Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

Published: 23/11/2024   Category: security




The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.



The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.
These factors make DeadBolt different from other NAS ransomware families and could make it more problematic for its victims, according to an analysis from Trend Micro this week.
The ransomware reads a configuration file that selects vendor-specific settings at run time, which makes it scalable and easy to adapt to new campaigns and vendors, according to the researchers.
The payment scheme has two tiers: the victim can pay for a decryption key for their own device, or the vendor can pay for a master decryption key. That master key would theoretically decrypt the data of every victim. The report also notes that less than 10% of DeadBolt victims actually paid the ransom.
Even though the vendor master decryption key did not work in DeadBolt’s campaigns, the concept of holding both the victim and the vendor to ransom is an interesting approach, according to the report. It’s possible that this approach will be used in future attacks, especially since the tactic requires very little additional effort on the part of a ransomware group.
Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.
“They also know about the internals of QNAP and Asustor,” he says. “Overall, it’s an impressive job from a technical standpoint.”
Mercês adds that ransomware actors in general are targeting NAS devices because of a combination of factors: low security, high availability, the high value of the data, modern hardware, and a common OS (Linux).
“It’s like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place,” he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware.”
To protect against attacks on Internet-facing NAS devices, he says, organizations could put the device behind a VPN service, although the configuration may require some technical skill.
“Suppose there’s no other way other than exposing the NAS on the Internet,” he says. “In that case, I’d recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example.”
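The last of those recommendations, a firewall in front of the NAS that only passes the ports you actually need, is easy to state and easy to let drift. The following is an added example (it is not code from the article, from Trend Micro, or from either NAS vendor) that writes the allow policy down once, emits an nftables ruleset for a Linux router sitting in front of the NAS, and checks the results of an external port scan against the same policy. The NAS address, the port policy, the table name `nas_guard`, and the scan observations are all constructed for illustration.

```python
"""Exposure audit for an Internet-facing NAS (added example, not from the article).

Write down which source networks may reach which NAS port, generate the router
rules from that policy, and check a port scan against the same policy so that
anything exposed beyond the policy shows up as a violation.
"""
import ipaddress
from dataclasses import dataclass

NAS_IP = "192.168.1.50"          # constructed NAS address on the LAN

# Constructed policy: NAS port -> source prefixes allowed to reach it.
# An empty list means the service is closed to everyone (and should also be
# disabled on the NAS itself, as the article's advice says).
ALLOW_POLICY = {
    443:  ["192.168.1.0/24", "10.8.0.0/24"],   # HTTPS UI: LAN and VPN clients only
    445:  ["192.168.1.0/24"],                  # SMB: LAN only
    22:   ["10.8.0.0/24"],                     # SSH: VPN clients only
    8080: [],                                  # plain-HTTP admin UI: nobody
}


@dataclass(frozen=True)
class Observation:
    """One port-scan result against the NAS, taken from a given vantage point."""
    src: str       # address the scan was run from
    port: int
    is_open: bool


def allowed(port: int, src: str, policy=ALLOW_POLICY) -> bool:
    """True if the policy lets address `src` reach NAS port `port`."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(prefix) for prefix in policy.get(port, []))


def audit(observations, policy=ALLOW_POLICY):
    """Return every open port that the policy says should not be reachable from there."""
    return [o for o in observations if o.is_open and not allowed(o.port, o.src, policy)]


def render_nft(nas_ip: str = NAS_IP, policy=ALLOW_POLICY) -> str:
    """Emit an nftables ruleset for a Linux router in front of the NAS.

    The table only judges traffic addressed to the NAS (other forwarding is
    left to the router's existing rules), default-drops it, and accepts only
    the (source prefix, port) pairs in the policy plus reply traffic for
    connections that were already allowed.
    """
    lines = [
        "table inet nas_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        f"    ip daddr != {nas_ip} accept",
        "    ct state established,related accept",
    ]
    for port, prefixes in sorted(policy.items()):
        for prefix in prefixes:
            lines.append(f"    ip saddr {prefix} ip daddr {nas_ip} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed scan results: one scan from the Internet (203.0.113.7 is a
# documentation address), one from the LAN, one from a VPN client.
SAMPLE_SCAN = [
    Observation("203.0.113.7", 443, True),     # UI reachable from the Internet: violation
    Observation("203.0.113.7", 8080, True),    # plain-HTTP admin UI exposed: violation
    Observation("203.0.113.7", 445, False),    # SMB closed to the Internet: fine
    Observation("192.168.1.20", 445, True),    # SMB from the LAN: allowed
    Observation("10.8.0.5", 22, True),         # SSH from a VPN client: allowed
]

if __name__ == "__main__":
    for v in audit(SAMPLE_SCAN):
        print(f"VIOLATION: port {v.port} reachable from {v.src}")
    print(render_nft())
```

Running the audit against the constructed scan flags the two services reachable from the Internet (443 and 8080); the generated ruleset contains no rule for port 8080 at all, so the router drops it regardless of what the NAS is listening on. Re-running the same scan from outside after a firmware update or a router change is the cheap way to notice when an admin port has quietly become reachable again.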
Mercês notes that while it doesn’t seem to have been effective, it’s interesting to see criminals trying to put pressure on vendors to fix the problem for their customers.
“I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them,” he says. “It could be interesting if customers started pushing vendors to pay on their behalf, but that didn’t happen.”
In May, QNAP warned that its NAS devices were under active attack by DeadBolt ransomware, and in January a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.
Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.
“With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones,” she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction.”
She also notes that, from a technical perspective, DeadBolt attacks differ from the ransomware attacks that hit many enterprise devices: initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.
“There are no social engineering or lateral movement techniques required to carry out their objectives,” Hoffman says. “The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks.”
