Asustor warns users of Deadbolt ransomware attacks

Users of Asustor Network Attached Storage (NAS) devices are being warned of potential Deadbolt ransomware infections after dozens of people took to Reddit and other message boards to complain of attacks. 

Asustor Marketing Manager Jack Lu told ZDNet that the company is “going to release a recovery firmware for support engineers today for users whose NAS is hacked so they can use their NAS again.” 

“However, encrypted files can not be recovered unless users have backups,” Lu added. 

Asustor released a warning on Wednesday that the Deadbolt ransomware was being used in attacks affecting Asustor devices. It announced that the myasustor.com DDNS service will be disabled while the issue is investigated.

The company recommends users change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443. Users should also Disable EZ Connect, make immediate backups, and turn off Terminal/SSH and SFTP services.

Asustor also provided a more detailed guide for users in need of more help. If you have already been hit by Deadbolt ransomware, you should unplug the Ethernet network cable and shut down your NAS by pressing and holding the power button for three seconds.

Users are urged to fill out this form and make sure not to initialize their NAS because it will erase their data.

The New Zealand CERT released its own lengthy warnings about Deadbolt this week, writing that vulnerabilities in QNAP and Asustor NAS devices are being actively exploited to deploy ransomware. The US Cybersecurity and Infrastructure Security Agency declined to comment.

QNAP released its own Deadbolt guidance last month and took several controversial measures to limit the spread of the ransomware. 

CERT NZ said users should follow the guidance provided by both companies about how to protect their devices. But it noted that both are “being actively targeted by attackers intending to deploy ransomware.”

It said QNAP NAS devices that are internet exposed and running QTS and QuTS operating systems, or add-ons with the following versions, are affected:

• QTS 5.0.0.1891 build 20211221 and later
• QTS 4.5.4.1892 build 20211223 and later
• QuTS hero h5.0.0.1892 build 20211222 and later
• QuTS hero h4.5.4.1892 build 20211223 and later
• QuTScloud c5.0.0.1919 build 20220119 and later

Affected Asustor devices that are internet exposed and running ADM operating systems include the AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T models. 

Users have reported seeing the same ransom messages that were deployed last month when QNAP devices were hit. The Deadbolt ransomware group demanded 0.03 bitcoins (BTC) in exchange for the decryption key. 

In another note to Asustor, the ransomware group offers to provide the company with information about the alleged zero-day vulnerability they used to attack in exchange for 7.5 BTC. The group is also offering a master decryption key for 50 BTC, worth $1.9 million. 

For QNAP, the group demanded a payment of 5 BTC in exchange for details about the alleged zero-day and 50 BTC for a universal decryption master key.

As users wait for the firmware to be released, some are warning users to make a backup of the locked files. QNAP’s firmware removed the ransom note that is needed to get and use the decryption key. Both the decryption tools from Deadbolt and security company Emsisoft require the original ransom note. 

It is unclear how many Asustor users are affected by the ransomware. Censys reported last month that of the 130,000 QNAP NAS devices that were potential targets, 4,988 “exhibited the telltale signs of this specific piece of ransomware.”

Censys later told ZDNet that the number of exposed and infected devices was around 3,927.