The contents of more than 3,600 QNAP network storage servers have been encrypted by the DeadBolt ransomware. The vendor is hitting back by forcing the installation of the latest firmware version, including the most recent automatic security updates.
In the company, no one will hear the cry of the CISO. In any case, QNAP hopes that its latest action will prevent the spread of the DeadBolt ransomware currently plaguing its network storage servers. To date, more than 3,600 NAS have fallen victim to this ransomware in the United States, France, Taiwan, Great Britain and Italy. The ransom demanded to recover, in theory, a decryption key and the stolen files amounts to nearly $1,100.
While QNAP was initially content to warn users, asking them to secure their systems by updating to the latest QTS firmware and disabling UPnP and port forwarding, the manufacturer has now decided to go a step further. It has forced the installation of the firmware for its NAS available since December 23, 2021, namely version 184.108.40.2061. This version contains many security patches, the majority of which concern Samba, whose relationship with DeadBolt remains tenuous.
The remedy worse than the disease?
QNAP explained its decision: “We are trying to increase protection against dormant attacks. If the recommended update is activated, as soon as we have a security patch it can be applied immediately. During the Qlocker era, many people were infected after we fixed the vulnerability. In fact, this whole outbreak happened after the patch was released. But many people don’t apply a security patch on the same day or week of release. And that makes stopping a ransomware campaign much more difficult. We will be working on security fixes/enhancements and hope they will be applied immediately.”
This new version is automatically downloaded to QNAP NAS even if the automatic update download setting is not enabled. This is apparently causing some problems: “A few of our QNAPs lost the ISCSI connection last night. After a day of tinkering and pulling hairs out, we finally found out it was because of the update,” one user shared on Reddit. Although the problem did not affect all of this user's NAS, the situation is nonetheless awkward. To get around this forced update, the user found a workaround: “In Storage and Snapshots>ISCSI and Fiber Channel, right-click on your alias (IQN), select Edit> Network Portal and select the adapter you are using for ISCSI”. Even more annoying: companies that had bought decryption keys from the cyber kidnappers and started decrypting their stolen data report that the NAS firmware update also erased the ransomware executable file and the ransom screen used to start decryption, with the result that they cannot continue the decryption process. For some, the cure therefore seems worse than the disease.