Earlier this week (25 January, 2022) news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. The threat actors claimed the attack was based on a zero-day vulnerability specific to the devices.
Today QNAP® Systems, Inc. (QNAP) pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ “DeadBolt” ransomware.
You might think that that is a good thing—if not exactly cause for celebration, at least a cause for relief—but some customers aren’t happy.
Deadbolt
The ransomware group responsible for this attack is calling itself Deadbolt. It also uses the same name in the file extension of the encrypted files its ransomware generates. Rather than using the habitual method of dropping ransom notes in each folder on an affected device, Deadbolt ransomware hijacks the QNAP device’s login page. The hijacked screen starts with “WARNING: Your files have been locked by DeadBolt”. The complete ransom message is shown below:
WARNING: YOUR FILES HAVE BEEN LOCKED BY DEADBOLT
What happened?
All your files have been encrypted. This includes (but is not limited to) Photos, Documents and Spreadsheets.
Why me?
This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP).
What now?
You can make a payment of (exactly) 0.030000 bitcoin to the following address: ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
Once the payment has been made we'll follow up with a transaction to the same address, this transaction will include the decryption key as part of the transaction details. [more information]
You can enter the decryption key below to start the decryption process and get access to all your files again.
important message for QNAP
Reportedly, the ransomware has already affected at least 3,600 victims. Besides urging individual victims to pay for a decryption key, the ransomware gang is also trying to sell the full details of the alleged zero-day vulnerability to QNAP for five bitcoins, and is apparently also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims, and the zero-day info, for 50 bitcoins. There are many good reasons for not giving in to ransomware gangs’ demands, and QNAP doesn’t need the zero-day information because it has already created an update to thwart the vulnerability. However, the update hasn’t been as welcome as you might expect.
Forced update
The day after the news broke (26 January) QNAP issued a statement in response to the ransomware. It urged NAS users to follow the recommended security setting instructions to ensure the security of their routers, and immediately update to the latest version of QTS, the Linux-based operating system developed by QNAP to run on its devices.
Later that day, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021.
Problems
As you might expect after a forced update, a number of unexpected side effects arose, leaving the affected users unhappy.
Some users reported losing their devices’ iSCSI connections (iSCSI is a networking standard for linking data storage facilities), and some adapters were apparently left disabled by the update. The firmware update also removed the ransomware executable and the ransom screen used to initiate decryption, which apparently left some victims who had paid the ransom unable to proceed with decrypting their files after the update.
When warnings alone are not enough
As we all know, there is often a yawning gap between when a patch becomes available and when it’s actually applied. In this case, QNAP seems to have decided that closing that gap is the lesser of two evils.
And in all fairness, QNAP has been urging users to secure their devices since 7 January, 2022, with elaborate instructions on how to check whether their NAS devices are exposed to the Internet, how to disable the Port Forwarding function of the router, and how to disable the UPnP function.
This is just good advice either way, since QNAP NAS owners were already being targeted by other ransomware operations like Qlocker and eCh0raix. Rather ironic, since many NAS owners use their devices to store backups in case their main systems become disabled by things like ransomware.
In response to criticism about the unannounced forced update, QNAP support stated:
“I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.”
We are curious as to how our readers feel about this. Let us know in the comments. Should device vendors be allowed to push updates when there is a clear and imminent danger?
Unless both business and consumer users get to grips with patching sooner, we can probably expect to see more of these kinds of forced updates.
Update February 1, 2022
Today QNAP explained how it was able to update systems whose owners were convinced they had disabled the auto-update setting. QNAP actively updates NAS system software to ensure that each of its products runs efficiently throughout every stage of its lifecycle. These updates include feature updates, bug fixes, and security patches.
To allow users to obtain the latest version of system software more easily, QNAP has introduced the auto update to “Latest Version” feature in QTS 4.5.0 / QuTS hero h4.5.0. Further, an auto update to “Recommended Version” feature is implemented in QTS 4.5.3 / QuTS hero h4.5.3 to give users more flexibility.
Users who disabled auto-update after installing 4.5.0, which introduced the option to auto-update, but before installing 4.5.3, which introduced recommended updates, may find that their device will still automatically install recommended updates. The update intended to mitigate and isolate the Deadbolt attack was pushed as a recommended update.