use a zero-day vulnerability to hack QNAP devices and encrypt files with DeadBolt ransomware.
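A triage check built on the file-extension indicator described above (an added example, not code from this post, Bleeping Computer or QNAP): it walks a mounted copy of the NAS shares, counts files carrying the .deadbolt extension per top-level folder and reports the earliest modification time among them, which helps choose a backup or snapshot from before that point. The function names, the constructed sample tree and the reliance on the file mtime are assumptions.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

MARKER = ".deadbolt"  # extension the article says encrypted files receive

def triage(root):
    """Count .deadbolt files per top-level folder and note the earliest mtime."""
    shares = defaultdict(lambda: {"encrypted": 0, "other": 0, "first_mtime": None})
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        share = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            entry = shares[share]
            if not name.lower().endswith(MARKER):
                entry["other"] += 1
                continue
            entry["encrypted"] += 1
            # Assumption: mtime was updated when the file was rewritten.
            mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                entry["first_mtime"] = mtime
    return dict(shares)

def report(summary):
    lines = []
    for share, e in sorted(summary.items()):
        if e["encrypted"]:
            when = datetime.fromtimestamp(e["first_mtime"], timezone.utc).isoformat()
            lines.append(f"{share}: {e['encrypted']} encrypted, "
                         f"{e['other']} other, earliest mtime {when}")
    return lines

def run_sample():
    """Build a constructed tree (not real victim data) and triage it."""
    sample = {"Public/report.docx.deadbolt": 1643100000,
              "Public/photos/a.jpg.deadbolt": 1643090000,
              "Public/notes.txt": 1640000000, "Backup/db.sql": 1640000000}
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))
        return triage(root)

if __name__ == "__main__":
    print("\n".join(report(run_sample())))
```

Run triage() against a read-only mount or a copy of the shares rather than on the NAS itself, so the check does not alter timestamps or contents.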
QNAP force updates after ransomware infections
In the post QNAP force-installs update after DeadBolt ransomware hits 3,600 devices, Bleeping Computer reports that QNAP is taking more drastic steps after 3,600 QNAP units were encrypted by the DeadBolt ransomware (see also this tweet). QNAP is forcing a firmware update for all customer NAS units to version 18.104.22.1681, which is the latest firmware released on December 23, 2021.
QNAP owners and IT administrators told BleepingComputer that QNAP forced this firmware update on the devices even when automatic updates were disabled. This is not without consequences, as QNAP already states in the release notes that support for USB printers has been removed by the firmware. In addition, the description of the firmware changes lists some known issues.
And there is collateral damage: some owners noticed that iSCSI connections to the devices stopped working after the update. On reddit.com there is a post QNAP ISCSI Failed after update (FIX) where a user warns about problems.
Just thought I would give everyone a heads-up. A couple of our QNAPS lost ISCSI connection last night. After a day of tinkering and pulling our hair out we finally found it was because of the update.
It has not done it for all of the QNAPs we manage but we finally found the resolution.
In "Storage & Snapshots > ISCSI & Fiber Channel" right-click on your Alias (IQN) select "Modify > Network Portal" and select the adapter you utilize for ISCSI.
All fixed. I hope this helps someone.
All his iSCSI connections stopped working after the upgrade. However, this could be fixed via the settings as described above by reassigning the adapter. In response to numerous complaints about QNAP forcing a firmware update, a QNAP support representative replied that it was a decision to protect users from the current DeadBolt ransomware attacks.
"Qnap must let us know how and why they did this. People have so many different configurations on their machines, that may or may not function well on new updates. That Qnap needs to explain why the forced update was necessary and how they did it."
We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.
Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don't apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away.
I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.
In summary: QNAP is trying to increase protection against DeadBolt, and the Qlocker infections appear to have left their mark on the users as well. Currently, it is not clear to me how the firmware update from December 2021 is supposed to help. Is anyone affected by this forced update?