New ransomware may use zero-day in QNAP NAS systems
A new ransomware is circulating that encrypts QNAP NAS systems and asks victims to pay bitcoin for decryption. According to the criminals, the ransomware uses a zero-day, which can potentially bypass two-factor authentication.
QNAP warns users of ransomware hitting NAS systems and urges them to immediately shut down NAS systems with open connections. These systems are vulnerable to what the attackers call DeadBolt ransomware. Several dozen victims have already posted reports on the QNAP forum.
According to BleepingComputer, this is a ransomware attack by the DeadBolt group, which encrypts files with a .deadbolt extension. Victims will see an on-screen notification that files have been encrypted by DeadBolt. The group is asking victims to transfer 0.03 bitcoin to decrypt the files. It has also put out an appeal online to QNAP stating that it will hand over the master key for the ransomware if the company pays 50 bitcoin.
The attackers say they are exploiting a zero-day, but details are not available. It is suggested on Reddit that the zero-day bypasses two-factor authentication and deletes backups. QNAP strongly urges users whose NAS systems connect to the Internet without encryption to disconnect them immediately. Users are also advised to disable port forwarding.
It is the second time in a short period that QNAP has warned about ransomware attacks. Two weeks ago, the company warned that more and more users were being affected by another ransomware strain, which originated in 2019.
The Ransomware Letter QNAP Users Get