October 7, 2022
Yes, ransomware is still a thing. No, not all ransomware attacks unfold in the way you might expect. Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out…

Yes, ransomware is still a thing.

No, not all ransomware attacks unfold in the way you might expect.

Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.

Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.

The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-ike 30% of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.

That’s how most malware attacks happen, anyway.

But regular readers of Naked Security will know that some victims, notably home users and small business, end up getting blackmailed via their NAS, or networked attached storage devices.

Plug-and-play network storage

NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.

No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.

NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.

As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.

Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.

Crooks could not ony run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…

…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.

Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.

The infamous DEADBOLT ransomware

That’s exactly how the infamous DEADBOLT ransomware crooks operate.

They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.

(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)

By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousands dollars to “recover” your data.

After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:

In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.

In fact, you generally never get to interact with them using words at all.

If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.

The arrival of your bitcoins in their wallet serves as your “message” to them.

In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.

This “refund” is a payment that is worth $0, submitted simply as a way of including a bitcoin transaction comment.

That comment is encoded as 32 hexadecimal characters, which represent 16 raw bytes, or 128 bits – the length of the AES decryption key you will use to recover your data:

The DEADBOLT variant pictured above even included a built-in taunt to QNAP, offering to sell the company a “one size fits all decryption key” that would work on any affected device:

Presumably, the crooks above were hoping that QNAP would feel guilty enough about exposing its customers to a zero-day vulnerability that it would pony up BTC 50 (currently about $1,000,000 [2022-09-07T16:15Z]) to get everyone off the hook, instead of each victim paying up BTC 0.3 (about $6000 now) individually.

DEADBOLT rises again

QNAP has just reported that DEADBOLT is doing the rounds again, with the crooks now exploiting a vulnerability in a QNAP NAS feature called Photo Station.

QNAP has published a patch, and is understandably urging its customer to ensure they’ve updated.

What to do?

If you have a QNAP NAS product anywhere on your network, and you are using the Photo Station software component, you may be at risk.

QNAP’s advice is:

  • Get the patch. Via your web browser, login to the QNAP control panel on the device and choose Control Panel > System > Firmware Update > Live Update > Check for Update. Also update the apps on your NAS device using App Center > Install Updates > All.
  • Block port-forwarding in your router if you don’t need it. This helps to prevent traffic from the internet from “reaching through” your router in order to connect and log in to computers and servers inside your LAN.
  • Turn off Universal Plug and Play (uPnP) on your router and in your NAS options if you can. The primary function of uPnP is to make it easy for computers on your network to locate useful services such as NAS boxes, printers, and more. Unfortunately, uPnP often also makes it dangerously easy (or even automatic) for apps inside your network to open up access to users outside your network by mistake.
  • Read up QNAP’s specific advice on securing remote access to your NAS box if you really need to enable it. Learn how to restrict remote access only to carefully-designated users.

Source