
Deadbolt ransomware group targeting QNAP network storage devices


QNAP Systems on Thursday disclosed that it detected a new attack by the Deadbolt ransomware gang on its network-attached storage (NAS) devices.

According to a QNAP release, the attack targeted NAS devices running QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series devices.

QNAP has urged all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the internet.

NAS devices from QNAP have been a frequent target of ransomware groups, including the QLocker and eCh0raix ransomware groups, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. Morgan said the latest activity follows similar activity from Deadbolt in targeting QNAP devices in January 2022.

Morgan added that much of this activity surrounds the use of the Universal Plug and Play (UPnP) protocol, which lets apps and other devices on a network open and close ports automatically to connect with each other. UPnP is used for a variety of purposes, including gaming and streaming content. The protocol offers the convenience of quickly connecting devices to a network, but at a security cost.

“QNAP has clarified that in the wake of attacks targeting their NAS devices, administrators should disable UPnP,” Morgan said. “They should also disable port forwarding, which also assists users in direct communication requests. Companies can take other sensible steps for this attack by simply ensuring devices are not internet-facing and are routinely patched with the most regular updates.”

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said storage appliances are attractive targets for cybercriminals for two big reasons.

First, by their very nature, the devices are often the primary data storage medium or are responsible for housing backups. Successfully encrypting a storage appliance with ransomware can mean that the victim loses not only their data, but also the source of their backups, and thus their ability to recover. Second, appliances in general can often lag significantly behind patching cadences of desktop or server systems. Most lack a centralized mechanism for scheduling and deploying fixes for serious security flaws, meaning that administrators must manually apply the patches.

“Patching storage appliances can also disrupt companies not only because they require reboots — during which time important data often becomes inaccessible to a business — but often security patches are distributed by appliance vendors as part of larger firmware updates that can alter or even remove existing functionality that an organization may depend on,” Clements said. “These patching challenges can make storage appliances vulnerable to a wider range of known exploits, making for easy targets for cybercriminals to compromise. Storage devices that are often a core piece of an organization’s operations that are easy to exploit create a perfect storm for ransomware gangs looking to ensure a quick payout to their extortion demands.”
