QNAP Network Attached Storage (NAS) device users are still struggling to address a range of issues connected to the Deadbolt ransomware, which began infecting devices earlier this week. 

On Tuesday, QNAP NAS users flocked to Reddit and QNAP forums to report ransomware infections. Censys reported that of the 130,000 QNAP NAS devices, 4,988 services “exhibited the telltale signs of this specific piece of ransomware.”

On Friday afternoon, Censys updated its report, telling ZDNet that overnight, the number of exposed and ransomware infected devices went down by 1,061 to 3,927. 

“Why this went down could be for any number of reasons, we’re still investigating to see if we can pinpoint the reasoning behind this,” a Censys spokesperson said, theorizing that the decrease could be attributed to a forced update from QNAP. 

On Wednesday, QNAP initially urged users to update to the latest version of QTS, the Linux based operating system developed by the Taiwanese company to run on their devices.

But MalwareBytes said QNAP pushed out an automatic, forced update with firmware on Thursday containing the latest security updates.

“Later that day, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021,” MalwareBytes explained.

“As you might expect after a forced update, a number of unexpected side-effects arose, making users that were affected by these problems unhappy. Some users reported losing their devices’ ISCSI connections (ISCSI is a networking standard for linking data storage facilities), and some adapters were apparently left disabled by the update. The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update.”

QNAP responded to the controversy over the forced update on Reddit. A company representative explained why they decided to force the update, noting that it had been urging users to update their systems since January 7.

“In QTS there was a message in control panel/auto-update that ‘QTS/QuTS hero will enable recommended version update soon to protect nas from deadbolt.’ But I think a lot of people did not see that message. We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away,” the company spokesperson said. 

“Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don’t apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away. I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.”

The message drew several furious responses from people who said the forced update caused a number of downstream issues. Others said it was concerning the company had a backdoor into their systems while some said the forced update did little to actually address the issues of people who had already been infected with Deadbolt. 

Recorded Future ransomware expert Allan Liska said this kind of specialty ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month. 

“It is difficult to defend against because the device is controlled by the manufacturer. Unless you are a company with the resources to enable compensating controls, you are largely at the mercy of the vendor,” Liska said. 

“For most IoT devices, this doesn’t matter too much. If someone launches a ransomware attack against my lightbulbs, I can just reset and go on with my life. But when those IoT devices hold all of your data it is a very different matter.”

Decryptor issues

Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom while others said the decryptor malfunctioned. 

Unfortunately, Emsisoft’s decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators. 

Deadbolt’s ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it “is not a personal] attack.” 

Liska said ransomware groups are notorious for providing poor decryption software and noted that it is not uncommon for incident response teams to take the key given by the ransomware group and ignore the decryption code.

“The reason for Emsisoft to release a decryptor is to make sure victims have something they know will work once they get the key,” Liska explained.

Liska slammed the people behind the attack, questioning their insistence that the attack wasn’t “personal.”

“It is a personal attack. People often have their digital lives stored on these devices. Whether it is photos, work, the book they have been writing, or the program they have been developing this stuff is important to them and the attackers just took that away from them,” Liska added. 

“The attacker can dress it up as ‘poor vendor security’ all they want, but it is just a sign they are shitty people that have no regard for their fellow human beings.”