IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

QNAP users angry after NAS drives are updated to combat DeadBolt ransomware

Concerns mount over the powers the NAS manufacturer has over users' products as users report non-consensual forced security updates

QNAP customers have expressed anger towards the company after it forced a security update on large numbers of its users' network-attached storage (NAS) drives.

The NAS manufacturer announced on Wednesday that DeadBolt ransomware was "widely targeting" QNAP drives and locking out users until they paid a fee in Bitcoin. Numerous users began reporting that they had fallen victim to the ransomware campaign earlier this week after losing access to files.

A query sent to internet-facing device scanner Censys revealed 3,687 devices have already been encrypted by DeadBolt. In response, QNAP took the controversial step to force-update every users' firmware to the latest version on Thursday.

"We are trying to increase protection against DeadBolt," said an official QNAP support spokesperson in response to one complaint. "If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.

"Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don't apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against DeadBolt and we hope they get applied right away.

"I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of DeadBolt and our desire to stop this attack as soon as possible that we did this."

QNAP's actions have been met with anger from the community. Some say users' NAS drives, many of which often have finely tuned and individualised configurations that break with certain updates, are just as vulnerable now as they were to DeadBolt if they didn't update to the latest, most secure firmware version.

"You may have had good intentions, but what you did was wrong," said one user in direct response. "You should have rolled out notifications for an emergency update or patch and let users decide.

"If users decide against the update and then get owned by Deadbolt, that is on them. By forcing the update, anyone who has lost data, as a result, is no better off than if Deadbolt had owned them, but worse you have opened QNAP up to legal liability for that loss."

Other users expressed concern over QNAP's ability to force a change on the hardware they own, without first asking permission. Users raised questions around what other powers QNAP has over users' NAS drives, and what the company can do with data stored on them.

For many, the only indication that an update was going to be applied was one short 'beep'. When users investigated what was happening, they found their drive in the middle of rebooting after downloading an update.

Despite the concern, many reports tell of positive experiences with the update, but given that NAS drives are notoriously laborious to update safely without compromising the intricate configurations users create for their individual environments, other users reported deliberately avoiding the update which was ultimately forced on them.

Timeline of .deadbolt attacks

On 10 January 2022, IT Pro reported QNAP's original security statement that it was aware of cyber attackers targeting its NAS drives with ransomware, urging users to update their firmware as soon as possible.

No details of the ransomware strain were reported at the time, nor was the scope of the attackers' targeting, but full details on how to secure drives from outside attacks were provided by the manufacturer.

On Tuesday 25 January 2022, individual and business users started reporting successful DeadBolt attacks with their files being replaced with DeadBolt versions of themselves. Among the victims was high-profile podcast host and MIT research scientist Lex Fridman, who provided screenshots of the messages displayed to users and ransom payments.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Users were asked for 0.3 Bitcoin (roughly £8,100) as a ransom demand. A separate message was also sent to QNAP itself, demanding a payment of 5 Bitcoin (roughly £136,500) for details of the supposed zero-day vulnerability used to exploit the NAS drives, or a total of 50 Bitcoin (roughly £1.3 million) for the universal decryptor and zero-day details.

"It makes me nauseous to say this, but this is real," said another user. "My first client just got hit. Files in File Station will have a .deadbolt extension on them. This client had a secure password, and 2 factor authentication set up. I have just reported this directly. I was expecting to have a nice week this week. I guess that won't be the case for me."

On Wednesday 26 January, QNAP release an official security statement urging users to update their devices and "fight ransomware together". The following day, reports started emerging of forced security updates.

A NASty trend

The targeting of QNAP's NAS drives is the latest episode in a recent trend of cyber attackers targeting internet-facing storage devices. In June 2021, Western Digital customers were similarly targeted with data-wiping malware.

Affected devices hadn't received security updates since 2015, at the time of the attack, with some users reporting total factory resets of their devices and others losing terabytes of data, IT Pro reported.

In response, Western Digital made the unorthodox recommendation to users that they simply unplug their storage devices to prevent from further malware attacks.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

QNAP NAS drives targeted by DeadBolt ransomware for the third time this year
ransomware

QNAP NAS drives targeted by DeadBolt ransomware for the third time this year

20 May 2022
Qnap TS-1264U-RP review: Space to spare
network attached storage (NAS)

Qnap TS-1264U-RP review: Space to spare

4 May 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
QNAP ransomware victims dealt double blow as firmware update hampers decryption
network attached storage (NAS)

QNAP ransomware victims dealt double blow as firmware update hampers decryption

1 Feb 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022