How to defend against Deadbolt Ransomware attacks on NAS devices

Quick and easy installation of a network device is rarely a good way to manage risk. Users of common network storage devices are learning that enabling direct Internet access to their confidential information, information needed to run a business, is never a good idea, as Deadbolt ably demonstrates.

Deadbolt, a ransomware iteration that appeared in January 2022, primarily targets NAS products of the Taiwanese company QNAP (Quality Network Appliance Provider), likely because it holds about 53% of the market share of the target systems. ASUSTOR NAS devices have also been attacked, but this article focuses on the primary target.

While this is a look at a specific set of targeted devices, what we’re reviewing here contains lessons for implementing critical information assets, including IoT devices.

What is QNAP NAS?

QNAP NAS (Network Attached Storage) devices, aimed at small/home offices, small businesses and some medium businesses, are relatively inexpensive, easy to set up and easily accessible to threat actors. While Storage Area Networks (SANs) house the organization’s databases, NAS storage contains Word documents, Excel spreadsheets, and other files that contain data across multiple labels.

Figure: QNAP TS-664

Paul Ducklin writes that these NAS boxes are “…miniature, pre-configured servers, typically running Linux.” For a small business or home that installs a QNAP NAS, the customer just plugs it into their router, and the UPnP protocol allows for easy connectivity and availability. Larger organizations may require more complex configuration for wired access, but this quick and easy implementation approach can be an easy path to getting initial Internet access for NAS devices.

External challenges facing UPnP

UPnP (Universal Plug and Play), also known by many security professionals and threat actors as Universal PWN and Play, is a set of protocols that allows any device on a network to discover any other device, enabling sessions to be established with those devices without any inherent authentication capability.

UPnP was originally intended to provide home and home office users with an easy way to connect new devices to their internal networks. It was never intended to be used in an enterprise network environment, and should never be used to enable remote access.

What makes QNAP NAS devices so easy to set up is having UPnP enabled on the network router and on the devices to be connected. The router uses UPnP to identify available UPnP-enabled devices and add them to the router’s port forwarding capabilities. An important point to remember: if a threat actor can talk to a device via UPnP, it can use all the specified services or reconfigure the device settings.

Once the router knows about a device, it configures port mapping for the services the device offers. When UPnP port forwarding is enabled on a wireless router, as in Figure 2, any external entity that sends a session request to the router’s public-facing interface with port number 55536 is forwarded to the QNAP NAS. In effect, the NAS is directly connected to the Internet, along with any known or unknown configuration and encryption errors.
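
A defender can check for this exposure by reading the router's UPnP port-mapping table. The sketch below is an added example, not part of the original article: it parses constructed replies shaped like the UPnP IGD `GetGenericPortMappingEntry` action and flags enabled mappings that forward to a storage host. The NAS address 192.168.1.50 and the internal ports are assumptions; only external port 55536 comes from the text.

```python
import ipaddress
import xml.etree.ElementTree as ET

FIELDS = {"NewRemoteHost", "NewExternalPort", "NewProtocol",
          "NewInternalPort", "NewInternalClient", "NewEnabled"}

def sample_response(ext_port, proto, int_port, client, enabled):
    """Constructed SOAP body shaped like a GetGenericPortMappingEntry reply."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        "<NewPortMappingDescription>constructed</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

# Constructed inventory: the NAS address and internal ports are assumptions.
SAMPLES = [
    sample_response(55536, "TCP", 8080, "192.168.1.50", 1),  # NAS, exposed
    sample_response(3074, "UDP", 3074, "192.168.1.23", 1),   # other device
    sample_response(8443, "TCP", 443, "192.168.1.50", 0),    # NAS, disabled
]
STORAGE_HOSTS = {ipaddress.ip_address("192.168.1.50")}

def parse_mapping(soap_xml):
    """Extract the mapping fields, ignoring XML namespaces."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag in FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry

def exposed_storage(responses, storage_hosts):
    """Return enabled mappings that forward WAN traffic to a storage host."""
    findings = []
    for m in map(parse_mapping, responses):
        client = ipaddress.ip_address(m["NewInternalClient"])
        if m["NewEnabled"] == "1" and client in storage_hosts:
            findings.append({
                "external_port": int(m["NewExternalPort"]),
                "protocol": m["NewProtocol"],
                "internal": f"{client}:{m['NewInternalPort']}",
                "any_source": m["NewRemoteHost"] == "",  # empty = wildcard
            })
    return findings
```

An empty result for every storage host is what the router should report once port forwarding to the NAS has been disabled.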

QNAP attack

Once threat actors gain access to a QNAP device, they take advantage of resident software and service vulnerabilities to install and execute their ransomware package. Over the past year, they have used various vulnerabilities that QNAP quickly patched. The latest attack, on September 22, exploited an unknown vulnerability in Photo Station that QNAP patched in about 12 hours.

The problem is not only with UPnP. It’s also with the practice of exposing internal network devices to the public internet in any way.

Stephen Hilt, Éireann Leverett, and Fernando Mercês of Trend Micro provide a good walkthrough of how Deadbolt infected vulnerable QNAP devices in June 2022. The attack path was the same as in September, with a different software vulnerability. Hilt et al. provide the following high-level view:

  • Deadbolt uses a configuration file that dynamically chooses certain settings based on the vendor it’s targeting, making it highly adaptable to new campaigns across multiple vendors.
  • The threat actors used two payment schemes: the victim pays for a decryption key, or the NAS vendor pays for a master decryption key that supposedly decrypts all affected customers’ NAS devices. To date, neither QNAP nor ASUSTOR has purchased a master key, which is priced at over $1 million.
  • The key to decrypt a single customer’s device costs about $1,200, a ransom that less than 10% of victims chose to pay.

There is an interesting thread on Reddit in which affected users discuss how they paid for the keys in the June 2022 attack and how it worked. It is also apparent that one of QNAP’s fixes to its systems disrupted the use of decryption keys provided after the June payments. QNAP provides detailed instructions for dealing with this problem, but the instructions are not for beginners. Keys may not be affected by the September attacks.

Play defense

The defense begins with not exposing storage devices to the public internet. This is a basic security requirement that most users are unaware of, or, if they are aware of it, they do not realize that they have opened a gap in the perimeter wall. In the case of QNAP services, QNAP provides secure configuration advice, including turning off port forwarding. But customers have to heed the vendor’s security advice.

QNAP provides a cloud service, myQNAPcloud, which offers a safe way to access its NAS solutions, including an easy way to configure routers for external access, least-privilege management, and multi-factor authentication. The most secure element of this configuration is that it removes direct access to the public internet for all of the customer’s NAS devices.

Setting up myQNAPcloud is a critical component of QNAP’s recommended approach to securing access to your NAS:

  1. Disable port forwarding on the router
  2. Set up myQNAPcloud on your NAS to enable secure remote access and prevent exposure to the public Internet
  3. Update the NAS firmware to the latest version [while ensuring reasonable and appropriate supply chain risk management]
  4. Update all applications on the NAS to their latest versions
  5. Apply strong authentication for all NAS user accounts
  6. Take snapshots and back up regularly to protect your data

Another precaution I’d like to add to this list is to change the default port numbers for NAS services. This won’t reduce the risk significantly, but it’s easy to do and will add frustration to the threat actors’ efforts.

Final thoughts

This is a story of what happens when storage is exposed directly to the public internet via a high-risk method such as port forwarding. Port forwarding has value, but direct access to data should never be allowed.

Organizations and individuals should always have a layer of defense between stored data and those who wish to access it, whether from the internal network or remotely. Applications that enforce least privilege, strong authentication, logging, and monitoring are the best way to build this layer. If your NAS or other storage provider has one, use it. If they don’t, build one. If neither of these options is available, find another vendor.