Ransomware Variants

A decryption key for Deadbolt ransomware became available a few days after the ransomware first appeared. However, the threat actors must provide a decryption key for it to work.

Security vendor Emsisoft released the key. It comes a few days after QNAP customers were targeted by the DeadBolt ransomware gang. The gang asked the impacted customers to pay 0.03 bitcoin (approx. $1,150 USD) to decrypt their files.

The customers received a ransom note that also carried a message for Taiwanese hardware vendor QNAP. The note states that Deadbolt exploited a zero-day vulnerability that allowed the gang to target vulnerable QNAP NAS devices connected to the internet. The gang demanded from QNAP 5 bitcoin for the vulnerability details, or 50 bitcoin for a master decryption key along with the vulnerability details.

But doubt has been cast on the credibility of the decryption tool after a user on the QNAP NAS community forums shared his ordeal. The user wrote that he paid the ransom but received an invalid key. Further, Emsisoft CTO Fabian Wosar tweeted that QNAP’s firmware update has caused decryption issues.

Deadbolt’s encryption leaves victims with the option of paying the ransom (apart from resetting the device and restoring from a backup), said Emsisoft threat analyst Brett Callow.

“DeadBolt’s encryption seems to be secure, meaning the only way for victims to recover the data is to pay the ransom. Our decryptor is designed to help those who do pay,” Callow said. “QNAP’s forced update removes the ransomware payload and, without that, the decryptor supplied by the criminals will not work. Our decryptor addresses that problem.”

QNAP published a blog post last Wednesday with instructions for customers to protect their vulnerable devices.

QNAP had not responded to SearchSecurity’s request for comment at press time.