Deadbolt ransomware

Backup and data protection discussion at its finest.

Moderator: Lillian.W@AST

Saltrams
Posts: 67
Joined: Fri Oct 28, 2016 10:44 pm

Deadbolt ransomware STILL

Post by Saltrams »

I've been ignoring my NAS since the initial hit (February, was it?) Today was supposed to be my clear day for following the published Asustor ADM updating instructions but not only can I not follow them (questions below) but I see people are being hit AGAIN (June 10th someone reported it). So, given the volatility of the situation, I am wondering if I can salvage the situation without exposing the NAS to the Internet at all?

1. I can't even see the ADM screen when I reboot the NAS without any drives in place. The old IP address is unreachable. I found a new IP address from a network map and I get this screen there:
Image

2. Can I connect the NAS directly to my PC to do the update? I have downloaded the latest ADM update 4.0.5.RUE3 and also copied it to USB stick, so I could plug that into the NAS directly but I need to be able to SEE the ADM page somehow. Can I do HDMI to HDMI NAS to PC maybe?

3 months on, still :cry: :evil: :x :(
stormzone
Posts: 2
Joined: Sun Jun 19, 2022 7:54 pm

Re: Deadbolt ransomware STILL

Post by stormzone »

Saltrams wrote:I've been ignoring my NAS since the initial hit (February, was it?) Today was supposed to be my clear day for following the published Asustor ADM updating instructions but not only can I not follow them (questions below) but I see people are being hit AGAIN (June 10th someone reported it). So, given the volatility of the situation, I am wondering if I can salvage the situation without exposing the NAS to the Internet at all?

1. I can't even see the ADM screen when I reboot the NAS without any drives in place. The old IP address is unreachable. I found a new IP address from a network map and I get this screen there:
Image

2. Can I connect the NAS directly to my PC to do the update? I have downloaded the latest ADM update 4.0.5.RUE3 and also copied it to USB stick, so I could plug that into the NAS directly but I need to be able to SEE the ADM page somehow. Can I do HDMI to HDMI NAS to PC maybe?

3 months on, still :cry: :evil: :x :(

I've exactly the same problem :(
I followed the instructions on the Asustor website, but I can't get access to my NAS (AS1004T)....
peribo
Posts: 3
Joined: Fri Jun 17, 2022 6:13 pm

Re: Deadbolt ransomware

Post by peribo »

Do we have lawyers here? How about a class action lawsuit? If Asustor doesn't want to sponsor cyberterrorism, let them hire a codebreaker (decryption specialist) to solve the problem, it might be cheaper. What do you think?
stormzone
Posts: 2
Joined: Sun Jun 19, 2022 7:54 pm

Re: Deadbolt ransomware

Post by stormzone »

peribo wrote:Do we have lawyers here? How about a class action lawsuit? If Asustor doesn't want to sponsor cyberterrorism, let them hire a codebreaker (decryption specialist) to solve the problem, it might be cheaper. What do you think?
This sounds like a good idea!
ilike2burnthing
Posts: 379
Joined: Thu Apr 09, 2020 8:01 pm

Re: Deadbolt ransomware

Post by ilike2burnthing »

Trying to break current encryption methods with a supercomputer has you in a race with the heat death of the universe.
Pilloso
Posts: 19
Joined: Tue Feb 02, 2016 6:32 pm

Re: Deadbolt ransomware

Post by Pilloso »

From what I've observed on several Asustor NAS over the past few months, the most likely backdoors are a combination of active FTP, standard ports, and simple passwords.

My personal NAS resisted the first attack but registered over 10,000 FTP login attempts in its events log.
exhausted
Posts: 1
Joined: Thu Jun 23, 2022 3:23 am

Re: Deadbolt ransomware

Post by exhausted »

3 month AS6604T owner here hit by the second Deadbolt attack.

Coincidentally, I was away from home for a week, which I was using as an opportunity to test out the remote access functionality, with Plex and EZ Connect enabled.

I never actually saw the ransom page though. Once I was home, I went into the NAS the first time in a week since accessing with AiData app remotely, noticed .deadbolt appended to files, Googled, saw the word ransomware, and immediately started to have a severe panic attack.

Before I could calm down enough to even type my way to answers, let alone read anything, I instinctively pulled the ethernet cable, but left the NAS on. I eventually plugged the cable back in, and was able to update ADM through the AiMaster app. It was only then I logged into the ADM web interface, with no issue.

The only thing that kept me from jumping off a bridge was realizing I kept a majority of the files in Dropbox before migration, so I was able to recover most.

As mentioned earlier in the thread, it seems the attack targets specific file types. Unaffected files for me included M4A, GIF, CUE, LOG, MP2, DMG, IMG, EPUB, MOBI.

My only questions now: Is it safe to move/delete affected files? I didn't touch anything on the off chance it could trigger further damage. Ideally I would like to save the few irreplaceable affected files on an external in case of future decryption. Also is anyone sure the seemingly unaffected files are safe to move/use?

If anyone wants to buy a near new AS6604T let me know! I want this thing out of my life.
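Added example, not part of the post above or of any Asustor tooling: a read-only inventory that lists files carrying the `.deadbolt` suffix the post describes, grouped by original extension, so affected files can be matched against backups without renaming, moving or deleting anything. The sample tree, its file names and the helper names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".deadbolt"  # suffix the post reports being appended to file names


def inventory(root):
    """Walk root without modifying it; return (affected, unaffected) entries."""
    affected, unaffected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            size = path.stat().st_size
            if name.lower().endswith(SUFFIX):
                original = name[: -len(SUFFIX)]  # file name before the suffix
                ext = Path(original).suffix.lower() or "(none)"
                affected.append((str(path), ext, size))
            else:
                ext = path.suffix.lower() or "(none)"
                unaffected.append((str(path), ext, size))
    return affected, unaffected


def summarize(entries):
    """Map original extension -> (file count, total bytes)."""
    counts, sizes = Counter(), Counter()
    for _path, ext, size in entries:
        counts[ext] += 1
        sizes[ext] += size
    return {ext: (counts[ext], sizes[ext]) for ext in counts}


def build_sample_share(root):
    """Constructed sample tree standing in for a NAS share (assumption)."""
    sample = {"photos/a.jpg.deadbolt": 10, "photos/b.JPG.deadbolt": 5,
              "docs/report.docx.deadbolt": 7, "music/song.m4a": 3,
              "books/novel.epub": 4}
    for rel, size in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        hit, clean = inventory(tmp)
        for label, group in (("affected", hit), ("unaffected", clean)):
            for ext, (n, size) in sorted(summarize(group).items()):
                print(f"{label:10} {ext:8} {n:3} files {size:6} bytes")
```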
marp
Posts: 17
Joined: Tue Jan 31, 2017 4:48 pm

Re: Deadbolt ransomware

Post by marp »

My 2 cents of wisdom. If you are exposing your NAS to the Internet you are just inviting bad guys to poke at your system. So NEVER open it to the internet, regardless of what Asus is telling you. If you do need to access it while remote, either add a small Raspberry Pi and configure a VPN solution on it, such as WireGuard or OpenVPN, or use another solution like ZeroTier-One.

Also, breaking the encryption - if it was done properly - has no chance, so do not waste your time, reformat your disks, restore your data from older backups - if you have them - and learn from this experience.
Pilloso
Posts: 19
Joined: Tue Feb 02, 2016 6:32 pm

Re: Deadbolt ransomware

Post by Pilloso »

What is the best backup in these cases? If the virus sees disks connected via USB or ethernet, can it attack those too?
I would like to use a disk for automatic backups without having to detach it every day, is it safe?
Medinfe
Posts: 8
Joined: Fri Feb 19, 2021 7:31 pm

Re: Deadbolt ransomware

Post by Medinfe »

Hi

My solution

I have a USB dock connected and it's switched on and off by a smart plug... for the moment no problems at all with the disks and the shutdown.

It's not perfect at all, if I don't realise that I'm infected the copies will be blocked also.

BR