QNAP users angry after NAS drives are updated to combat DeadBolt ransomware
Concerns mount over the powers the NAS manufacturer has over users' products as users report non-consensual forced security updates
QNAP customers have expressed anger towards the company after it forced a security update on large numbers of its users' network-attached storage (NAS) drives.
The NAS manufacturer announced on Wednesday that DeadBolt ransomware was "widely targeting" QNAP drives and locking out users until they paid a fee in Bitcoin. Numerous users began reporting that they had fallen victim to the ransomware campaign earlier this week after losing access to files.
A query sent to internet-facing device scanner Censys revealed 3,687 devices have already been encrypted by DeadBolt. In response, QNAP took the controversial step of force-updating every user's firmware to the latest version on Thursday.
"We are trying to increase protection against DeadBolt," said an official QNAP support spokesperson in response to one complaint. "If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.
"Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don't apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against DeadBolt and we hope they get applied right away.
"I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of DeadBolt and our desire to stop this attack as soon as possible that we did this."
QNAP's actions have been met with anger from the community. Some say users' NAS drives, many of which often have finely tuned and individualised configurations that break with certain updates, are just as vulnerable now as they were to DeadBolt if they didn't update to the latest, most secure firmware version.
"You may have had good intentions, but what you did was wrong," said one user in direct response. "You should have rolled out notifications for an emergency update or patch and let users decide.
"If users decide against the update and then get owned by Deadbolt, that is on them. By forcing the update, anyone who has lost data, as a result, is no better off than if Deadbolt had owned them, but worse you have opened QNAP up to legal liability for that loss."
Other users expressed concern over QNAP's ability to force a change on the hardware they own, without first asking permission. Users raised questions around what other powers QNAP has over users' NAS drives, and what the company can do with data stored on them.
For many, the only indication that an update was going to be applied was one short 'beep'. When users investigated what was happening, they found their drive in the middle of rebooting after downloading an update.
Despite the concern, many reports tell of positive experiences with the update, but given that NAS drives are notoriously laborious to update safely without compromising the intricate configurations users create for their individual environments, other users reported deliberately avoiding the update which was ultimately forced on them.
Timeline of .deadbolt attacks
On 10 January 2022, IT Pro reported QNAP's original security statement that it was aware of cyber attackers targeting its NAS drives with ransomware, urging users to update their firmware as soon as possible.
No details of the ransomware strain were reported at the time, nor was the scope of the attackers' targeting, but full details on how to secure drives from outside attacks were provided by the manufacturer.
On Tuesday 25 January 2022, individual and business users started reporting successful DeadBolt attacks with their files being replaced with DeadBolt versions of themselves. Among the victims was high-profile podcast host and MIT research scientist Lex Fridman, who provided screenshots of the messages displayed to users and ransom payments.
Users were asked for 0.3 Bitcoin (roughly £8,100) as a ransom demand. A separate message was also sent to QNAP itself, demanding a payment of 5 Bitcoin (roughly £136,500) for details of the supposed zero-day vulnerability used to exploit the NAS drives, or a total of 50 Bitcoin (roughly £1.3 million) for the universal decryptor and zero-day details.
"It makes me nauseous to say this, but this is real," said another user. "My first client just got hit. Files in File Station will have a .deadbolt extension on them. This client had a secure password, and 2 factor authentication set up. I have just reported this directly. I was expecting to have a nice week this week. I guess that won't be the case for me."
On Wednesday 26 January, QNAP released an official security statement urging users to update their devices and "fight ransomware together". The following day, reports started emerging of forced security updates.
A NASty trend
The targeting of QNAP's NAS drives is the latest episode in a recent trend of cyber attackers targeting internet-facing storage devices. In June 2021, Western Digital customers were similarly targeted with data-wiping malware.
Affected devices hadn't received security updates since 2015 at the time of the attack, with some users reporting total factory resets of their devices and others losing terabytes of data, IT Pro reported.
In response, Western Digital made the unorthodox recommendation to users that they simply unplug their storage devices to prevent further malware attacks.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.