Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

The innovative DeadBolt ransomware targets NAS devices that have a multitiered payment and extortion scheme as well as a flexible configuration and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims and offering multiple cryptocurrency payment options.

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

“Even though the vendor master decryption key did not work in DeadBolt’s campaigns, the concept of holding both the victim and the vendor’s ransom is an interesting approach,” according to the report. “It’s possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group.”

Fernando Mercês, the senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

“They also know about the internals of QNAP and Asustor,” he says. “Overall, it’s an impressive job from a technical standpoint.”

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

“It’s like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place,” he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware.”

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

“Suppose there’s no other way other than exposing the NAS on the Internet,” he says. “In that case, I’d recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example.”

Mercês notes that while it doesn’t seem effective, it’s interesting to see criminals trying to put some pressure on vendors to “fix the problem” for their customers.

“I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them,” he says. “It could be interesting if customers started pushing vendors to pay on their behalf, but that didn’t happen.”

In May, QNAP warned its NAS devices to be under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider noted that out of 130,000 QNAP NAS devices were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, the senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

“With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones,” she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction.”

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

“There are no social engineering or lateral movement techniques required to carry out their objectives,” Hoffman says. “The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks.” Read more:

You can also read this: Conti Leaks Reveal Ransomware Gang’s Interest in Firmware-based Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *