Taiwanese company QNAP has warned customers to secure network-attached storage (NAS) appliances and routers against a new ransomware variant called DeadBolt.

A query on IoT search engine Censys shows that at least 3,687 devices have been encrypted by the DeadBolt ransomware so far, with most NAS devices located in the U.S., Taiwan, France, Italy, the U.K., Hong Kong, Germany, the Netherlands, Poland, and South Korea.

In addition, QNAP is also urging users to check if their NAS devices are public-facing, and if so, take steps to turn off the port forwarding function of the router and disable the Universal Plug and Play (UPnP) function of the QNAP NAS.

The advisory says that QNAP NAS devices are being encrypted by the DeadBolt ransomware by exploiting a supposed zero-day vulnerability in the device's software. The attacks are believed to have started on January 25.

The ransomware strain, which locks the files with a ".deadbolt" file extension, demands that victims pay a ransom of 0.03 bitcoins (approximately $1,100) to a unique Bitcoin address in exchange for a decryption key.

On top of that, the operators of the ransomware claimed they are willing to offer complete details of the alleged zero-day flaw if QNAP pays them five bitcoins (~$186,700). It's also ready to sell the master decryption key that can be used to unlock the files for all affected victims for an extra 45 bitcoins (~$1.7 million).

While it's not immediately clear if QNAP heeded to the extortion demand, the company, on Reddit, acknowledged that it had silently force-installed an emergency firmware update to "increase protection" against the ransomware, adding "It is a hard decision to make. But it is because of DeadBolt and our desire to stop this attack as soon as possible that we did this."

QNAP devices have emerged a frequent target of ransomware groups and other criminal actors, prompting the company to issue numerous warnings in recent months. On January 7, it advised customers to safeguard their NAS devices from ransomware and brute-force attacks, and ensure that they are not exposed to the internet.

The company also said the vulnerability relates to a flaw affecting QTS and QuTS hero operating systems that, if successfully exploited, could allow attackers to run arbitrary code in the affected system. The issue has been addressed in the following versions:

• QTS 5.0.0.1891 build 20211221 and later
• QTS 4.5.4.1892 build 20211223 and later
• QuTS hero h5.0.0.1892 build 20211222 and later
• QuTScloud c5.0.0.1919 build 20220119 and later

The information contained in this website is for general information purposes only. The information is gathered from TheHackernews, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.