QNAP ransomware victims dealt double blow as firmware update hampers decryption
Emsisoft releases decryptor for victims while QNAP explains why and how it controversially auto-updated users’ products


QNAP users affected by the DeadBolt ransomware incident last week have been dealt another blow as users report being unable to decrypt their files after paying the ransom because the company's controversial forced update removed the ransomware's binary.
Now available to download, Emsisoft’s decryptor works only for victims who have paid the ransom but were unable to acquire an official decryptor from the ransomware operators before their network-attached storage (NAS) drive updated. The forced security update QNAP issued last week isolated the DeadBolt binary, making it inaccessible to users, but the binary needs to be accessible to fully decrypt the victim’s device.
"To make this abundantly clear: this will not get you around paying the ransom," said Fabian Wosar, Emsisoft CTO, on social media. "Victims will still need to provide the key. It is merely an alternative decryption tool if you can't use the mechanism provided by the threat actors due to QNAP forcing a firmware update."
Official QNAP support explained to users over the weekend that the forced update triggered QNAP's Malware Remover tool to "quarantine" the DeadBolt ransomware rather than deleting it. A support representative said users can contact the QNAP helpdesk team to remove the DeadBolt page block and use a decryptor key, should they obtain one, to begin the file decrypting process.
It's currently unconfirmed if the Emsisoft decryptor can be used in the decryption process described by QNAP support, but IT Pro has contacted both Emsisoft and QNAP for clarity.
QNAP users were last week controversially subjected to a forced firmware update after a DeadBolt ransomware incident targeted and crippled thousands of NAS drives. Users expressed anger towards the Taiwan-based hardware firm for forcing the update without their permission and some argued their devices were left weaker than they were before.
Users reported losing large amounts of data after being hit with DeadBolt, including high-profile podcast host and MIT research scientist Lex Fridman, who lost 50Tb of data after being handed a 0.3 Bitcoin ransom demand (roughly £8,100 at the time).
Explaining the fiasco
QNAP published a press release today explaining how and why the forced update was issued to all QNAP customers, adding that it still recommends not exposing NAS products to the internet.
The company explained that if the auto-update function for the 'Recommended Version' is enabled on a user's NAS drive, then the drive will automatically update to the firmware version QNAP believes to be the most secure.
Users originally expressed confusion as to why their product underwent an auto-update, having not manually enabled the auto-update setting. QNAP support explained that with firmware version 4.5.0 the feature was disabled by default, but it was enabled in firmware version 4.5.3, while users thought the setting would transfer unchanged after upgrading to the newer version.
"Recommended version does not apply to every update," said QNAP support. "So people did not realise recommended update was enabled on their NAS. But after Deadbolt, we released a recommended update to protect from deadbolt. Because this update was set as a "recommended version", NAS with "recommended version" enabled updated.
"Having recommended version enabled by default did allow us to protect many NAS units. But if anyone does not want this feature, they can disable it."
The company added that it understood services could be interrupted during the update and that it is always looking to improve its products. Users can find further information in QNAP's official statement.
Chief points of contention were echoed in response to today's announcement, with some users saying Universal Plug and Play (UPnP), a set of networking protocols that allows devices to discover others on a shared network, should be disabled by default. Disabling UPnP would turn off automatic port forwarding and secure the device, for the most part, from attacks such as the DeadBolt incident.
Others reiterated their concern that users were given no warning that an automatic update was coming. One complaint, which QNAP said it would consider acting on, was that fixes should have been backported so they could have been applied to users on both firmware versions 4.x and 5.x.
Ransomware recap
QNAP released a security update on 27 January for the DeadBolt ransomware campaign it said had been "widely targeting" users' devices for a number of days. This was automatically initiated for all QNAP customers, sparking fury in the community.
More than 3,000 NAS drives were successfully encrypted with DeadBolt ransomware, with ransom demands ranging from 0.3 Bitcoin to 50 Bitcoin for decryptor tools. Many individual and business users reported paying the ransom to restore access to their data at the time.
QNAP justified the forced update as a difficult but necessary decision to secure the majority of NAS products around the world, but users expressed anger towards the firm for issuing the automatic patch.
Many owners of NAS drives operate on older firmware versions for various reasons, and updating to newer, safer releases can be an arduous process given how highly individualised configurations are from user to user.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.