Terramaster NAS Devices Being Attacked By Deadbolt Ransomware

1 March 2022 at 11:49

Deadbolt Ransomware Attacking NAS Drives Again – This time it is Terramaster


It pains me to make this post, but yes, Deadbolt ransomware has once again attacked NAS drives, and this time the target is Terramaster devices. Although exact details of the attack vector are yet to be confirmed (I will be updating this article as more information arrives), it looks very similar to the attack that affected Asustor last week: the same style of screen highlighting the means of paying the ransom, and similar ways in which people have been alerted to it on their individual systems. Likely candidates at the time of writing point to this being based either on a UPnP weakness (similar to a previous ransomware exploit) or on weak network management (either in the ports used or in 3rd-party applications poking holes in your firewall to facilitate remote access). As mentioned, the details are still rather murky and the first hit reported by users online was around 10 hours ago, so similarities in how people have arranged their network/system services are slowly being pieced together. If you DO own a Terramaster NAS drive right now, I would make the following recommendations:

  • Run a Backup! But check that you have not already been hit by the Deadbolt ransomware, so that you do not inadvertently overwrite your ‘god’ backups. I would STRONGLY recommend, where space/budget allows, running a completely new and independent backup of the whole system or at the very least of your irreplaceable/mission-critical data
  • Disconnect your system from ANY internet connection unless you are 100% confident that your network security is secure (even a VPN does not change the fact that some apps and services open router ports as a necessity)
  • Check your system logs for any large number of IP login attempts. Not strictly necessary in this case, as the attack vector is still unconfirmed at the time of writing, but check nonetheless
  • Power down your device unless you are 100% confident that you are untouchable. Deadbolt is actioned INITIALLY over the internet, pushing a command to the system to conduct a large-scale encryption, delete the encryption key and replace the login screen with their own payment window and key entry. So, if you are BEING attacked by Deadbolt ransomware, disconnecting the system from the network/internet is not enough, as from THAT point all operations are being conducted locally (i.e. inside the system). So power down your device until Terramaster issues a patch to close whatever exploit Deadbolt is utilizing
  • At the time of writing, we are still awaiting further information on the Deadbolt active process (i.e. in the task/resource monitor). When that is established, you can use SSH and a suitable command client to patch in and kill the process; HOWEVER, you should disable SSH for now if you HAVE NOT been hit, as this manner of control is how the bulk of ransomware attacks are conducted automatically
  • Change credentials for the admin account. Although TOS 5 (previewed last month here on YouTube) has the option to disable the admin account (as well as a kill switch for all remote access), the current version of TOS 4 does not have this functionality
  • Change your local network and remote access ports from the defaults 8000, 8080, 8001 etc to something randomized

IF your Terramaster NAS is COMPLETELY isolated from the internet (and you are 100% certain of this, e.g. you connect PC-to-NAS directly OR you run the NAS on an isolated VLAN in your network behind several layers), then you can largely ignore the above.

UPDATED 02/03 08:00 GMT


Since the Deadbolt ransomware’s first targeted attacks yesterday, Terramaster has rolled out a new firmware update (TOS version 4.2.30) and strongly recommends that users who have not yet been affected upgrade now. The update is available from the usual system settings, software update menu within the TOS web browser GUI, shown in the window below:



Alternatively, you can manually download the TOS 4.2.30 update directly from the TerraMaster official website -> SUPPORT -> DOWNLOAD page (see image below): https://support.terra-master.com/download/



It is VERY IMPORTANT that users understand the following details before they update their Terramaster NAS to this latest firmware version:

  • If you install this update, it WILL NOT recover/decrypt files that have already been hit by Deadbolt (i.e. files that now carry the ‘.deadbolt’ extension in their name). This update closes the vulnerability that allowed the Deadbolt group to inject a command into your Terramaster NAS and carry out the attack.
  • If you install this update, it will remove the black Deadbolt entry screen from your Terramaster NAS when accessing it via the web browser. However, in doing this, you will also lose the (arguably crap) option to recover your files by paying the ransom group, getting an encryption key and decrypting your data. Although unaffected users and those who have zero intention of engaging with the Deadbolt group will be happy with this, users who have lost mission-critical/irreplaceable data and might consider this option may want to think about this update a little further. When Deadbolt hit Asustor NAS devices last week and Asustor issued a firmware update, they also added a small add-on in the app center that allowed the end-user to still access this screen in an isolated fashion, keeping the option of an (arguably illegally) paid-for route to recovery.
  • Right now, users are attempting to perform recovery of Deadbolt files via Linux-mounted drive setups. It is a painfully slow and low-success (as a % of the user base) operation, but if your data is important to you and/or you want to resume access to your NAS whilst keeping the encrypted data to one side, I recommend removing the HDD/SSD media (keep track of which drive was in which bay), replacing the drives in the Terramaster NAS and re-initializing. Then you can reintroduce those drives to the NAS or to a Linux machine in the event of a recovery method becoming possible.

Back to the Original Article.

What Do We Know About the Terramaster NAS Deadbolt Ransomware Attack?


The bulk of the details, even at this early stage of the Terramaster NAS Deadbolt ransomware attack, bear a lot of similarities to those of the Asustor attack last week (read the article on that plus all the updates and, MOST IMPORTANTLY, the comments on that article, as there is a lot of information on how people responded/adapted when this hit them). Most users realised that their Terramaster NAS was in the process of being hit by Deadbolt ransomware in two very clear ways, one arguably worse than the other. The first was that many of the more value-series Terramaster NAS systems (2/4-bay systems at the dual-core level) had a sharp and very noticeable rise in system fan activity (and HDD LEDs flashing incessantly) as the encryption command pushed the system very hard indeed. If you were fortunate enough to spot this early, then there is a reasonable chance that the % of files encrypted would be very low. However, a larger proportion of users found their NAS system mostly/completely encrypted overnight (or whilst they were out of sight/earshot of the NAS), and their first knowledge of the attack was to be greeted by this (now depressingly familiar in 2022) Deadbolt login screen:


Important Message for TERRAMASTER
All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:


1) Make a bitcoin payment of 5 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:


You will receive all details about this zero-day vulnerability so it can be patched. A detailed report will be sent to [email protected].


2) Make a bitcoin payment of 15 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:


You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to [email protected].


Upon receipt of payment for either option, all information will be sent to you in a timely fashion.


There is no way to contact us.
These are our only offers.
Thanks for your consideration.


Greetings,
DEADBOLT team.


If you are unsure whether you have been hit by the Deadbolt ransomware attack (i.e. you can still log in fine and the login screen has not changed) but want a quick checklist of things to monitor, here is a brief to-do list:

  • Your remotely mounted storage is suffering delayed responses/file opening (e.g. mapped drives, SMB mounts, etc.), as this could mean that these are in use by the system and being encrypted. The same goes if a recently accessible remote mount is now inaccessible
  • Search for .deadbolt in the file manager search bar. It is not the quickest, but any file hit by this will have the .deadbolt file extension
  • Your regular overnight backup(s) failed or took way, WAY too long, as this indicates a large amount of HDD activity taking place at the same time as your regular backups; even 3-4 hard drives in a RAID 5 will struggle to maintain even marginally good input/output when these larger-volume activities run simultaneously
  • Your system fans are speeding up as drive activity has increased notably (encryption is a hefty task for any system to conduct, especially on the entire storage pool/volumes/etc.)
  • Your HDD/SSD LEDs are going NUTS! This also applies if you are using larger-than-8TB drives or larger Seagate IronWolf NAS drives, Ultrastar, Red Pro, Exos, etc., as these Pro/Enterprise-class drives make some real noise in heavy crunch activity such as large-scale encryption

Currently (01/03/22 9:30 AM GMT) Terramaster has yet to issue a formal statement on this or a firmware update, but the attack is around 12 hours old at most. Still, this is now the 3rd Deadbolt attack to hit NAS brands in the last 6 months (Asustor and QNAP previously), alongside the earlier attack on a vulnerability in TOS at the start of the year. There are hopes that the forthcoming TOS 5.0 update (still in beta) will feature improvements in its network security and in how much access installed apps have to the core system administration.

What Does Terramaster Advise to Prevent the Deadbolt Ransomware?


Terramaster has responded to this recent Deadbolt ransomware attack of their NAS systems with the following statement:


Recently, we have received reports of some TNAS devices being attacked by Deadbolt Ransomware. Based on the case analysis, we initially concluded that this was an external attack against TNAS devices. To protect your data from Deadbolt, please take action now!


If your NAS works normally, we suggest you take the following countermeasures:

1. Upgrade your TOS to the latest version;
2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;
3. Disable port forwarding on your router. After disabling this function, you will not be able to access TNAS through the TNAS device bound to the DDNS external network.
4. Disable the UPnP function on your TNAS. After disabling, your PC, multimedia box, TV and other devices may not be able to access TNAS through UPnP protocol, please use DLNA, NFS, SMB protocol to access TNAS instead.


For more detailed measures, please refer to the following link:


https://www.terra-master.com/global/press/index/view/id/1143/


 


If you find that your NAS has unfortunately been affected by Deadbolt Ransomware, please follow the steps as below:

  1. Remove the LAN network cable from your TNAS device immediately.
  2. Power off your TNAS; x86 models: short press the power button; ARM models: long-press the power button for 3 seconds.
  3. Do not initialize your NAS as this will erase your data.
  4. Please contact the online support on our official website or email to [email protected] directly.


Additionally, there is a great deal of activity in the last 12 hours on the official support forums on this, with a Terramaster Customer Representative issuing the following response to an initial enquiry on deadbolt ransomware attacks:



Right now, Asustor has yet to issue further information on recovery on this (unless I have updated this article above with further information), but I would recommend following the steps provided by other NAS brands in the wake of a ransomware attack such as this:

  • Change your password.
  • Use a strong password.
  • Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
  • Change web server ports. Default ports are 80 and 443.
  • Turn off Terminal/SSH and SFTP services and other services you do not use.
  • Make regular backups and ensure backups are up to date.

Until the attack vector is established, I would recommend going ‘all in’ on updating your security settings. Although a lot of the changes relating to password changes seem unrelated to this, without having a complete throughline on similarities between users, it is best to dot every i and cross every t!

Is There A Solution, Restoration or Recovery Method Currently Available to Deadbolt Affected Terramaster NAS?


As it stands, there is no resolution available from Terramaster if your files have been encrypted by Deadbolt ransomware. Other than paying the ransom (which would suck!), many are looking at methods of recovery using Linux-based mounting of the drives and accessing any snapshots in a BTRFS volume (or using PhotoRec/TestDisk in the hope of reverting the files), but even then, there is little currently possible to recover affected files. That may not always be the case, and I would still recommend keeping the encrypted files (in a 2nd location if you need to format your Terramaster for continued use), as recovery methods might become available in weeks/months from now. Terramaster issued an updated press release on this with further instructions on disabling specific services. From the release: “We suggest you take the following countermeasures:”

  1. Upgrade your TOS to the latest version;
  2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;
  3. Disable port forwarding on your router. After disabling this function, you will not be able to access TNAS through the TNAS device bound to the DDNS external network.
  4. Disable the UPnP function on your TNAS. After disabling, your PC, multimedia box, TV and other devices may not be able to access TNAS through UPnP protocol, please use DLNA, NFS, SMB protocol to access TNAS instead.
  5. Disable RDP, SSH and Telnet when not in use;

Additional Changes Here:

  6. Change the default port of FTP. When you use the FTP protocol to access, please pay attention to bringing the port, such as ftp://192.168.0.1:1990.
  7. Set a high security level password for all users;
  8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
    Note: For versions after TOS 4.2.09, you can set the administrator account without using the default admin username when installing the system. If it was upgraded from a version before TOS 4.2.09, you need to reset the system configuration, then you can customize the user name.
  9. Enable firewall and only allow trusted IP addresses and ports to access your device;
    a. Go to Control Panel > General Settings > Security > Firewall.
    b. Create a firewall rule and choose the operation of allow or deny.
    c. Fill in the IP range you allow or deny access to. If you fill in the network you want to deny access to, please fill in the subnet address correctly, otherwise it may cause your existing devices to be unable to access TNAS.
  10. Avoid using default port numbers 5443 for https and 8181 for http. After changing, please enter IP:Port in the browser address bar, such as 192.168.0.1:8186.
  11. Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts;
  12. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy.



If your Terramaster NAS was NOT affected, I would still recommend disabling remote/internet access, as the attack vectors are not clear and there are reports right now from some users who state that they had the latest firmware and were still hit. Therefore, right now there is too much unconfirmed info to allow remote access (in my opinion), and until further info is made available, I strongly recommend disconnecting your Terramaster NAS from the internet (by wire AND via the software settings) and getting your backups in order. I will update this article as soon as more information becomes available.

Asustor NAS Uninitialized Repair After Deadbolt Ransomware – Getting Back to ADM, Avoiding the Black Threat Screen & Seeing What Remains of your Data

25 February 2022 at 10:05

Getting Your Asustor NAS System Up and Running Again After Ransomware Attack


It has now been a few days since the initial attack on Asustor NAS systems by the Deadbolt ransomware and, although full recovery is still not a complete option for a lot of users (without taking the agonizing step of paying the group for an encryption key – gah!), there have been steps by users, the Linux community and Asustor to mitigate some of the damage for some and, for those unaffected, to allow them to use their systems with a little more confidence and comfort. Below are some instructions that will be of use to users who are currently in the following situations with their Asustor NAS:

  • When the encryption/attack first started (or you first noticed the NAS activity) you powered down your system abruptly and your NAS now shows as ‘Uninitialized’
  • You Have the Asustor NAS working, but are being greeted by the black deadbolt threat screen that you want to navigate around WITHOUT using SSH/Command line
  • You are in either of the above two positions AND you have snapshots or a MyArchive routine setup on your NAS

If any of those three setups describe the position that you/your Asustor NAS is currently in, then you may well find this guide useful. However, DO remember that you are still dealing with your data and, although this guide has been provided for the most part by the brand themselves (with additions by myself – Robbie), you should immediately have a backup of your data (even if it’s encrypted, in case of a system failure etc.) and/or an external drive ready to move any/all data over to. If you caught the ransomware encryption early, then you might still have a good % of your data intact. Observing numerous affected machines has shown us that the encryption/changes begin at the system level (i.e. so it can change the index screen, renaming, etc.), so in some cases people have reported that they caught it in time for some data to have been RENAMED (i.e. the .deadbolt extension that is affecting access, or older structure in some cases) but not actually encrypted. So, this guide is about getting you into a position to access your Asustor NAS GUI and see whatever the state of your data is. After that, you may still have no option but to format your system, wait for any kind of brand/community recovery method or (and I do not say this lightly, as the thought of this kind of behaviour continuing is disgusting) pay the ransom to get your data back. I appreciate that this is S&!T, but some business users might have little choice. Let’s discuss access recovery options. If you are unaware of everything that has occurred to Asustor and the Deadbolt ransomware, you can watch the attached video below:


Asustor NAS – How to Get Your NAS Running Again If It Is Saying Uninitialized


If you powered down your NAS abruptly when you saw the black threat screen OR unusual activity on your NAS (either by pulling the power cord or holding the power button for 5-10 seconds), then chances are that, as the encryption hits the system files first and was in progress, your NAS is now showing as ‘uninitialized’. This is because the system software is now corrupted. Yesterday Asustor released a new firmware update that closed the vulnerability (they claim; I have not verified personally yet). So, the following steps in the guide, using the client desktop software Control Center and an internet connection (which can be just on your PC/Mac, with your Asustor directly connected, if you choose), will allow you to access your NAS login GUI.



If you have shut down before, please connect to a network. If you enter the initialization page, please follow the instructions below to update your NAS:


Step 1

  • If you enter the initialization page and have an Internet connection, please press Next.

  • Please click Live update and then click Next.


Step 2

  • If you’re on the initialization screen and not connected to the Internet, please download ADM from ASUSTOR Downloads to your computer.
  • Once done, manually update ADM by uploading the ADM image file from your computer as shown below.
  • Please press Next.


Step 3

  • Update.
  • After the update has completed, you’ll be able to return to ADM.

Asustor NAS – If You Are Still Seeing the Black Threat Deadbolt Ransomware Screen


If you have access to your NAS drive BUT are faced with the black threat login screen that replaced the previous one, AND have followed the previous steps to install the latest firmware, the next three steps should allow you to navigate AROUND this and remove it entirely.


If the ransomware page remains after you connect to a network:

  • Please turn off your NAS, remove all hard drives and reboot.
  • When the initialization page appears, reinsert the hard drives.
  • Please follow the instructions above to update your NAS.

Asustor NAS – How to Restore Data with Snapshots, MyArchive Backups or Mirrored Volumes


Now, the next step is not going to be an option for everyone. Once you have logged in and assessed the extent of the file damage by encryption (e.g. % of files affected, are they encrypted completely OR just renamed? etc.), the following steps will be of use to those of you who are running a BTRFS setup and have set up snapshots and/or the MyArchive backup/sync storage service. This part of the guide also includes the means to install a ransomware tool that (I know, ANNOYINGLY) gains access BACK to the black encryption entry screen. So if you have no choice (I am not judging you, the importance of your data is your call) and are going to choose to pay the ransom as it is going to cost you less than not retrieving your data, then you can use this ‘ransomware status’ tool to gain access back to the payment screen and encryption key window, and ultimately pay the hackers. Again, it’s your call.


If you want to restore data and you have more than one volume installed on your NAS, use MyArchive drives, or have previously made Btrfs snapshots, please refer to the following instructions below. Restore all backups that you may have. Alternatively, if you have Btrfs snapshots, use Snapshot Center to restore previous versions of files and erase changes done by ransomware.



If regular backups were not kept and you want to enter the decryption key to retrieve lost data:


  • Confirm details and press Install.

  • Wait for installation to complete.

  • Reload the webpage to enter the ransomware screen again. You’ll be able to enter the decryption key.

  • If you want to return to ADM, you can do this in one of three ways. You can add backup.cgi after /portal/ in the address bar of your browser, you can hold the power button for three seconds to shut your NAS down and turn it on again, or you may use ASUSTOR Control Center or AiMaster to restart your NAS.




  • Afterwards, it is imperative to uninstall Ransomware Status from App Central.




Asustor NAS Drives getting hit by Deadbolt Ransomware

21 February 2022 at 18:30

If you own an Asustor NAS and are reading this – CHECK IT NOW


Original Article – As of around 1 hour ago, multiple users online are reporting that their Asustor NAS systems have been attacked by ransomware known as Deadbolt. Much like the ransomware attack on QNAP NAS systems of the same name, this is a remote-command-push encryption attack that takes advantage of a vulnerability in the system software to command the system to encrypt the data on the NAS, with the added twist in this recent update of replacing the login GUI with a screen asking for 0.03 BTC.


Updated 24/02 09:45 GMT


Asustor has just released a firmware update for their ADM 4 systems (HERE) for users who have not been hit by the Deadbolt ransomware attack and who have been keeping their systems offline and/or powered down until the security issue/vulnerability was identified and neutralized. Here are the Asustor details on this:


An emergency update to ADM is provided in response to Deadbolt ransomware affecting ASUSTOR devices. ASUSTOR urges all users to install the latest version of ADM as soon as possible to protect themselves and minimize the risk of a Deadbolt infection. ASUSTOR also recommends taking measures to guard against the potential harms of Deadbolt in accordance with the previously announced protective measures. Please review the measures below to help increase the security of your data on your ASUSTOR NAS.

  • Change your password.
  • Use a strong password.
  • Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
  • Change web server ports. Default ports are 80 and 443.
  • Turn off Terminal/SSH and SFTP services and other services you do not use.
  • Make regular backups and ensure backups are up to date.

In response to increasing numbers of ransomware attacks, ASUSTOR has committed to an internal review of company policies to regain customer trust. This includes, but is not limited to increased monitoring of potential security risks and strengthening software and network defenses. ASUSTOR takes security very seriously and apologizes for any inconvenience caused.


Updated 23/02 21:03 GMT


Much like the Deadbolt attack on QNAP devices earlier in 2022, in the changed index GUI on affected NAS devices the Deadbolt team are offering to provide ASUSTOR with information about the zero-day vulnerability used to breach the NAS devices, and the master decryption key for all affected users to get their data back. The DeadBolt screen includes a link titled “important message for ASUSTOR,” which displays a message from DeadBolt for the attention of ASUSTOR. The DeadBolt orchestrators are offering details of the vulnerability if ASUSTOR pays them 7.5 BTC, worth $290,000. DeadBolt is also offering ASUSTOR the master decryption key for all victims plus the zero-day breakdown for 50 BTC, worth $1.9 million. The ransomware operation states that there is no way to contact them other than making the bitcoin payment. However, once payment is made, they say they will send the information to the [email protected] email address.



Updated 06:50 GMT



Asustor has issued the following statement and recommendation for those who are (or believe they have been) affected by the Deadbolt ransomware:


In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to will be disabled as the issue is investigated. For your protection, we recommend the following measures:


Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.


For more detailed security measures, please refer to the following link below:
https://www.asustor.com/en-gb/online/College_topic?topic=353


If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.


https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform


Regarding filling out the technical support form, this is likely to help the brand identify the scale of the issue, but also to allow faster sharing (to those affected) of any recovery tools that might become possible. However, the culprit is looking increasingly like the EZ Connect Asustor remote service. This has been further backed up by the fact that the official Asustor ADM demo page has also been hit by the Deadbolt ransomware (now taken offline). Additionally, many users who powered down their device during the Deadbolt attack have, upon rebooting their NAS, been greeted with the message in the Asustor Control Center application that their system needs to be ‘re-initialized’. The most likely reason for this is that during the encryption process the core system files are the first files that get targeted, and if the system was powered off immediately during this process, it may have corrupted system files. We are currently investigating if a recovery via mounting a drive in a Linux machine is possible (in conjunction with roll-back software such as PhotoRec).



If your Asustor NAS is in the process of being hit (even if you only suspect it), for example because your HDDs are buzzing away unusually and the HDD LEDs are flickering at an unusual hour, then check the process manager to see whether a Deadbolt encryption process is running. The following course of action was suggested by NAScompares commenter 'Clinton Hall':


My solution so far: log in via SSH as the root user


cd /volume0/usr/builtin
ls


You will see a 5-digit binary executable file. For me it was 22491. I use that in the following command to get the process ID:


ps | grep 22491


From this I got the process ID 25624. I kill that process:


kill 25624


I then remove the binary file:


chattr -i 22491
rm -f 22491


Now, restore the index as above:


cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi


Now for the fun part... a LOT of files had been renamed (not encrypted) to have .deadbolt appended to the end of the filename, so rename them back.


(Note: you may want to do this folder by folder and check it is working.) The following will do it for the entire /volume1:


cd /volume1
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +


After these are all renamed, everything should work. It is probably a good idea to reboot to restart the services etc.


Also, I'm not sure if the above will definitely traverse the [email protected] etc., so I did this manually:


cd /volume1/[email protected]
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
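Folding the steps from this comment into one reusable script, as an added example that is not the commenter's own and not anything from Asustor: it restores index.cgi from the backup copy, then strips the .deadbolt suffix only from files whose content still looks intact. That check matters because the same extension is used whether a file was merely renamed or actually encrypted, and renaming a genuinely encrypted file gains nothing and muddies later recovery. The portal path and the index.cgi.bak name come from the comments on this page; the magic-number table, the 200-distinct-bytes threshold and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Deadbolt clean-up helpers for an ASUSTOR ADM shell session (run as root over SSH).
# Added example, not the commenter's script and not ASUSTOR tooling. The portal path
# and the index.cgi.bak name come from the comments above; the magic-number table and
# the 200-distinct-bytes threshold are this example's own assumptions.

PORTAL_DIR="${PORTAL_DIR:-/usr/webman/portal}"

# Clear the immutable bit (the dropper sets +i on what it plants) if chattr exists, then remove.
force_rm() {
    if command -v chattr >/dev/null 2>&1; then chattr -i "$1" 2>/dev/null || true; fi
    rm -f "$1"
}

# Put the original index.cgi back from the backup copy. Returns 1 if there is no backup.
restore_portal_index() {
    dir="${1:-$PORTAL_DIR}"
    [ -f "$dir/index.cgi.bak" ] || { echo "no index.cgi.bak in $dir" >&2; return 1; }
    force_rm "$dir/index.cgi"
    cp "$dir/index.cgi.bak" "$dir/index.cgi"
}

# First N bytes of a file as lowercase hex, e.g. "ffd8ff" for a JPEG.
head_hex() { od -An -tx1 -N"$2" "$1" | tr -d ' \n'; }

# Distinct byte values among the first 512 bytes: ciphertext lands around 220, text far lower.
distinct_bytes() { od -An -tu1 -N512 "$1" | tr -s ' \n' '\n' | sort -u | grep -c .; }

# Expected magic for the ORIGINAL extension (the part before .deadbolt). Small table (assumption).
expected_magic() {
    case "$1" in
        jpg|jpeg)       echo ffd8ff ;;
        png)            echo 89504e47 ;;
        pdf)            echo 25504446 ;;
        zip|docx|xlsx)  echo 504b0304 ;;
        *)              echo "" ;;
    esac
}

# True (0) when the content no longer matches what the original name claims: a magic-number
# check for known binary types, a byte-distribution check for everything else.
looks_encrypted() {
    f="$1"
    orig="${f%.deadbolt}"
    ext=$(printf '%s' "${orig##*.}" | tr 'A-Z' 'a-z')
    magic=$(expected_magic "$ext")
    if [ -n "$magic" ]; then
        [ "$(head_hex "$f" $(( ${#magic} / 2 )))" != "$magic" ]
    else
        [ "$(distinct_bytes "$f")" -gt 200 ]
    fi
}

# Strip ".deadbolt" from every file under ROOT whose content still looks intact. Files that look
# encrypted are left alone (renaming gains nothing and hides the evidence), and an existing
# target is never clobbered. Prints "renamed=N skipped=M". DRY_RUN=1 reports without renaming.
rename_deadbolt() {
    root="$1"; renamed=0; skipped=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if looks_encrypted "$f"; then
            echo "SKIP (content looks encrypted): $f" >&2
            skipped=$((skipped + 1)); continue
        fi
        target="${f%.deadbolt}"
        if [ -e "$target" ]; then
            echo "SKIP (target already exists): $f" >&2
            skipped=$((skipped + 1)); continue
        fi
        [ "${DRY_RUN:-0}" = 1 ] || mv -- "$f" "$target"
        renamed=$((renamed + 1))
    done <<EOF
$(find "$root" -type f -name '*.deadbolt')
EOF
    echo "renamed=$renamed skipped=$skipped"
}
```

Run it on one share first with `DRY_RUN=1 rename_deadbolt /volume1/share`, read the SKIP lines on stderr, and only then run it for real. Files reported as "content looks encrypted" should be left untouched and backed up as they are, in case a decryptor appears later.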


If you have not been hit, I would recommend actioning the following from within your Asustor NAS or, better yet, where possible, powering the device down until an official statement and a firmware patch are issued.

  • Disable EZ Connect
  • Turn off automatic updates
  • Disable SSH (if you do not need it for other services)
  • Block all NAS ports of the router, and only allow connections from inside the network

Updated 19:30 GMT


More details are emerging and, judging by the messages on the official Asustor forum and Reddit, the attack appears to stem from a vulnerability in EZConnect that has been exploited (still to be confirmed). User billsargent on the official Asustor forums has posted some useful insights into how to get past the login screen, along with details on the processes involved:


Take your NAS OFF of ezconnect. Block its traffic incoming from outside.
This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index there.
To remove theirs, you need to chattr -i index.cgi and replace it with the backup.
But you’ll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.
This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi. 


And:


I am assuming you have ssh capabilities? If so you just need to ssh in and login as root and run these commands. This should help you get back into the portal.


cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi


If you look at the index.cgi they created before you delete it, it's a text script.
I am still in the investigative stages but nothing in my shares has been locked up with this yet. Just things in /root so far.
I've pulled out a ton of LTO tapes to backup my data. I think this is going to require a full reset. I hope asustor releases a fix for this but I will never allow my NAS to have outside access again.


For clarification, this is what my /usr/webman/portal directory looked like. The .bak file is the original index.cgi.
I apologize if my posts seem jumbled up a bit. I’m trying to help and also figure this out as well. So I’m relaying things as I find them in hopes that others will be able to at least get back to their work.


Thank you to Asustor user billsargent for the above and full credit to him on this of course.
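Pulling the indicators from billsargent's notes and the process-manager check suggested earlier into one check that can be run over SSH before anything is killed or deleted, as an added example that is not his code and not Asustor's: it flags processes whose executable name is only digits, numeric-named files in /volume0/usr/builtin and /tmp, and an index.cgi that no longer matches index.cgi.bak. The indicators themselves are the ones reported on this page; the column handling and the report format are this example's own choices.

```shell
#!/bin/sh
# Deadbolt indicator checks for an ASUSTOR ADM shell (run as root over SSH).
# Added example, not billsargent's or ASUSTOR's code. The indicators are the ones reported
# in the posts above: an all-digit process name, all-digit binaries in /volume0/usr/builtin
# and /tmp, and an index.cgi that no longer matches index.cgi.bak. Everything else
# (column handling, the report format) is this example's own choice.

# Read `ps` output on stdin; print "PID NAME" for every process whose executable name is
# only digits. The PID is the first numeric column and the name is the basename of the last
# column, which suits busybox `ps` and `ps -eo pid,comm`; with `ps aux` the last column can
# be an argument rather than the binary, so prefer the comm form where available.
numeric_process_pids() {
    awk '$1 ~ /^[0-9]+$/ {
            cmd = $NF; sub(/.*\//, "", cmd)
            if (cmd ~ /^[0-9]+$/) print $1, cmd
        }'
}

# List regular files whose name is only digits directly inside each given directory.
numeric_binaries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f | grep -E '/[0-9]+$' || true
    done
}

# True (0) when index.cgi differs from the backup the posts describe, i.e. the dropped
# replacement is in place. A missing backup counts as "not tampered" (nothing to compare).
portal_index_tampered() {
    dir="${1:-/usr/webman/portal}"
    [ -f "$dir/index.cgi.bak" ] && ! cmp -s "$dir/index.cgi" "$dir/index.cgi.bak"
}

# Run all three checks. Reads `ps` output on stdin; the first argument is the portal dir,
# the rest are directories to scan for numeric binaries. Prints findings; returns 0 if any
# indicator is present, 1 if none.
# Usage: ps | deadbolt_indicators /usr/webman/portal /volume0/usr/builtin /tmp
deadbolt_indicators() {
    portal="$1"; shift
    found=1
    procs=$(numeric_process_pids)
    if [ -n "$procs" ]; then echo "numeric-named processes:"; echo "$procs"; found=0; fi
    bins=$(numeric_binaries "$@")
    if [ -n "$bins" ]; then echo "numeric-named binaries:"; echo "$bins"; found=0; fi
    if portal_index_tampered "$portal"; then
        echo "index.cgi differs from index.cgi.bak in $portal"; found=0
    fi
    return $found
}
```

`ps | deadbolt_indicators /usr/webman/portal /volume0/usr/builtin /tmp` prints what it finds and exits 0 when there is at least one hit. It deliberately only reports: whether to kill the process is the judgement call discussed further down, since stopping a file mid-encryption may leave it unrecoverable.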


(Continuing with the Original Article from 21/02 17:30 GMT)


Although it is still very early in this encryption attack, reports are starting to emerge on forums and on Twitter; see below:

Oh no!! My home ASUSTOR NAS has been attacked by some ransomware called DEADBOLT! I had seen that it was recently getting into QNAP NAS units, but I never imagined my own NAS would be hit...
The one small mercy is that I had not put any really important data on it, but losing around 700GB of data is a shock. Anyone using an ASUSTOR NAS should disconnect it from the internet right away. pic.twitter.com/gBFu8yx4hG


— sudara (@sudara_hodara) February 21, 2022



Additionally, the ransom splash page contains a call-out to Asustor themselves (much like the QNAP NAS Deadbolt attack), with a message and a link inviting the brand to open a discussion (i.e. pay) for a master key and details of the vulnerability that was exploited:


“All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:”


Details are still emerging, so I will keep this article short for now and add more as they arrive. If you own an Asustor NAS, check it immediately, regardless of whether you have enabled remote access via EZConnect; that is not necessarily the key to the attack vector (port changes made by your system for remote DLNA, for example, are another possibility). Check it now and ideally disconnect it from the internet. There is currently not enough information to tell whether this is a case of out-of-date firmware carrying a known vulnerability or something inherent in the current firmware. Regardless, check your system and, where possible, disconnect it from the internet until further details are confirmed here, on reputable sites such as Bleeping Computer, or via direction from Asustor themselves.



Once you log into your NAS, check your logs and your running processes. If you have the means to back up to a NEW location, do so. DO NOT overwrite your existing backups unless you are 100% certain you have not been hit by the Deadbolt ransomware.

What to Do if you have been hit by the Deadbolt Ransomware


If you have been hit, you will likely be unable to connect remotely to your NAS files/folders. Even if you can, check whether the files still open or whether they have been encrypted (the file extension will have changed). Several users have commented on Reddit, and there are similar threads describing their setups and how they were hit.


IF you still have access to your files, get your backups in order!!!!!


Otherwise, if you have been hit, disconnect your system from the internet. Killing the process in the task manager is an option, HOWEVER do bear in mind that doing so might corrupt files that are mid-encryption and so prevent any kind of recovery. I am checking with a couple of affected users (and reaching out to Asustor as we speak) to see if a suitable course of action can be recommended. Some users who restarted their system, or immediately pulled the power and rebooted, have found that their system now states that it needs to be reinitialized.


One big factor to keep in mind right now is that it is still unclear a) whether the Deadbolt ransomware can be killed as a system process from the Asustor Control Center (I do not have an affected Asustor NAS in my possession right now) and b) whether switching your system off DURING the Deadbolt attack can leave data unsalvageable because the encryption was only partway through. So, disconnect from the internet (physically and via EZConnect for now) and if you can see your CPU usage spiking and/or your HDD LEDs going nuts, you are likely being hit.

My Asustor NAS is Saying it is Uninitialized


DO NOT RE-INITIALIZE YOUR NAS, at least not yet. If you have already powered down your NAS as a reaction to the attack (understandable, if not the best choice without knowing the full attack vector or how this affects the encryption) and you are being greeted by the option to reinitialize in the Asustor Control Center application, then power the device down again. But again, I only recommend this right now for those who have already reacted to the attack by shutting down or restarting their system post-attack.

If I am not hit by Deadbolt, Should I disconnect my Asustor NAS from the internet?


For now, YES. The attack vectors are not clear, some users report that they were hit despite running the latest firmware, and there is too much unconfirmed information here to justify allowing remote access (in my opinion). Until further info is made available, I strongly recommend disconnecting your Asustor NAS from the internet (by wire AND via the software settings) and getting your backups in order.


I will update this article soon as more information becomes available.

