New Reports of Deadbolt Ransomware Attacks on QNAP NAS via Photo Station
It would appear that the Deadbolt ransomware attack that has been a persistent pain for QNAP (and other NAS brands) in 2022 continues to remain current, with new reports emerging of further attacks of NAS systems in September 2022. The vulnerability that has been reported to be being exploited is in the QNAP Photo Station application and although a day one patch for the application for all current use QTS software systems has been issued, it has still resulted in users being hit in this new wave of attacked by the deadbolt ransomware group. Although the scale of this latest attack does not match that of previous attacks by the group, it is worth highlighting that the encryption of how this ransomware deploys and presentation to the user upon execution have changed a little, so even if you are not affected, it might still be worth getting clued up on this. In this article, I will cover everything that is known so far about this Photo Station vulnerability that was exploited, why deadbolt is still a thing, how it attacks, what you can do to avoid it and what can you do if you have been hit.
How Does Deadbolt Attack QNAP NAS?
Deadbolt Ransomware’s methodology in attacking your system has not changed much at all since its first attacks. We will touch on in a bit about why deadbolt is still around and the nature of software updates vs vulnerabilities, but for now we can discuss this specific instance. A vulnerability was found in Photo Station for QNAP NAS QTS/QuTS this week and this vulnerability created a small hole in the access control of the NAS that could be used to exploit as an attack vector for ransomware to be executed. It would still require your NAS to be setup in a weak remote access state (i.e. you allowed internet access to your system without sufficient layers of encryption, protection and/or authentication, such as a VPN, Firewall or disabling UPnP – will touch on these later) in order to reach ‘photo station’, but if it could, it could then execute the command to the QNAP NAS to encrypt it’s contents, create a ransom text not and modify the login screen to show the deadbolt warning. This one:
QNAP highlighted this vulnerability on their security advisor page, here under ID QSA-22-24 and state that they detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure. This is not via the myQNAPCloud services, but rather users allowing remote access with open router ports, but no VPN or restrictive access rules in place. QNAP issued the following statement:
QNAP Product Security Incident Response Team (QNAP PSIRT) had made the assessment and released the patched Photo Station app for the current version within 12 hours. QNAP urges all QNAP NAS users to update Photo Station to the latest available version. QuMagie is a simple and powerful alternative to Photo Station. We recommend using QuMagie to efficiently manage photo storage in your QNAP NAS. We strongly urge that their QNAP NAS should not be directly connected to the Internet. This is to enhance the security of your QNAP NAS. We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. This can effectively harden the NAS and decrease the chance of being attacked.
Additionally, this warning that is displayed to the end user also has an additional note directed towards QNAP themselves that highlights that they are willing to share the nature of the exploited vulnerability for 5BTC. See here:
Now, as nefarious and immoral as you might find the Deadbolt ransomware attackers and what is being done here, we also have to put the spotlight on QNAP. In their defence (I will go into more detail on this later on in the article), they are a software developer that provides a range of tools and services to maintain many backups of your data, hugely configurable security options/variables to their system, a remote access cloud portal that acts at a checkpoint in myQNAPCloud, they provide regular updates to their software/service applications with automated update options and they provide a public security advisory panel and can only remain a single step ahead of vulnerabilities. HOWEVER, when vulnerabilities are found in their platform and services (even if patched out – which relies on users remaining updated), it continues to bring into question the strength, depth and attention to detail of their security teams during development. It is true that QNAP is not the only brand that has been successfully targetted by deadbolt (see Asustor HERE and Terramaster HERE) as well as not being the only brand targetted by malware (see Synology Synolocker HERE) , but QNAP still seems to persistently be the one that gets hit most. Ultimately, ARE QNAP NAS SAFE? We discussed this over on the YouTube channel back on Febuary 2022
PSA – GET YOUR BACKUPS IN ORDER!
Before you even go one paragraph further, I have a simple question for you – do you have a backup in place? If yes, then carry on to the next part. If not, and I cannot stress this enough, GET ONE NOW. The time you are spending reading this you could be susceptible to data loss in about 10 different ways without even factoring in ransomware (Power failure leading to hard drive corruption, Malware from a slightly iffy google search this morning, cloud storage provider going bust, OS failure on your device, etc). In this day and age owning a sufficient data backup is as sensible as buying a raincoat or looking both ways when you cross the street – you don’t do it because you like rain or like looking at cars, you do it because they are peace of mind, they are a safety net, they are for caution in case of the worst. It is a bit tenuous, but owning one or multiple backups always make me think of this quote from Shawshank Redemption by Stephen King:
“There are really only two types of men in the world when it comes to bad trouble,” Andy said, cupping a match between his hands and lighting a cigarette. “Suppose there was a house full of rare paintings and sculptures and fine old antiques, Red? And suppose the guy who owned the house heard that there was a monster of a hurricane headed right at it. One of those two kinds of men just hopes for the best. The hurricane will change course, he says to himself. No right-thinking hurricane would ever dare wipe out all these Rembrandts, my two Degas horses, my Jackson Pollocks and my Paul Klees. Furthermore, God wouldn’t allow it. And if worst comes to worst, they’re insured. That’s one sort of man. The other sort just assumes that hurricane is going to tear right through the middle of his house. If the weather bureau says the hurricane just changed course, this guy assumes it’ll change back in order to put his house on ground zero again. This second type of guy knows there’s no harm in hoping for the best as long as you’re prepared for the worst.”
Get a Backup in place
Why Is Deadbolt Ransomware STILL HAPPENING?
First and foremost, it is INCREDIBLY IMPORTANT that users understand the risks of allowing remote access to their NAS system (not just QNAP, but ANY NAS Drive) without specific port discipline, a VPN, a Firewall and/or custom admin credential/enabling. In the case of this recent resurgence of the ransomware attack that was executed by the Deadbolt group, it is important to note that it is made possible by two KEY VARIABLES! Weaknesses and Opportunity.
Now, with weakness, this stems from a vulnerability is found in a software/application – not uncommon and ALL software can only be one step ahead of those looking to break it. to give it a little context. In 2022 there have been 671 vulnerabilities found in Microsoft software services, 22 in Synology NAS software services and Apple iOS has had 79. This is not to besmirch their software/platforms, but ultimately the minute a software maker releases a new version/update (often to plug vulnerabilities that were found), the nefarious will then get to work on finding vulnerabilities in which to exploit for financial gain. That is why software updates are so incredibly important! However, a weakness is no good without access and/or an opportunity.
An Opportunity (in the context of ransomware and malware attacks) can largely be defined as an open door (no matter how small) that can be used to inject a command to the NAS as an administrator (eg. encrypt everything). THIS is where one of the biggest misconceptions (and indeed finger-pointing) happens when an incident of ransomware, malware or data loss occurs. A vulnerability in a software platform (especially when the bulk of software in common use today is built on Linux universally) is only any use when it can be executed. So, in the case of a NAS vulnerability, such as the Photo Station vulnerability that has been identified, it can only be exploited if the NAS user has allowed external access to their NAS via the internet. This access may well be behind user login credentials, but lacked the barrier of a VPN, a Firewall setup with amply restrictions, trusted access credentials/identity, limited/zero admin control, 2-step verification, specific port access to a GUI and many other restrictions/limitations/authentications that can be enabled. Not all these hurdles and/or barriers are as effective as others (with some vulnerabilities being built on backend access), but all/most of these should be considered when allowing any form of external access to your NAS outside of your local network. Equally, you NEED to become more acquainted with your router! Get into your router and reactive UPnP settings, as this eliminates the possibility of applications on your NAS inadvertently opening ports remotely without your direct knowledge.
- Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 433 by default).
- Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration,” and unselect “Enable UPnP Port forwarding.”
Do keep in mind though that you might well be using external UPnP services on your router for other things in your home or office environment.
What is UPnP Port Forwarding?
Universal Plug and Play (UPnP) is a way of quickly forwarding the ports in use to other devices on a network automatically with one setting change and no additional configuration needed. UPnP Port Forwarding is widely used by many network devices, allowing them to communicate with each other more efficiently and to automatically create workgroups for data sharing, among other applications.
Is UPnP Port Forwarding safe?
UPnP is not a secure protocol. It uses network UDP multicasts, no encryption and no authentication. Since UPnP is not authenticated, one device could request port mapping for an another one. Hackers can abuse UPnP to attack through malicious files to infect your system and gain control. Despite its convenience, UPnP may expose your device to public networks and malicious attacks. It is recommended that your QNAP NAS stay behind your router and firewall without a public IP address. You should disable manual port forwarding and UPnP auto port forwarding for QNAP NAS in your router configuration
How Many QNAP NAS Users Have Been Affected by Deadbolt?
Getting the numbers on how many users have been impacted by this recent attack by the deadbolt group on QNAP NAS devices is exceedingly hard to identify. On the one hand, as this photo station vulnerability has been identified and effective in QTS 5 it has the potential to be high, however, it still heavily relies on having a system set up in a comparatively weak remote access configuration AND having a specific application with access credentials running. This is further reduced in scope as the Photo Station has been largely overtaken in use by QNAP users by the AI-powered QuMagie application. Still, the Photo Station application still has several ‘professional photographer’ services/structural qualities that keep it in use. The Bleeping Computer website identified 182 submissions to the ID Ransomware site reported for ‘Deadbolt’ (which requires uploading an encrypted file, attacker address and/other identifies for clarification of an attack type) with a spike that started on the 3rd of September (necessitating the patch o nthe 4th Sept). How many of the previously submitted reports in August 2022 were related to this photo station vulnerability (at that point unidentified) and how many were repeats by any one user or related to a QNAP NAS that was not updated since the early phase of the Deadbolt ransomware attacks of Jan 2022 cannot be confirmed. Nevertheless, these are still noticable numbers and can comfortably be classed as victims hitting the 3 digit mark.
Source for the below graphic and article – https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks
Alternatively, you can use server/internet service monitors such as censys to search for reported text that is used in the Deadbolt ransomware note. However, this is not the most precise and only further highlights that only QNAP themselves and Deadbolt know the extent of impact of this campaign. Unlike the original Deadbolt attacks of Jan 2022 of QNAP devices, research and strategic advisors at Unit42 noted back in May ’22 that the attack/injection of the ransomware and how it is presented to the user changed (though seemingly still using the same exploit that remained in systems that were not updated, therefore still vulnerable to the exploit in older QTS/QuTS versions and/or continued use in weak internet-facing access scenarios:
Unit 42 is observing a new wave of attacks of the Deadbolt #ransomware targeting QNAP NAS devices involving a new lock screen with updated JavaScript. Cortex Xpanse discovered ~3000 instances of infected devices. Details at https://t.co/uj0TOqACxu pic.twitter.com/RmSzZOAsTq
— Unit 42 (@Unit42_Intel) May 16, 2022
There has been no substantial analysis of the latest version of DeadBolt, but Unit 42 said in it’s May summary that the ransomware program made some significant changes since the March campaign. Specifically, the DeadBolt program now uses revised JavaScript code with a stronger SHA-256 implementation, building on the previous, lower-level ‘SubtleCrypto’ cryptography. Unit 42 researchers said this was likely changed to a stronger standard to accelerate the key verification process and also to ensure the verification works on browsers that do not support the SubtleCrypto API.
What Should You Do To Protect Your QNAP NAS from Deadbolt Ransomware Attacks?
If you are using the QNAP Photo Station application, then you need to suspend using it until you have updated to the latest version. It is worth highlighting again that this vulnerability will ONLY affect you if you have your QNAP NAS directly connected to internet access services (i.e NOT using a VPN or the myQNAPcloud link service). Updates for Photo Station have been issued for QTS 4 and QTS 5 on the brand’s official app portal of your NAS and directly downloadable from their official website:
- QTS 5.0.1: Photo Station 6.1.2 and later
- QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
- QTS 4.3.6: Photo Station 5.7.18 and later
- QTS 4.3.3: Photo Station 5.4.15 and later
- QTS 4.2.6: Photo Station 5.2.14 and later
Outside of QNAP Photo Station, it is incredibly important that users maintain a secure layer/barrier between your NAS and your external internet connection. To protect your NAS from the DeadBolt ransomware, QNAP strongly recommends securing your QNAP NAS devices and routers by following these instructions:
- Disable the port forwarding function on the router.
- Set up myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the internet.
- Update the NAS firmware to the latest version.
- Update all applications on the NAS to their latest versions.
- Apply strong passwords for all user accounts on the NAS.
- Take snapshots and back up regularly to protect your data.
Now, QNAP myQNAPCloud services are not the same as just opening your NAS connection from LAN only to LAN+Remote. myQNAPCloud creates a connection between the NAS and the QNAP access servers via a secure portal (with encryption, SSL certificates and other configurable options that can prevent interception via this tunnel). Then, if you want to create a connection remotely with your NAS, you do so via the QNAP access server – as opposed to the directly NAS connection. This DOES result in a drop in file transmission speeds remotely (as you are moving through an additional transit point), but increases security and authentication substantially. The alternative to this would be to use restrictive/specific open of ports on your router AND recommended use of a VPN – which is definitely a valid and ‘best of all worlds’ solution, but a little more technically advanced than many users are able to configure effectively/securely). If you want to set up a remote myQNAPcloud connection, you need to:
- Log on to QTS as an administrator.
- Open myQNAPcloud.
- Disable UPnP port forwarding.
- Go to Auto Router Configuration.
- Deselect Enable UPnP Port forwarding.
- Enable DDNS.
- Go to My DDNS.
- Click the toggle button to enable My DDNS.
- Do not publish your NAS services.
- Go to Published Services.
- Deselect all items under Publish.
- Click Apply.
- Configure myQNAPcloud Link to enable secure remote access to your NAS via a SmartURL.
- Go to myQNAPcloud Link.
- Click Install to install myQNAPcloud Link on your NAS.
- Click the toggle button to enable myQNAPcloud Link.
- Restrict which users can remotely access your NAS via the SmartURL.
- Go to Access Control.
- Next to Device access controls, select Private or Customized.
Note: Selecting Private allows only the QNAP ID logged in to myQNAPcloud to access the NAS via the SmartURL. Selecting Customized allows you to invite other QNAP ID accounts to access the device via the SmartURL. - If you selected Customized, click Add and specify a QNAP ID to invite the user.
- Obtain the SmartURL by going to Overview.
The final thing to do is to have two applications running on your QNAP NAS regularly. Malware Remover and the QNAP Security Counselor. The Malware tool is for scanning your system for existing threats that may have been installed/engineered inside your system. It then isolates, quarantines as appropriate and removes. The Security Councilor tool is designed to periodically check the security of your entire system, find any potential for an opening that a vulnerability could be exploited via, then makes recommendations on how to close it. This latter tool can be configured via a number of pre-set profiles that scale in severity, but can also be set to custom variables too. These (alongside having updates on both the QTS/QuTS OS and apps via the app center set to automatically download and install) should be among the FIRST things you set up on your QNAP NAS.
It is also REALLY important to note that these applications analyze and identify KNOWN vulnerabilities. They are not omnipresent and, much like in the case of the Photo Station vulnerability that has been identified here and a day 1 patch issued, until it IS recognized as a threat/attack-vector, it will not be seen
What Should You Do If Your QNAP NAS was Hit By Deadbolt Ransomware?
Unfortunately, as it stands, there is little resolution in place to reverse Deadbolt ransomware encryption without paying the 0.05 BTC to the attackers. Some users have reported that snapshots have been useful in reversing the impact (heavily dependent on your retention policy and location, as you still need the original file in a comparable form for snapshots to work). However, a full means to reverse deadbolt is not available. Previous attacks were able to be reverse using data recovery tools such as PhotoRec to restore them to their original version on an external drive, but success in this method with deadbolt has not been exactly positive. If you have no backup in place and your data is truly irreplaceable, then paying might be the only option (at least in the short term). You can follow the instructions that are attached to the Deadbolt warning page on your QNAP NAS GUI. If you have lost access to this GUI in an QNAP update (understandable that you might action this in the vein hope of halting/reversing damage), here is a Deadbolt Decryptor tool (this still requires the encryption key however) – https://www.emsisoft.com/ransomware-decryption/deadbolt
There are several useful references and setup pointers listed in the exceptionally long QNAP forum port HERE and here are their recommendations for you in the event you have been hit:
- If you have full external intact backups, reset your NAS and restore from backups
- If you have no backups and don’t intend to pay, try Qrescue (if your NAS has more than 50% free space and was not written to, chances are ‘OK’ to recover most files)
- If you decide to pay, here is a ‘user’ story’ (Make sure that all auto-updates are disabled during the decryption, so the process is not interrupted)
- To find your decryption key after paying the ransom check here.
- If you are missing the ransom note and bitcoin address (removed by a QNAP firmware update or Malware remover) check here
The Sad Truth about Servers, Security and Vulnerabilities
Vulnerability > Update > vulnerability > update > rinse > repeat
No platform, software or service is going to be 100% bulletproof. You can increase your personal layers of security (VPNs, Encryption, layers, restrictive white lists, etc) to hit 99.99% but whatever way you are looking at it, everything we use is software-based and therefore, fallible. Equally, users cannot pretend that it is still the early days of the internet anymore and still be annoyed when a statistical possibility that should have been factored against was not. Do I think QNAP NAS are safe? I’m sorry to say that the answer is never going to be a simple Yes/No. I think they provide what they say they provide and I think that QNAP hardware is still the best in the market right now. But their software needs to be less rushed, the extra time/budget be spent on that software, or utilize a trusted 3rd party. The need to relinquish some of the customization of their platform in efforts to remove some of the configuration out of the hands of less tech-savvy users who end up overly reliant in defaults. Perhaps a much more rigorous setup policy that, on day 1, have an EXPERT door and a NOVICE door, with randomized defaults and extremely regimented update rules on the latter. Equally, the brand (though better than it was) needs to work on its communication with its end-user base, both in the event of critical issues and education on what the user base needs to have to increase security OUTSIDE of their product. I still recommend the brand, I still think users should use their products, but we need to be realistic and honest with ourselves about what we buy and our expectations. If I buy a QNAP NAS, I expect it to store the data I store in it and allow me access to it on my terms, but ‘my terms’ might be a lot more/less strict than the next person and with that comes due diligence in 2022. I hope that the most recent ransomware attack, deadbolt, is the last ‘big’ one we hear about the year/moving forward, but I do not think it will be. More than just QNAP, one look at the vulnerabilities listed on security advisories of all the brands tell us that there is big money to be made by these intruders and the brands can only stay 1 step ahead. As always, me and Eddie here on NASCompares have been running a page that links to the bigger NAS security Advisory pages that gets regularly updated, so if you want to get notifications on these as they get added (pulled from the official pages themselves), then you can visit the page below and put your email in for updates when they happen. Have a great week and backup, backup, BACKUP.
Click Below to Read
📧 SUBSCRIBE TO OUR NEWSLETTER 🔔
🔒 Join Inner Circle
Get an alert every time something gets added to this specific article!
This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below
Need Advice on Data Storage from an Expert?
Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you.(Early Access) Minisforum MGA1 7600M XT eGPU Docking Station Review
(Early Access) The Best M.2 SSD NAS To Buy Right Now
(Early Access) My Favourite NAS Releases of 2024
(Inner Circle) Recommended ATX NAS Motherboard Guide - 6 GREAT NAS MOBOs!
(Early Access) Flashstor Gen 2 NAS - SHOULD YOU BUY? (Short Review)
(Early Access) The DREAM Video Editor NAS - Flashstor Gen 2 Review (FS6806X)
Access content via Patreon or KO-FI