QNAP ransomware victims dealt double blow as firmware update hampers decryption

QNAP users affected by the DeadBolt ransomware incident last week have been dealt another blow as users report being unable to decrypt their files after paying the ransom because the company's controversial forced update removed the ransomware's binary.

Now available to download, Emsisoft's decryptor works only for victims who have paid the ransom but were unable to obtain an official decryptor from the ransomware operators before their network-attached storage (NAS) drive updated. The forced security update QNAP issued last week isolated the DeadBolt binary, making it inaccessible to users, yet that binary needs to be accessible to fully decrypt the victim's device.

"To make this abundantly clear: this will not get you around paying the ransom," said Fabian Wosar, Emsisoft CTO, on social media. "Victims will still need to provide the key. It is merely an alternative decryption tool if you can't use the mechanism provided by the threat actors due to QNAP forcing a firmware update."

Official QNAP support explained to users over the weekend that the forced update triggered QNAP's Malware Remover tool to "quarantine" the DeadBolt ransomware rather than deleting it. A support representative said users can contact the QNAP helpdesk team to remove the DeadBolt page block and use a decryptor key, should they obtain one, to begin the file decrypting process.

It is currently unconfirmed whether the Emsisoft decryptor can be used in the decryption process described by QNAP support; IT Pro has contacted both Emsisoft and QNAP for clarity.

QNAP users were last week controversially subjected to a forced firmware update after a DeadBolt ransomware incident targeted and crippled thousands of NAS drives. Users expressed anger towards the Taiwan-based hardware firm for forcing the update without their permission and some argued their devices were left weaker than they were before.

Users reported losing large amounts of data after being hit with DeadBolt, including high-profile podcast host and MIT research scientist Lex Fridman, who lost 50Tb of data after being handed a 0.3 Bitcoin ransom demand (roughly £8,100 at the time).

Explaining the fiasco

QNAP published a press release today explaining how and why the forced update was issued to all QNAP customers, adding that it still recommends not exposing NAS products to the internet.

The company explained that if the auto-update function for the 'Recommended Version' is enabled on a user's NAS drive, then the drive will automatically update to the firmware version QNAP believes to be the most secure.

Users originally expressed confusion as to why their product underwent an auto-update when they had not manually enabled the auto-update setting. QNAP support explained that the feature was disabled by default in firmware version 4.5.0 but enabled by default in firmware version 4.5.3, and users had assumed the setting would carry over unchanged after upgrading to the newer version.

"Recommended version does not apply to every update," said QNAP support. "So people did not realise recommended update was enabled on their NAS. But after DeadBolt, we released a recommended update to protect from DeadBolt. Because this update was set as a 'recommended version', NAS with 'recommended version' enabled updated.

"Having recommended version enabled by default did allow us to protect many NAS units. But if anyone does not want this feature, they can disable it."

The company added that it understood services could be interrupted during the update and that it is always looking to improve its products. Users can find further information in QNAP's official statement.

The chief points of contention were echoed in responses to today's announcement, with some users saying Universal Plug and Play (UPnP), a set of networking protocols that lets devices discover each other on a shared network, should be disabled by default. Disabling it prevents automatic port forwarding and, for the most part, shields the device from attacks such as the DeadBolt incident.

Others reiterated their concern that users were given no warning that an automatic update was coming. One further complaint, which QNAP said it would consider acting on, was that fixes should have been backported so they could be applied to users on both the 4.x and 5.x firmware versions.

Ransomware recap

QNAP released a security update on 27 January for the DeadBolt ransomware campaign it said had been "widely targeting" users' devices for a number of days. The update was automatically initiated for all QNAP customers, sparking fury in the community.

More than 3,000 NAS drives were successfully encrypted with DeadBolt ransomware, with ransom demands ranging from 0.3 Bitcoin to 50 Bitcoin for decryptor tools. Many individual and business users reported paying the ransom to restore access to their data at the time.

QNAP justified the forced update as a difficult but necessary decision to secure the majority of NAS products around the world, but users expressed anger towards the firm for issuing the automatic patch.

Many owners of NAS drives operate on older firmware versions for various reasons, and updating to newer, safer releases can be an arduous process given the highly individualised configurations running from user to user.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.