DeadBolt Ransomware Actively Targets QNAP NAS Devices — Again

The QNAP network-connected devices, used to store video surveillance footage, are a juicy target for attackers, experts warn.

Concept art illustrating a ransomware attack with locked laptop
Source: The Lightwriter via Alamy

QNAP network-attached storage (NAS) devices running out-of-date software are under snowballing numbers of active attacks in a new DeadBolt ransomware campaign, an advisory has warned.

The company is investigating the situation, but meanwhile, QNAP recommends updating its QTS and QuTS hero to the latest versions as soon as possible. This is the second spate of attacks in the past few weeks.

QNAP NAS devices are used to store video surveillance footage and the data. In the hands of ransomware threat actors, the data could be used to extort any number of organizations and individuals, experts warned.

"Ransomware is starting to shift towards data theft, as the cybercriminals can gain from both being paid the ransom as well as sale of the data," Bud Broomhead, CEO of Viakoo, told Dark Reading in reaction to the campaign. "Threats against NAS devices will increase along with the shift to extending ransomware into data theft."

Why NAS Devices Are Easy Targets

Besides the potential data bonanza stored inside, Broomhead added that NAS devices are soft targets for cybercriminals because they're often not set up properly or protected by a firewall. They're also often not managed by IT teams, meaning there isn't a robust security patching or monitoring strategy in place to protect them from attack, he said.

"QNAP (and NAS drives in general) have been part of CISA's Known Exploited Vulnerability Catalog for some time," Broomhead added. "Out of 778 currently exploited vulnerabilities, 10 are specific to QNAP."

The company is offering support for customers who have already been compromised.

"If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page," QNAP wrote in its security advisory on DeadBolt ransomware.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights