If you own an Asustor NAS and are reading this – CHECK IT NOW
Original Article – As of around an hour ago, multiple users online are reporting that their Asustor NAS systems have been attacked by ransomware known as Deadbolt. Much like the Deadbolt attack on QNAP NAS systems, this is a remote command-push encryption attack: it abuses a vulnerability in the system software to make the NAS encrypt the data it holds. The twist in this round is that the normal login GUI is replaced by a new splash screen demanding 0.03 BTC.
Updated 24/02 09:45 GMT
Asustor has just released a firmware update for its ADM 4 systems (HERE), aimed at users who have not been hit by the Deadbolt ransomware attack and who have been keeping their systems offline and/or powered down until the security issue/vulnerability was identified and neutralised. Here are the Asustor details on this:
An emergency update to ADM is provided in response to Deadbolt ransomware affecting ASUSTOR devices. ASUSTOR urges all users to install the latest version of ADM as soon as possible to protect themselves and minimize the risk of a Deadbolt infection. ASUSTOR also recommends taking measures to guard against the potential harms of Deadbolt in accordance with the previously announced protective measures. Please review the measures below to help increase the security of your data on your ASUSTOR NAS.
- Change your password.
- Use a strong password.
- Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
- Change web server ports. Default ports are 80 and 443.
- Turn off Terminal/SSH and SFTP services and other services you do not use.
- Make regular backups and ensure backups are up to date.
In response to increasing numbers of ransomware attacks, ASUSTOR has committed to an internal review of company policies to regain customer trust. This includes, but is not limited to increased monitoring of potential security risks and strengthening software and network defenses. ASUSTOR takes security very seriously and apologizes for any inconvenience caused.
Updated 23/02 21:03 GMT
Much like the Deadbolt attack on QNAP devices earlier in 2022, the replaced index GUI on affected NAS units carries an offer from the Deadbolt team to sell ASUSTOR details of the zero-day vulnerability used to breach the devices, together with a master decryption key that would let all affected users get their data back. The Deadbolt page includes a link titled “important message for ASUSTOR,” which displays a message from DeadBolt for the attention of ASUSTOR. The DeadBolt operators offer details of the vulnerability if ASUSTOR pays them 7.5 BTC (worth about $290,000 at the time), or the master decryption key for all victims plus the zero-day breakdown for 50 BTC (about $1.9 million). The ransomware operation states that there is no way to contact them other than making the bitcoin payment; once payment is made, they say they will send the information to the security@asustor.com email address.
Updated 06:50 GMT
Asustor has issued the following statement and recommendation for those who are (or believe they have been) affected by the Deadbolt ransomware:
In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to will be disabled as the issue is investigated. For your protection, we recommend the following measures:
Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.
For more detailed security measures, please refer to the following link below:
https://www.asustor.com/en-gb/online/College_topic?topic=353
If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.
https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform
Filling out the technical support form is likely to help the brand gauge the scale of the issue, and should also allow any recovery tools that become possible to be shared faster with those affected. Meanwhile, the culprit is looking increasingly like the EZ Connect Asustor remote-access service. This is further supported by the fact that the official Asustor ADM demo page has also been hit by the Deadbolt ransomware (now taken offline). Additionally, many users who powered down their device during the Deadbolt attack have, on rebooting their NAS, been greeted with a message in the Asustor Control Center application that their system needs to be ‘re-initialized’. The most likely reason is that the encryption process targets the core system files first, and if the system was powered off abruptly part-way through, those system files may have been left corrupted. We are currently investigating whether recovery by mounting a drive in a Linux machine is possible (in conjunction with file-recovery software such as PhotoRec).
If your Asustor NAS is in the process of being hit (or you merely suspect it, because the HDDs are busy at an unusual hour and the HDD LEDs are flickering), then it is recommended that you head into the process manager and check whether the Deadbolt encryption process is running. The following course of action was suggested by NAScompares commenter ‘Clinton Hall’:
My solution so far: log in via SSH as the root user
cd /volume0/usr/builtin
ls
you will see a 5-digit binary executable file. For me it was 22491. I use that in the following command to get the process ID
ps | grep 22491
from this I got the process ID 25624. I kill that process
kill 25624
I then remove the binary file
chattr -i 22491
rm -f 22491
Now, restore the index as above
cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
Now for the fun part…. a LOT of files had been renamed (not encrypted) to have .deadbolt appended to the end of the filename… So rename them back
(note, you may want to do this folder by folder and check it is working). The following will do for the entire /volume1
cd /volume1
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
After these are all renamed, everything should work. Probably a good idea to reboot to restart the services etc.
Also, I’m not sure if the above will definitely traverse the .@plugins etc… so I did this manually
cd /volume1/.@plugins
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
If you have not been hit, I would recommend that you action the following from within your Asustor NAS, or better yet (where possible) power the device down until an official statement and a possible firmware patch are issued.
- Disable EZ Connect
- Turn off automatic updates
- Disable SSH (if you do not need it for other services)
- Block all NAS ports at the router, and only allow connections from inside the network
Updated 19:30 GMT
More details are emerging and it looks like (at least judging by the messages on the official Asustor forum and Reddit) the vulnerability lies in EZConnect and has been exploited remotely (still TBC). User billsargent on the official Asustor forums has posted some useful insights into how to get around the login screen and also details on the processes:
Take your NAS OFF of ezconnect. Block its traffic incoming from outside.
This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index there.
To remove theirs, you need to chattr -i index.cgi and replace it with the backup.
But you’ll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.
This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi.
And:
I am assuming you have ssh capabilities? If so you just need to ssh in and login as root and run these commands. This should help you get back into the portal.
cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
If you look at the index.cgi they created before you delete it, it's a text script.
I am still in the investigative stages but nothing in my shares has been locked up with this yet. Just things in /root so far.
I’ve pulled out a ton of LTO tapes to backup my data. I think this is going to require a full reset. I hope asustor releases a fix for this but I will never again allow my NAS to have outside access again.
For clarification. This is what my /usr/webman/portal directories looked like. the .bak file is the original index.cgi.
I apologize if my posts seem jumbled up a bit. I’m trying to help and also figure this out as well. So I’m relaying things as I find them in hopes that others will be able to at least get back to their work.
Thank you to Asustor user billsargent for the above and full credit to him on this of course.
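Pulling the two posts above together, here is a single POSIX sh triage script that does what Clinton Hall and billsargent describe by hand: find the all-digits binary dropped in /volume0/usr/builtin and /tmp, kill its process and delete it (chattr -i first, since both report the files are immutable), restore index.cgi from the index.cgi.bak next to it, and strip the .deadbolt suffix. This is an added example written for this article; it is not Asustor's tooling and not either commenter's code. It assumes those paths, that only BusyBox sh/ps/find are present on ADM (so no bash-only ${var//pat/} substitutions), and that the rogue process shows its file name in the ps COMMAND column. The EVIDENCE_DIR location and all function names are my own choices. Unlike the one-liners above it keeps a copy of anything it deletes for later analysis and refuses to overwrite a file whose original name already exists.

```shell
#!/bin/sh
# Added example for this article: Deadbolt triage on Asustor ADM as described in
# the posts above. Not Asustor's or the commenters' code. Assumed: the paths
# below, BusyBox sh/ps/find (no bash), and that the dropped binary appears
# under its file name in the ps COMMAND column.

EVIDENCE_DIR=${EVIDENCE_DIR:-/root/deadbolt-evidence}   # assumed location

# Print regular files directly under DIR whose name consists only of digits
# (the commenters saw e.g. /volume0/usr/builtin/22491 and a similar file in /tmp).
find_numeric_binaries() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        case "${p##*/}" in
            *[!0-9]*) ;;                 # has a non-digit: not our file
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Keep a copy of FILE for later analysis before it is destroyed.
preserve_evidence() {
    mkdir -p "$EVIDENCE_DIR" && cp -p "$1" "$EVIDENCE_DIR/" 2>/dev/null || true
}

# Kill every process whose command column is BIN's file name (or a path ending
# in it), clear the immutable bit (the posts report chattr -i is required) and
# delete the file. Field $1 of ps is the PID; fields 2..NF are searched.
neutralise_binary() {
    bin=$1
    name=${bin##*/}
    preserve_evidence "$bin"
    for pid in $(ps 2>/dev/null | awk -v n="$name" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == n || substr($i, length($i) - length(n)) == "/" n) { print $1; break }
        }'); do
        if [ "$pid" != "$$" ]; then kill -9 "$pid" 2>/dev/null || true; fi
    done
    chattr -i "$bin" 2>/dev/null || true
    rm -f "$bin"
}

# Replace the ransom-note index.cgi with the backup the posts found next to it.
# Fails, leaving things alone, if there is no index.cgi.bak to restore from.
restore_portal_index() {
    portal=${1:-/usr/webman/portal}
    [ -f "$portal/index.cgi.bak" ] || { echo "no $portal/index.cgi.bak" >&2; return 1; }
    [ -f "$portal/index.cgi" ] && preserve_evidence "$portal/index.cgi"
    chattr -i "$portal/index.cgi" 2>/dev/null || true
    rm -f "$portal/index.cgi"
    cp -p "$portal/index.cgi.bak" "$portal/index.cgi"
}

# Count files under DIR still carrying the .deadbolt suffix (extent/progress check).
count_deadbolt_files() {
    find "$1" -type f -name '*.deadbolt' | wc -l | tr -d ' '
}

# Strip the .deadbolt suffix under DIR, recursing into dot-directories too.
# Uses ${f%.deadbolt} (POSIX) rather than the bash-only ${base//.deadbolt/}
# and never overwrites a file that already has the original name.
strip_deadbolt_suffix() {
    find "$1" -type f -name '*.deadbolt' -exec sh -c '
        for f; do
            orig=${f%.deadbolt}
            if [ -e "$orig" ]; then
                echo "skip: $orig already exists" >&2
            else
                mv -- "$f" "$orig"
            fi
        done' _ {} +
}

# Full run (as root over SSH, with the NAS already unplugged from the internet):
#   sh deadbolt_triage.sh --run
if [ "${1:-}" = "--run" ]; then
    for d in /volume0/usr/builtin /tmp; do
        for b in $(find_numeric_binaries "$d"); do
            echo "neutralising $b"; neutralise_binary "$b"
        done
    done
    restore_portal_index /usr/webman/portal
    echo "before: $(count_deadbolt_files /volume1) .deadbolt files"
    strip_deadbolt_suffix /volume1
    echo "after:  $(count_deadbolt_files /volume1) .deadbolt files"
fi
```

Without the --run flag the file only defines functions, so you can source it and run the pieces one at a time. Note that find descends into dot-directories such as /volume1/.@plugins by default, so a separate pass there is not needed, and that renaming only helps files the ransomware renamed without encrypting: a file whose contents were actually encrypted is just as unreadable under its old name.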
(Continuing with the Original Article from 21/02 17:30 GMT)
Although it is still very early in this encryption attack, reports are slowly starting to emerge on forums right now, as well as on Twitter; see below:
Oh no!! My home ASUSTOR NAS has been attacked by ransomware called DEADBOLT! I had seen that it had recently been getting into QNAP NAS units, but I never thought my own NAS would get hit…
It’s a small mercy that I hadn’t put really important data on it, but losing about 700GB of data is a shock. Anyone using an ASUSTOR NAS should disconnect it from the internet right away. pic.twitter.com/gBFu8yx4hG— sudara (@sudara_hodara) February 21, 2022
Additionally, the splash message contains a call-out to Asustor themselves (much like the QNAP NAS Deadbolt attack): a message and a link inviting the brand to open a discussion (i.e. pay) for a master key and details of the vulnerability they have exploited:
“All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:”
Details are still emerging, so I will keep this article short and sweet for now (and add more later as details emerge). If you own an Asustor NAS, check it immediately, regardless of whether you have enabled remote access via EZConnect or not: EZConnect is not necessarily the key to the attack vector, and your system may have opened other ports on its own (for DLNA, for example). Check it now and, ideally, disconnect it from the internet. Currently there is not enough information to say whether this is a case of an existing vulnerability in out-of-date firmware or something inherent in the current firmware. Regardless, check your system and, where possible, disconnect it from the internet until further details are confirmed here, on reputable sites such as Bleeping Computer, or via direction from Asustor themselves.
Once you log into your NAS, check your logs and check your processes. If you have the means to back up to a NEW location, do so. DO NOT overwrite your existing backups with this backup unless you are 100% certain you have not been hit by Deadbolt ransomware.
What to Do if you have been hit by the Deadbolt Ransomware
If you have been hit, you will likely be unable to connect remotely to your NAS files/folders. Even if you can, you need to check whether you can still open them or whether they have been encrypted to a new format (the file extension/type will have changed). Several users have commented on Reddit, and there are similar threads there showing their setups and how they got hit.
If you still have access to your files, get your backups in order!
Otherwise, if you have been hit by this, you need to disconnect your system from the internet. Killing any processes in the task manager is an option; HOWEVER, bear in mind that doing so might corrupt files that are currently being encrypted and so prevent any kind of recovery. I am checking with a couple of affected users (as well as reaching out to Asustor as we speak) to see if a suitable course of action can be recommended. Some users who restarted their system, or immediately pulled the power and rebooted, have found that their system now states that it needs to be reinitialized.
One big factor to keep in mind right now is that it is still unclear a) whether the Deadbolt ransomware can be killed as a system process in the Asustor Control Center (I do not have an affected Asustor NAS in my possession right now) and b) whether switching your system off DURING the Deadbolt attack can leave the data unsalvageable because the encryption is part-way through. So, disconnect from the internet (physically and via EZConnect for now), and if you can see your CPU usage spiking and/or your HDD LEDs going nuts, you are likely being hit.
My Asustor NAS is Saying it is Uninitialized
DO NOT RE-INITIALIZE YOUR NAS. At least not yet. If you have already powered off your NAS in reaction to the attack (understandable, if not the best choice without knowing the full attack vectors or how this affects the encryption) and you are being greeted by the option to reinitialize in the Asustor Control Center application, then power the device down again. Again, I only recommend this action right now for those who already reacted to the attack by shutting down or restarting their system post-attack.
If I am not hit by Deadbolt, Should I disconnect my Asustor NAS from the internet?
For now, YES. The attack vectors are not clear, and there are reports from some users that they had the latest firmware and were still hit. There is too much unconfirmed information here to justify allowing remote access (in my opinion), so until further information is made available I strongly recommend disconnecting your Asustor NAS from the internet (physically AND via the software settings) and getting your backups in order.
I will update this article soon as more information becomes available.
Jeez, I’m glad I found this channel. So much good info.
Any solution for the “Uninitialized” situation? I’ve updated the firmware on my NAS, so it’s not encrypting files anymore, but I still have the “Uninitialized” status. If I initialize the drive, it will erase all data. It’s amazing how little information ASUSTOR has on this attack.
My reason for buying this is also to remote access my media through jellyfin. Is using reverse proxy + cloudflare safe enough?
Scary stuff. I have a Synology, but I would never have used EZ Connect anyway just as I would never use Synology Quick Connect, so I imagine the brand doesn’t matter in my case.
I have ports 80 and 443 forwarded from the router to the NAS, and one Plex port (which I could probably stop, to be honest, as I use Jellyfin now, and I only really have Plex still running for comparison purpose), nothing else if memory serves. I only even forward 80 because everything is set to autoredirect to HTTPS and I’m too lazy to type https:// before URLs.
My setup is that 80/443 are forwarded to the NAS, and the LSIO swag container on the NAS reverse proxies the request to everything else. I’m not sure if that layer between would obfuscate or help with this etc… but I do this because I don’t want to have to connect my phone to a VPN every time I want it to upload a picture to Nextcloud or something.
https://www.youtube.com/watch?v=UVgq3ZnMfP8&t=184s
I’m thinking about using Microsoft ONEDRIVE and paying Microsoft to avoid all this mess in the future.
Does it affect the NAS only, or somehow the PC too? Would the problem be solved if I used some Linux distro instead of the official OS, or is it more of a hardware problem?
you should remind all people watching your vids that they need 2 everything.
*I was hit, so unplugged, shut down, external USB backups fine. Plex user, was watching at the time, no issues, went to update, saver denied, then found the splash screen. Now on reboot, air-gapped on an independent switch, no WiFi etc., it instantly goes to initialization. So safe to assume the services themselves have been affected. Did a safe shutdown. After some time I turned on everything, then I found out I’ve been truly hit by Deadbolt. I did as much research as I could and I found out that Scott can actually decrypt the encrypted files. So I paid some money, not up to what the Deadbolt team are asking, then he decrypted my files*
Will My Cloud be safe to use in these times!!
Has Synology also been affected? I see Asustor, QNAP, Terramaster, but not Synology or TrueNAS. TrueNAS I get, since you don’t use their dedicated cloud, but Synology? Does this mean that Synology is more secure, or the others less?
Anything major targeting Synology or do they seem any safer?
Has Asustor come up with a PhotoRec solution like QNAP did yet? Are they even working on that? I have been checking their web site but haven’t even seen mention of this. :/
I really want to know how and where it got into the NAS; some Deadbolted NAS units had SSH down, 2FA and a hard password (note that 2FA, once activated, is also needed for SSH). I also note that, as far as I have heard, no password was pirated (if that’s true, that eliminates bad or not-strong-enough passwords). Because I always hear “it’s the user’s fault”, and I don’t think that is all true.
Rather than spending a long time trying to retrieve data and risk my NAS being connected to my laptop, I’d prefer to just wipe clean the two drives in my AS6302T NAS and lose the data permanently. Can this be done and the NAS setup anew with clean disks as if they had just been installed? I have a Raspberry Pi with a Linux OS set up on the network as an Apple Airprinter server. Could this be used with a disk caddy connected by USB cable to wipe the disks?
I was looking at buying a NAS, but with everything going on should I just wait?
Can anyone help me recover my files? If not, format everything and set up my NAS again?
This is a warning to avoid trying to recover from Deadbolt ransomware using a USA-based business found on Instagram, WhatsApp and this forum. They are known as “900Ethics” in the forums. They offer to restore Deadbolt files for a total of $300; then when they have that, they ask for another $100 for decryption software; then when that’s paid they ask for a delivery and gas fee of $150; then when that’s paid, they say you have paid $550 but others have paid $1000, so 900Ethics say we should pay more also. These guys are dishonest crooks and scammers.
Luckily I wasn’t infected. But I feel bad for those who were. I applied the patch and changed to all the recommended settings. Now I have a NAS disconnected from the Internet and only on my LAN. Like a glorified bunch of drives. This shows once again that anything connected to the internet needs adequate security. And has to be security patched almost forever. Is it worth it having an internet connected fridge or heating system or smart meter or electric/fuel cell car and so on. I have a lot of doubts. I’m going to try and ignore Solutionism.
I had accidentally knocked the power off of my NAS before the attack. I plugged it back in when I figured it out. Went 2 days before I logged in only to see the splash screen. I was able to get to the main screen and shut it down from my office. Still seems like I lost my data.
Question:
If I am getting the black ransomware screen and my ssh is disabled, how can I get into the interface to enable ssh and stop the encryption process.
Also how can we find how much data was encrypted?
Thanks!
Updated ADM and had a snapshot from 8/21. Didn’t lose too much. Only problem is now one of my drives is showing bad. Going to scan after it’s synced
I have my 4 drives that are in RAID5 connected to an Ubuntu based PC. The volume mounted itself, there was nothing to be done.
As I feared, most of my files have been encrypted (about 80%). The worst is, the most important are in that category.
Anyone has any clue how this could be encrypted?
Pretty sure I found the code embedded in the location where the encrypted files are located; it can be found by using SSH with FileZilla.
D:\WD SmartWare.swstor\LAPTOP-HP\Volume.cd16bea6.1b75.11e9.a278.a0481c06abb2\ The end of the volume is the key; in between the dots is, by my count, 32 characters. It’s got to be it. When the files transfer, it is transferred by location and is not visible. The Emsisoft decrypter for Deadbolt should be able to crack it, I hope. Backing up 4 TB of data before I attempt to decrypt. If this works let me know, as I haven’t been able to try it yet, only 102,000 files to go… ###fuc_asustor***
I have ASUSTOR NAS AS1002T which has been hit with Deadbolt. But I have never seen or used AppCentral or Plex Server. Are these only valid for newer models of ASUSTOR NAS?
I got hit with this Deadbolt ransomware a few days ago. On the morning of the 24th, my internet was down. When the internet came up, I logged on to my laptop and tried to access the ASUSTOR NAS (AS1002T); I had earlier mapped different volumes on the NAS to different drive letters on the laptop. When I clicked on a mapped drive, I could not access it. Control Center did not display the device. I thought it had something to do with the internet going down, so I powered down the NAS (I may have pressed the button longer than 3 secs). After that, Control Center displayed the device but with the “Uninitialized” status.
A few questions:
1. If I do as the ASUSTOR support suggestions and update the ADM, and bypass the “Uninitialized” status, will the ransomware encryption (that had stopped earlier because of shutdown), start up again? Do I have to do something to stop that?
2. Will I see the Black screen message after the ADM is updated? If so how to bypass that and access the different volumes to check the status of the files?
3. At any stage after the ADM update, if I decide that I need to pay the ransom in order to recover my data, is it possible? Or will the update do away with that avenue?
4. Once I am able to see my files, do I need to immediately copy them to another disk drive (external drive attached to my laptop)? If I delay that copy for a few days, will the situation get worse? If so, I need to buy an external drive before I attempt to update the ADM. BTW. I have photos and videos of past 25 years on the NAS, and I do not have a backup of the data for last 3 years, and therefore recovery of as much data as possible, of the last 3 years, is important to me.
5. If I decide to pay the ransom, how do I pay in Bitcoin? I have never dealt in bitcoins before. BTW. I live in Canada.
Can the good folks who are knowledgeable on this issue be kind enough to provide some answers, please.
An update was published to solve the uninitialized issue: https://www.asustor.com/en/knowledge/detail/?id=6&group_id=630
FIXED. Please read. A tech was able to get all data back! I had the “Uninitialized” situation. Setup was 4 disks in RAID 10 (2 disks striped and then mirrored to the other two that were striped). Just take disk one and use “EaseUS” to find the hidden data. Some of it was in folders with correct names and some were not, but they did have the file names. I have no idea why this worked with only one disk and I’m still sifting through the files (1000+) to see if they all work. So far so good. I can’t wrap my head around why recovering from only one disk got this much information back. *I never use EaseUS btw. I have RapidSpar but the tech used it. JUST TRY IT! OR, I DON’T CARE, USE ANY RECOVERY SOFTWARE ON ONE DISK. I really hope this helps someone!
Not sure if this is going to help anyone, but when I was going through my files, two new files stood out to me. Both files were in a random folder which I’m sure were not there before. The first one is a text file called _Incapsula_Resource and in it is
(function() { var z=""; var b=" here there is about 10K of random characters "; eval((function(){ for (var i=0; i<b.length; i+=2) { z+=String.fromCharCode(parseInt(b.substring(i,i+2),16)); } return z; })()); })();
The other file is a picture that has a .deadbolt extension and is 430GB. That size is very similar to the size of all my files on my NAS. It’s almost like all my files were compressed into a picture. The other pictures in that folder were less than a MB each.
if anyone has any questions
husainh00@gmail.com
I wonder if is is encrypted. Most probably it is exactly that – a file containing all your files. The deadbolt files are encrypted with your personal key. Maybe this one is encrypted with the master key. I wonder if the other file has something to do with the key itself. Seems like it reads a string of hex characters and makes an unicode string out of it…
Hello, I tried to do what Clinton has specified for renaming; however, it is not working:
cd /volume1
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
when I run it I get the following:
root@ASUSTOR-604T:/volume1/Media # find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
find: bash: No such file or directory
find: bash: No such file or directory
find: bash: No such file or directory
find: bash: No such file or directory
find: bash: No such file or directory
I assume I am doing it wrong. Please tell me the command to change all the directories that have the deadbolt extension
Anyone have any luck decrypting files that were hit by the deadbolt? As I mentioned, I followed Asustor's steps and was able to update my ADM, but my files are still encrypted by the deadbolt hack. Please let me know the steps to take. Renaming does not fix it since they are encrypted.
Thanks
I have managed to fix my Asustor Raid and got rid of the Deadbolt Index screen and stopped the process. I can now log into my nas as per normal. Most of my files are encrypted by deadbolt. Is there any way to decrypt without paying the damn ransom?
Asustor has released instructions on how to solve it, but they are not clear and there is no FAQ etc. I regret to death buying this crap.
REPLY ON YOUTUBE
Good morning again everyone. So, there have been some updates from Asustor and some little tiny bits of useful information for those of you who have an Asustor NAS that is stuck at uninitialized and just want to ACCESS your NAS to see the extent of the damage and maybe attempt any kind of recovery OR just pay the stupid F-ing ransom (again, absolute S%!T to even think about, but some business users are going to lose 10x this ransomware amount for their lack of backups). I have updated the article and also published the guide and walkthrough to it all HERE – https://nascompares.com/2022/02/25/asustor-nas-uninitialized-repair-after-deadbolt-ransomware-getting-back-to-adm-avoiding-the-black-threat-screen-seeing-what-remains-of-your-data/
Must admit this was a good video about a bad topic
REPLY ON YOUTUBE
Has anyone paid the ransom and confirmed they got their data back?
REPLY ON YOUTUBE
Hi guys, anyone out there that can help a noob? I was able to update ADM but all my files are still deadbolt… I have SSH installed on my machine but I am a little unsure what the process is to access my NAS via SSH, I was trying to follow Clinton Hall’s but I feel like there are some commands that are generic and I don’t know what to put in its place, so for a noob, could you be so kind, I would love to be able to rename all the files. Thank you
For those who want to know, there is a bit of an update on the "stuck on un-initialised" screen – the new ADM version can actually bypass it now for some users, so you can access ADM and start to see how many files have been encrypted by deadbolt. Hope, like me, many got off lightly (only volume 1 affected, but my drives were single volumes not in RAID).
REPLY ON YOUTUBE
I tried following Clinton Hall’s path and it seemed to work until I get to the Kill order:
“cd /volume0/usr/builtin
ls
you will see a 5 digit binary executable file. For me it was XXXXX. I use that in the following command to get the process ID
ps | grep XXXXX
from this I got the Process id xxxxx. I kill that process
kill XXXXX” And this is where it fails. Putty says no such process. It may be too late as ACC is saying now that I have to initialize.
Anyone know if pulling my drives and putting them into an external HD enclosure would allow me to access any of my 4 drives and maybe save anything?
I got hit, I cannot pay the ransom, but I stopped the NAS as it was being encrypted, so I hope some of my files are still ok.
I followed the instructions received by email from Asustor, saying to remove the drives. Done that.
Then I tried following the instructions at https://www.asustor.com/knowledge/detail/?group_id=630 about fixing the NAS, but if I point my browser at the NAS, I only see a “No drive detected” (obviously).
Is there any way to update the ADM without formatting the disks?
I was able to use Clinton's workaround to get back to ADM. I also was able to update to the latest firmware. There has been more progress made by end users to solve issues than by the company themselves. Asustor hasn't taken any responsibility for this happening. Simply stating how it happened is not taking responsibility. That being said, I have no intent of allowing this NAS to be permanently connected to the internet ever again. I don't see any efforts being made public by Asustor to be able to retrieve any data lost. To that end, I strongly encourage everyone to rethink using their products.
I would love to see a Synology version of this video
REPLY ON YOUTUBE
After deadbolt I’ve disconnected NAS from the internet but I did not restart it as it seems this can cause several problems.
Now Asus has released ADM 4, which seems to be patched.
BUT
My NAS is still showing the deadbolt page, how can I install the new ADM?
Is it enough to get back the original home page with the "putty" workaround already described in the general Asus forum thread?
And how can one get rid of all the encrypted files? (Happily I have redundant backups of my NAS)
Is it enough to reset to factory settings through the option in ADM?
Thanks in advance for your answers
After the attack, we shut down the server with AiMaster. When we opened it again, we got a “Uninitialized” warning in the Control Center application. What are we supposed to do? Not all of our data was encrypted. We do not want our data to be deleted. What should we do?
REPLY ON YOUTUBE
Sadly I am also affected, and I feel sick and violated. Unlike others, I do not entirely blame Asus, but it makes me sad that there are some very clever people in this world whose morals are such that they feel it is okay to use their skills to take advantage of innocent people. My Asustor has (had?) backups from my PC and from my wife's MacBook, all my music and over 100,000 digital images (20 years' worth). I suppose the good news is that my music and all the digital images are safely backed up to an old NAS; I have just checked and all the files are safe. The backups can be rebuilt. I did the safe shut down of my affected NAS, so I will leave it off until the dust settles and advice emerges as to the best way forward.
REPLY ON YOUTUBE
How does one get affected in the first place? Is it a user clicking or downloading links from unknown sources or emails that leads to this?
REPLY ON YOUTUBE
Good morning everyone. Just updated the article with a new update, as Asustor have released a patch for ADM 4 that they say will close the door on this security issue. Sadly, this will be more useful to those who have not been affected by the deadbolt attack (and who are keeping their systems offline/powered down until a fix was announced). There are still little to no details on any kind of recovery, but I am working with an affected user's system (who had a backup, so is happy for me to tinker with their RAID 1) in an effort to connect with a Linux machine, access the folder structure, then use the snapshots in BTRFS to attempt a recovery. This is still very much in the early stages and I have a bunch of other projects on the go, so I apologize for the delay on this. You can find out more on the update from Asustor here – https://nascompares.com/2022/02/21/asustor-nas-drives-getting-hit-by-deadbolt-ransomware/
Fucking Seagulls again. Bastards shit all over everything worse than Pigeons.
JUST finished transferring a hard drive full of data over to my brand new Asustor NAS that I bought in large part due to the videos on this channel. We're going to see if I'm affected here soon after I get all the information I need and have a run at shutting down the offending processes if I log into that black screen. Haven't even had time to set up a backup of the NAS yet, but also haven't had time to enable remote access or install Plex yet, so I'm hoping I haven't been hit. Wish me luck
REPLY ON YOUTUBE
I just found out that I have been attacked by the Deadbolt Ransomware. And ALL my files have been affected. Is there any way to fix this? I have no backup at all. Everything I have, years and years of data, is all in my Asustor. This is such a shit situation and Asustor needs to be held accountable!
REPLY ON YOUTUBE
Everything you said is spot on. Especially the uninitialized issue.
REPLY ON YOUTUBE
I am confused as some say it’s not a lost cause and others are doom and gloom. I am stressed out as I have everything since 1999 on this NAS.
Although I have read the agreement and Asustor owes you nothing legally.
This is a bit different in that there was a clear threat and activity encountered by others that ASUS at a minimum should have sent notice to its clients. An indemnification is only good in that they can defend the lack of actively engaging. The question here is did they participate by not informing the end user or did they support it by ignoring it. This definitely is the making of a bad day for ASUS down the road.
In the meantime, I will patiently wait as I have no clue about SSH or any other knowledge of how to access it and rewrite the cgi blah blah.
If someone knows of an idiot's guide for this SSH process please share. I mean idiot's guide.
Or if I can pay a security company to try and recover the files, please do let me know of one.
Yes, I know now backup offsite…. thanks deadbolt.
I hope someone finds those responsible and shares their info, as I would hate to watch them lose things that matter and cannot be replaced…….
Is Raid 6 on a 5304 any saving grace?
No, only those who had created a separate volume are not affected. They targeted volume1.
It is never 100% lost cause. After a file is deleted from a hard drive, it simply means that that space on HDD is available for different data. But it is still there. You can use PhotoRec data recovery tool to see deleted files. But I would recommend talking to IT guys, they will know better.
My Asustor system was attacked Monday. Luckily I had done a backup last Thursday so I only lost a day's worth of work and still have all my files. All I did was reformat the HDD, erasing and going over 7 times to make sure all files were deleted. A backup and a good malware program can save you a lot of $$ and down time..
REPLY ON YOUTUBE
Will the Asustor hardware run any different Linux OSs? If I just want to build a NAS device can’t I do that with a server version of a different Linux OS? Most of them have some kind of GUI. Just a thought.
REPLY ON YOUTUBE
It's a really really crap day.
REPLY ON YOUTUBE
There are so many products and boxes in the studio that the presenter will become invisible in a few months 😉
REPLY ON YOUTUBE
I think that a good idea would be that all the files on the NAS are read-only (maybe with some exceptions for logging etc) and if for any reason the device needs to change them, there could be an option to ask you to authorize it.
REPLY ON YOUTUBE
I am not sure if this will do the job. If they have a root access to your NAS, they will be able to change the attributes of the files and get write access.
Is there risk of contagion if I remove the drives, attach them to an external enclosure, then try to view them on my PC? Or is this an Asustor-hardware-only ransomware?
REPLY ON YOUTUBE
In a few messages and in the video, you claim that the initialization message is caused by suddenly unplugging or pushing the power button too long, so a sudden power-off event happened, causing the system files to be corrupted.
I am 99% sure this is not what caused the system crash on my system (Lockerstor 10 with 4x 18Tb drives)
What I did :
– I first rebooted the nas through the front panel and it rebooted fine, but came back up with the Deadbolt interface
- when I looked at the logs of my router, it saw a lot of refused activity (2 to 3 per minute) from several unknown IP addresses
– I then blocked all the ports and services to my Asustor on my router
– then rebooted the system through the front panel on the Lockerstor
– it’s only then after rebooting it showed the initialization page and my 54Tb of data is now not accessible (and also not mountable in Linux…)
So my 2cts are that the Deadbolt process somehow also communicated with the outside port and the sudden blocking of those ports corrupted whatever it was doing.
Or what else could it be ?
When I got my AS6510T I turned on all those services just because I wanted to see if there were security issues with them enabled. I had not transferred any data to the NAS yet so there was no data risk. I monitored the logs and within a few days I was getting attempted access from most of the countries where attacks originate like China, North Korea, Russia… etc. I shut down all remote access services and I have not seen a single access attempt since. I think Asustor needs to reassess their security model
REPLY ON YOUTUBE
How do I know what file system I'm using? Is it ext4 or btrfs? I don't know
REPLY ON YOUTUBE
I pray I never find anyone responsible for such an attack or I’ll break every bone in his fingers at least twice.
REPLY ON YOUTUBE
I have a Synology but would this affect a backup on an external drive plugged into the Nas? Assuming that this same type of attack might be implemented on Synology Nas systems.
I’m going to be setting up a backup on my Synology with an external drive so I’m curious if that would be a version of back that you are talking about to help recover your data in this case?
REPLY ON YOUTUBE
Came across this video whilst reading up on the attack. I have an Asustor, not sure yet if it's been affected, as I only accessed it remotely via Android login from work to shut it down. I will be checking it later using these tips and wanted to thank you in advance for your efforts. Hoping all data is OK, and if it is I will be changing all the ports and following your suggestions – Hope everyone else is OK too! Good luck everyone
REPLY ON YOUTUBE
Well I'm screwed then, as I have a RAID5 and I shut down the machine as soon as I saw the message…
REPLY ON YOUTUBE
20 years of photos deadbolt locked. Wedding, birthdays, births, holidays. Memories potentially lost forever. I'm beyond gutted and really upset. Of course, I am learning the painful way that if I ever get them back, to have a secondary backup, but more than that I am furious at Asustor. If QNAP got hit last month, did they not consider warning the rest of us? I didn't know about the QNAP attack until it happened to my Asustor.
Have any Qnap owners got their data back without paying the ransom? I can’t afford $1100 without even the guarantee of the key working.
REPLY ON YOUTUBE
Same thing, every file deadbolted. Initially, after noticing decrypted files on shared folders, I turned off the NAS and removed the hard drives. I tried to connect the drives to a PC to read the content and every document and image is encrypted. Not sure if I can even get to the hacker message screen to send bitcoins for data unlock.
From what I've been reading around forums and various sites it seems impossible to get your data unlocked once encrypted without the "key" from the hackers. At least 80% of the NAS content was just copies/backups from the machines connected to it, but still some important documents have been lost forever.
As much as it's the user's fault to have the only copy in the NAS, it's also the responsibility of the software creators to label warnings/disclaimers about setting up remote access. Especially knowing there were attacks on other devices before.
Hacking is a form of terrorism. Capital punishment is the only way to stop them.
REPLY ON YOUTUBE
I got hit too but was still able to access via network share and have all my files backed up, so I'm not very worried. But the day after, my system files got encrypted; I guess probably I did a force shutdown, since I was greeted with a prompt to initialize the NAS.
REPLY ON YOUTUBE
Several users affected by Deadbolt Ransomware did not even enable EZConnect. Plex is one of the suspects.
REPLY ON YOUTUBE
I agree with the other comments, I’d like to see a video on securing a Synology NAS. I figure some of these steps would work for Synology. I just wanna keep my home NAS secure.
REPLY ON YOUTUBE
Always backup your data separate from your NAS
You can never be too careful
REPLY ON YOUTUBE
Hi, I followed the advice to clear the virus. However, changing the files to remove the .deadbolt is not working
REPLY ON YOUTUBE
Gladly I never had remote access or EZ-Connect enabled and never used Plex on it; also, when this all started I happened to have my Asustor turned off. With that said, I powered on, immediately switched off the SSH connection and switched HTTPS protocols; seems all good for me luckily. Also, I am using a VPN on my router.
REPLY ON YOUTUBE
Only because I got notified of your upload; I'd have never known otherwise. Thanks, lad.
I haven't been affected, it's now shut down.
REPLY ON YOUTUBE
I am on QNAP, but this is very useful
REPLY ON YOUTUBE
Any updates on this issue?
REPLY ON YOUTUBE
In my infinite wisdom (NOT) I had an older Asustor NAS (3102T v2) backing up my main Asustor NAS (5304T), one RAID 5 and the other just one big drive. I saw these articles and the 5304T was powered off already. Not sure by what. The 3102T gave me that black screen with the Ransom Request. I unplugged both from power and internet. The most important info on there is the pictures of my kids growing up. I did have a backup of those from March 2021. All newer pictures are on my phone anyway. Although I lost many ripped CDs and downloads that I didn't have a backup of the backup of. Not the end of the world, but it has changed my backup strategy completely going forward. I thought having a whole second NAS that backed up the first was a good idea. I don't even use the online tools and didn't realize my NASs were logged in. Shame on me.
I do agree that my own strategy as regards NAS will have to change
My por-, I mean, my legal documents!
REPLY ON YOUTUBE
Make Hacking like this a Capital Offense, and treat it like terrorism.
REPLY ON YOUTUBE
Can anybody send me the content of the /volume1/.@system/volume.conf file?
It is already encrypted on my system, and I would like to reconstruct it.
Thanks in advance!
Does Snapshot on Synology prevent losing all your data? Does it help to recover encrypted files, or would the snapshot files be encrypted too?
REPLY ON YOUTUBE
Can you make a similar video for Synology users focused on preventing this sort of attack?
REPLY ON YOUTUBE
I was thinking to buy an Asustor NAS, it seems not a good idea at this moment…
REPLY ON YOUTUBE
Should I as Synology owner be worried?
REPLY ON YOUTUBE
Thanks for the video! Maybe I was saved by using an OPNsense router that doesn't have UPnP
REPLY ON YOUTUBE
What I (noob) think I have understood till now.
Attack came from ADM (as I see that not everyone who is affected had EZ-Connect on).
There is a solution but only for 2 bay in RAID 1.
Asus is aware and it seems they are working on it (but unless they pay I don't see many chances to get back the encrypted files).
After the announcement on the Asus support site (and after I did some emergency backup) I disconnected the NAS from the LAN but DID NOT shut it down, as it seems that on reboot it asks to reinitialize (causing complete loss of data – encrypted or not).
I have two backups of my NAS content, both made on 11 February, so I am not too worried about loss of data
BUT
even if I reinitialize the NAS and restore the data, I'll have to face the same problem with ADM; how can I be sure that even disconnecting the NAS from the internet the NAS will be safe?
Yep, I got it yesterday thought my NAS was making a lot of noise but had to go to work immediately and forgot to check after, today found my whole NAS locked out. Immediately shut it down, just waiting for Asustor now to come with some more information 🙁
REPLY ON YOUTUBE
Just a reminder that you're dealing with criminal and non-moral people who have no honor. Do not send money; if you send money you're put on a list of naïve people and they will attack again knowing you're paying. Just be patient, Asustor will find a solution. Also I can access my Asustor with my phone app. So my plan is to wait for the update and update with my Asustor phone app. #iloveseagulls
REPLY ON YOUTUBE
who is willing to pay 1k €?
Not me, I can't afford it! Last thing we need at the moment with all the other shit going on in life
Yikes. I feel a bit freaked out and I don't even have an Asustor. Good luck to everyone!
REPLY ON YOUTUBE
high pass filter……that is all.
REPLY ON YOUTUBE
Apologies for the slightly rushed nature of this video. The Deadbolt ransomware attack on Asustor NAS systems largely kicked off yesterday afternoon and I have been pretty much non-stop on this since then (pulling an all-nighter like the old days!) and assisting a bunch of users, as well as finding out as much as I can and being as noisy as possible to alert any users left who might be targeted. As the video suggests, I will be updating the article on this as more info arrives and if a workable solution appears (I have a deadbolt affected Asustor arriving with me later in the week), I will make a video on this. Otherwise, night night everyone, I am bloody shattered! #Ihateseagulls
REPLY ON YOUTUBE
It looks like the files on the RAID volume are toast (it's an AS6604), but the files on the MyArchive drive appear uncorrupted. This is simply a straight copy of what's held on the RAID.
Was I simply fortunate to catch this before it got its teeth into the MyArchive drive or was that drive somehow not exposed to the Deadbolt encryption? I’m clearly fortunate that the daily back up must have happened before the RAID files were screwed.
Yes, it looks like the malicious code only attacks Volume1. If you had the OS separate from the rest, you might not have been affected.
Yeah I’ll take my relatively easy to recover position over many others I’ve read this morning. Am I correct in saying that the OS is held on the volume 1 drive/s (unless set up otherwise) and if I boot with the disks removed it’ll boot like a new unit, I can then add to drives, wiping as I initialise and just rebuild from scratch? Bit nuclear I know but given I have intact backups it seems the logical step.
Yes. if you have backups, the best option will be to reinitialize. This will format the drives and delete everything including virus.
I think that it may be coming through the web server. Yesterday I was playing with my NAS and had to turn on the Apache and PHP logs in order to fix the migration of my site. While scrolling through the logs, I saw that something tried to execute a bash script, but was rejected. Maybe I was lucky or maybe it was because I transferred all my web sites to SSH, but I wasn't infected before I got the news (then I simply stopped all connections and EZConnect, checked that nothing is trying to encrypt the data and turned off the NAS – the data is more important than the uptime currently)
As most people here, I cannot even boot into ADM anymore.
So I used the following procedure : https://nascompares.com/recover-raid-or-move-data-from-broken-nas-to-a-new-one-synology-qnap-asustor/
– installed the 4 drives into an old PC with Ubuntu Linux
– installed mdadm and lvm2
- checked that the drives were in the right order with mdadm --examine
When I tried “mdadm -Asf && vgchange -ay”, I get the error message “No arrays found in config file or automatically”
Alternatively, I opened the Ubuntu Disks App and there it clearly see the 54 Tb RAID5 (btrfs), but when I try to mount it there, I get “Error mounting system-managed device /dec/md125: wrong fs type, bad option, bad superblock on dev/md125, missing codepage or helper program, or other error (udisks-error-quark, 0)
I feel like I am a bit closer to accessing my disks, but missing in-depth Linux knowledge to get me further.
I was lucky that I had a snapshot from a few days ago that I have been able to recover from. I’ll be keeping the NAS offline while I work on backup solutions.
From Asustor’s update they say to disable EZ-Connect, how can we do this with the NAS offline? mine keeps saying it requires an internet connection and logged in account to even have the option to disable EZ-Connect
Log into ADM using a Web browser.
Select [Settings] [EZ-Connect].
Untick the [Enable EZ-Connect Service] checkbox and then click on [Apply].
Here is an image https://www.asustor.com/images/tinymce/20211007095527_enable_ez_connect_s1.png
Yes but how can I connect even from a web browser? When I enter the ip of the nas, I get the deadbolt message.
Thanks for the info. I got hit as well (ASUSTOR 6104 NAS, 4x6TB disks in RAID 5), but noticed it very late (being in Hawaii, I am also behind most people). Sent the form to ASUSTOR.
Have a full backup, so will just wait to read more, so I know how to restart the NAS and reinitialize everything before transferring my backup.
Thank you for your comments here and messages via the free advice section everyone. Just wanted to quickly update the state of play on this right now (in case you skimmed the article and missed bits). It sucks to hear how many got hit with this. To be completely straight to the point on this (as I think that is what you would prefer), right now there is not a vast amount you can do aside from paying the ransom (which I still do not advise unless your data is mission-critical). The key word there is 'right now', as I do think there is work happening right now at Asustor HQ on decryption tool options and/or ways to fix the OS that might have been corrupted in the event users powered their NAS down abruptly to halt the attack (which harms the OS, as the encryption seems to start at core system files), as well as options emerging involving mounting the drive in a Linux OS as an external drive and seeing the data (opening the door to PhotoRec and tools like that). However, it is a question of your NAS' current status. That will be one of three states right now:
1 – You are only seeing the black deadbolt splash screen that states that you need to pay, to receive an encryption key
2 – You powered down the device abruptly and you are now seeing the NAS on the Asustor Control Center software as ‘uninitialized’ – DO NOT INITIALIZE!
3 – You have navigated around the black deadbolt screen and have access to your NAS GUI and File/Folder structure, but they have all been encrypted (with the .deadbolt file format)
I do not have an Asustor NAS in my office/studio that has been hit (in order to conduct experiments and tests for any kind of resolution) but a colleague is bringing one in later today. Overall, I STRONGLY advise you bookmark this article or at least set up a change alert, as I will keep adding to this as I learn more. As well as DEFINITELY filling out the form linked in the Asustor response (first 1/4 of the doc), as it will allow you to hear directly from the brand if they can work out a solution to this. Apologies for my abruptness, Eddie and myself are answering a large volume of enquiries on this via the free advice section and as you might imagine, it is fairly grim stuff. Stay frosty. Robbie
Managed to kill the encryption process via SSH and was able to log back in to the GUI page. Can see the CPU utilization drop to 5% after killing the process. Only lost Plex screenshots/thumbnails and some files that are not critical. Lucky me. Re-installed Plex and refreshed metadata. Temporary measure till the fix is in. Still going to transfer all my files to external storage soon. 20TB worth of data almost gone if I had not killed the process.
Ok, first time I have been hit … just relocated the NAS from one room to another and noticed encryption
Gurus – is the backup only the option? NAS is currently off. I guess it was hit from outside using software vulnerability.
Appreciate your input
Hit at this end.
My solution so far: log in via SSH as root user
cd /volume0/usr/builtin
ls
you will see a 5 digit binary executable file. For me it was 22491. I use that in the following command to get the process ID
ps | grep 22491
from this I got the Process id 25624. I kill that process
kill 25624
I then remove the binary file
chattr -i 22491
rm -f 22491
Now, restore the index as above
cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
Now for the fun part…. a LOT of files had been renamed (not encrypted) to have .deadbolt appended to the end of the filename… So rename them back
(note, you may want to do this folder by folder and check it is working). The following will do for the entire /volume1
cd /volume1
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
After these are all renamed, everything should work. Probably a good idea to reboot to restart the services etc.
Also, I’m not sure if the above will definitely traverse the .@plugins etc… so I did this manually
cd /volume1/.@plugins
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
Don’t try renaming the files… I thought a few looked good… but indeed some are actually encrypted. Probably best to keep the .deadbolt extension so you know which ones
A quick update to this. The corrupt webui will eventually return… to stop this happening add the following to the suggestion above
cd /usr/builtin/etc
chattr -i cgi_install
rm -rf cgi_install
So basically, the commands previously posted will stop the service from running and prevent further encryption.
This last set of commands stops the process that tries to replace your login screen.
Following this my system is fully functioning again (I have updated the firmware, removed and reinstalled EVERY App, and I have restored backups of some data as indeed some files were encrypted.)
Don't try renaming any of the files (to remove the ".deadbolt" extension as per my post above) as this will not restore the file… interestingly, when I first tested this I checked some .nfo and config files, and even though these had been renamed, they were ok once I removed the .deadbolt extension… however all significant files such as pictures, movies, music, PDFs appear to have been encrypted.
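The posts above report that some files were merely renamed with a ".deadbolt" suffix while others were genuinely encrypted, and that the rename one-liner fails on boxes without bash. The following is an added example, not code from the thread or from Asustor: a POSIX sh triage script (sh, awk, od and head only, so it also runs on a BusyBox shell) that classifies each .deadbolt file as intact or encrypted without renaming anything. Thresholds, header list and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify .deadbolt files instead of blindly renaming them.
# Never modifies anything; output is "status<TAB>path", one line per file.

# entropy FILE: Shannon entropy in bits/byte over the first 64 KiB.
# Encrypted data sits near 8.0; plain text and most configs sit well below 6.
entropy() {
    head -c 65536 "$1" | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            if (n == 0) { print 0; exit }
            h = 0
            for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.3f\n", h
        }'
}

# magic_ok FILE: succeed when the leading bytes match a well-known header for
# the original extension (the part before ".deadbolt"). Compressed formats such
# as JPEG or ZIP have high entropy even when intact, so check headers first.
magic_ok() {
    f=$1
    orig=${f%.deadbolt}
    ext=$(printf '%s' "${orig##*.}" | tr 'A-Z' 'a-z')
    hex=$(head -c 12 "$f" | od -An -v -tx1 | tr -d ' \n')
    case "$ext" in
        jpg|jpeg)      case "$hex" in ffd8ff*)            return 0 ;; esac ;;
        png)           case "$hex" in 89504e470d0a1a0a*)  return 0 ;; esac ;;
        pdf)           case "$hex" in 25504446*)          return 0 ;; esac ;;
        zip|docx|xlsx) case "$hex" in 504b0304*)          return 0 ;; esac ;;
        mp4|m4v|mov)   case "$hex" in ????????66747970*)  return 0 ;; esac ;;
    esac
    return 1
}

# classify FILE: prints "intact", "encrypted" or "unknown" (heuristic thresholds).
classify() {
    f=$1
    if magic_ok "$f"; then echo intact; return; fi
    e=$(entropy "$f")
    if awk -v e="$e" 'BEGIN { exit !(e > 7.5) }'; then
        echo encrypted
    elif awk -v e="$e" 'BEGIN { exit !(e < 6.0) }'; then
        echo intact
    else
        echo unknown
    fi
}

# triage DIR: report every *.deadbolt file under DIR. find descends into
# dot-directories such as .@plugins by default. Paths containing newlines
# are not handled by the read loop.
triage() {
    find "$1" -type f -name '*.deadbolt' | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

# Constructed demo: one text file that was only renamed, one random blob
# standing in for an encrypted photo. Run as: sh deadbolt_triage.sh
demo() {
    d=$(mktemp -d)
    printf 'shopping list\nmilk\neggs\n' > "$d/notes.txt.deadbolt"
    head -c 4096 /dev/urandom > "$d/holiday.jpg.deadbolt"
    triage "$d"
    rm -rf "$d"
}

[ "${DEADBOLT_TRIAGE_NO_DEMO:-}" ] || demo
```

Files reported "intact" can be renamed by hand afterwards; "encrypted" ones should keep their suffix so the damaged set stays visible for restore from backup.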
Is there some special way to connect through ssh? I’ve submitted the ip of the nas and as a port of 8000 but after trying to load, it shows an error message. Thanks
Is this patched out yet? I’m needing to reinitialize, but what’s the point if they can hit me again?
No, not yet. Waiting on their response. If this happened through their update function it will be quite embarrassing. Connecting via VPN would be only option.
The way EZConnect was implemented was obviously flawed. It apparently requires port forwarding and perhaps even having UPnP enabled on your router which is a horrible security issue in itself.
By the sound of it, through the EZConnect port attackers [to be confirmed]:
1. place a script on the server
2. encrypt only volume1
3. generate a ransomware file asking for a key purchase to decrypt those files.
What to do if you can see Deadbolt already encrypting your NAS:
If you can see encryption running in the background blocking internet access will not help.
I would suggest shutting down the NAS until Asustor comes back with an action plan.
This will stop the encryption process. The longer you wait more files get encrypted.
Shutting down a NAS.
If you get a message that NAS is fully encrypted already?
-You can pay the ransom and hope the decryption process will fix system files too
-You can connect drives to a Linux machine and recover deleted files
https://nascompares.com/recover-raid-or-move-data-from-broken-nas-to-a-new-one-synology-qnap-asustor/
Running PhotoRec can help you to recover the lost files from hard disks to the external drive. Now you will recover the NAS files to the “recup1” (example: recup+{disk_number}) folder on the external drive.
https://www.qnap.com/static/landing/2021/qlocker/qrescue/en/. [This is not Qlocker Ransomware, but you can use the same tool to recover deleted files]
Preventative Measures
If you have not been breached and still need to have the NAS running, make sure the following has been done…
- Disable EZ-Connect
- Turn off Auto-Updates
- Block all NAS ports on your router and only allow communication within your local LAN.
What solution do you recommend for the people who turned their system off quickly enough and cannot access their NAS anymore and get the “System Initialization” page?
Obviously don’t continue with the initialization, and as said, the solution proposed by the architect works fine for a small RAID1 NAS, but not on a RAID5 with lots of drives.
I hope Asustor won’t forget about us…
I would wait for the Asustor action plan. If you shut down your NAS early, only some of the data is encrypted.
The system will not boot because it encrypts the entire Volume1, which holds the operating system as well as your files.
A combination of these two things might be a way to get data back:
https://nascompares.com/recover-raid-or-move-data-from-broken-nas-to-a-new-one-synology-qnap-asustor/
Running PhotoRec can help you to recover the lost files from the hard disks to an external drive. You will then find the recovered NAS files in the “recup1” folder (named recup+{disk_number}) on the external drive.
https://www.qnap.com/static/landing/2021/qlocker/qrescue/en/ [This is not the Qlocker ransomware, but you can use the same tool to recover deleted files]
I was able to access the NAS from my Explorer window and offloaded almost everything to a different hard drive. I then shut down the NAS. Should I restart it and wait for Asustor to present a solution?
Yes, we should wait and see what they say.
A later commenter has put a guide together here that (if the Deadbolt encryption has been stopped early enough) seems to indicate that recovery of the remaining data is possible – https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
Unfortunately this guide does not work for a RAID5 configuration…
Hi Guys,
I was able to connect to my NAS via SSH and identified the running encryption process (name: 29267).
After I killed it, I found out that the index.cgi of the lighttpd server (under /volume0/usr/builtin/webman/portal) had been changed, but the original file was backed up in the same folder. I changed it back to the original and now I can access my admin site.
I have also found the executable under /volume0/usr/builtin/
Now I will check what is already encrypted.
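For the last step above (working out what has already been encrypted once you have SSH access), here is a read-only triage helper. It is an added example, not the commenter’s or Asustor’s tooling; it assumes a volume root such as /volume1 and relies only on the “.deadbolt” extension the thread describes, and it builds its own constructed sample tree so it can be run off the NAS first.

```shell
#!/bin/sh
# Constructed triage helper (not from the commenter or Asustor): given a volume
# root such as /volume1, count files already renamed with the ".deadbolt"
# extension, per share and per original file type. Read-only: it only lists.

# Print "<encrypted> <total>" regular-file counts below directory $1.
deadbolt_counts() {
    total=$(find "$1" -type f | wc -l)
    enc=$(find "$1" -type f -name '*.deadbolt' | wc -l)
    echo "$((enc)) $((total))"
}

# Which original file types were hit: strip ".deadbolt", keep the remaining
# extension, count occurrences, most frequent first.
deadbolt_hit_types() {
    find "$1" -type f -name '*.deadbolt' \
        | sed 's/\.deadbolt$//' \
        | sed -n 's/.*\.\([^./]*\)$/\1/p' \
        | sort | uniq -c | sort -rn
}

# One line per top-level share under the volume root:
# "<share>\t<encrypted> of <total> files encrypted".
deadbolt_report() {
    for share in "$1"/*/; do
        [ -d "$share" ] || continue
        counts=$(deadbolt_counts "$share")
        printf '%s\t%s of %s files encrypted\n' \
            "$(basename "$share")" "${counts% *}" "${counts#* }"
    done
}

# Constructed sample tree standing in for a partly encrypted volume1
# (a few shares, some files already renamed, some still untouched).
make_sample_volume() {
    root=$(mktemp -d)
    mkdir -p "$root/Photos" "$root/Music" "$root/Public"
    : > "$root/Photos/holiday.jpg.deadbolt"
    : > "$root/Photos/family.jpg.deadbolt"
    : > "$root/Photos/notes.txt"
    : > "$root/Music/song.mp3.deadbolt"
    : > "$root/Music/album.nfo"
    : > "$root/Public/readme.pdf"
    echo "$root"
}

# On the NAS itself (over SSH) you would run, for example:
#   deadbolt_report /volume1 ; deadbolt_hit_types /volume1
```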
Hi, I’m hit too. I can connect with SSH. How can I identify which process to kill?
Run the top command, and then press the M and P keys. The process should be at the top of the list.
Thank you for pointing out the binary in the builtin directory. I was going to mention it on the Asustor forum and forgot. 🙂 It’s nice how the bad guys backed up the crap they messed up for us 😀
I did the same as Sab. Do I just reinitialize? Also, should I reinitialize if I will just get attacked again?
A later commenter has put a guide together here that (if the Deadbolt encryption has been stopped early enough) seems to indicate that recovery of the remaining data is possible – https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
I have posted a solution here https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
Thank you for sharing this buddy! Would you object to me putting this on NASCompares (with credit to you and links back to your site)? It would be a damn sight more effective than me just posting links on Facebook etc. Cheers
Update.
It is working and encrypting the files.
I got 54TB of data over 4x 18TB drives on this one. Trying not to panic…
Rebooting the NAS does not necessarily force the System Initialization. I rebooted once and it went back to the same state. Drives were accessible via SMB, and the Android apps (AiMaster and AiData) worked fine after rebooting.
It’s only when I took the NAS off the WAN that Deadbolt triggered the system initialization.
Putting it back on the network does not change a thing.
So I presume the ADM is somehow corrupted, but the data (or most of it) should still be on the drives.
What if I plug in a new empty HDD, take out the 4 drives with my data and old ADM, and then continue the system initialization on this new drive?
After that is done, stay off the WAN and then try to add the 4x 18TB drives.
Should it not recognize those 4 drives as a valid BTRFS volume and give back access to my data?
Can’t try it right now, because all of my HDDs are in use, so I ordered one online which should arrive tomorrow.
Would be cool if someone here could already try that.
OK, I have been able to install a fresh ADM on an SSD.
I then plugged in my 4 HDDs from my previous volume, but it somehow does not recognize the volume. Is there any way to force ADM to do that?
A later commenter has put a guide together here that (if the Deadbolt encryption has been stopped early enough) seems to indicate that recovery of the remaining data is possible – https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
That guide only works for a RAID 1 and if you have a Linux system lying around.
I have RAID5 and would hope there is a way to rebuild my old volume by installing a fresh ADM on my Asustor and then somehow rebuilding the volume by inserting my 4 drives.
But ADM does not recognize the drives and thinks they are idle. Of course I won’t build a new volume with them, because then for sure I lose my data.
I am disappointed there is no Asustor feature or tool to simply rebuild old volumes as long as the volumes are still intact and in the same order.
Same here, but I can see files from my PC.
Also from my Android phone I can use AiMaster and see both services and options.
Maybe I must shut off EzConnect?
You should disconnect EzConnect and make sure you have no open ports or UPnP on your router or NAS.
Shut down my AS4004 about 2 hours ago. Now I am afraid to switch it on again.
I have backups, but do not want to run into the same trouble again.
A later commenter has put a guide together here that (if the Deadbolt encryption has been stopped early enough) seems to indicate that recovery of the remaining data is possible – https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
My files are being encrypted as we speak. Do I turn the NAS off, or leave it on to complete?
I have made backups of my most important files, since most is unencrypted at the moment.
My fear is damage will be done if I shut it off…!
A later commenter has put a guide together here that (if the Deadbolt encryption has been stopped early enough) seems to indicate that recovery of the remaining data is possible – https://thearchitect.wordpress.com/2022/02/21/deadbolt-on-asustor-nas/
Thanks a lot for the article! I’ve been hit on my Asustor NAS about an hour ago. After a restart I was able to connect to it for a while, but some of my files were already encrypted to the Deadbolt format, so I powered it off and got the “Uninitialized” message. Waiting for now. Hopefully it’s not a lost cause!