Deadbolt, a ransomware variant that attacked QNAP storage in January, is back and infecting more of the drives, researchers revealed this week.
Deadbolt is a ransomware variant first identified in January. It targets network-attached storage (NAS) devices from QNAP, which run the company's own Linux distribution called QTS.
Rather than encrypting the whole drive, Deadbolt concentrates on encrypting backup drives and then hacks the device's web interface to deliver a ransomware message.
Infections peaked on January 26, according to cyber security company Censys, affecting almost 5,000 of the 130,000 QNAP devices in use. QNAP force updated its firmware in January to stop the infections.
This update reportedly caused side effects including broken iSCSI connections. It also removed the hacked interface, which stopped hacked users who had paid the ransom from decrypting the files. However, Censys said that it reduced the number of infected devices at the time to under 300.
The ransomware resurged on QNAP devices this month. Censys saw new infections beginning on March 16, when the number of infected devices stood at 373. Within three days, the number of infected devices had grown to 1,146.
While the attackers are using a different Bitcoin address for the latest ransom demand, the rest of the attack remains the same, Censys said. They are demanding 0.03 bitcoins (currently worth around $1,280).
RELATED RESOURCE
Identity is key to stopping these five cyber security attacks
Many attacks begin with the same weakness: user accounts
The attackers promise to deliver a decryption key in exchange for the ransom payment. They also make a separate offer to QNAP via the hacked web interface, offering it full details of the technical exploit that enabled the attack for five bitcoins ($213,300) or a master decryption key for 50 bitcoins ($2.13m).
This attack is unusual, in that aside from the hacked web interface, the attackers only communicate with the victims via bitcoin payments. They return the encryption key from a ransom payment in the OPRETURN field of a Bitcoin transaction.
QNAP drives have suffered attacks before, including infection by Dovecat crypto-mining malware and QSnatch, legacy malware which stopped administrators from applying security patches.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
