Deadbolt ransomware

Backup and data protection discussion at its finest.
Post Reply
kippersbum
Posts: 1
youtube meble na wymiar Warszawa
Joined: Mon Feb 21, 2022 11:57 pm

Deadbolt ransomware

Post by kippersbum »

My 5304T NAS just been hit by Deadbolt Ransomware!

I noticed a large amount of disk activity and tried to log in to my NAS to see what was going on and saw the “All your files have been encrypted” message. I switched off the NAS so am hopeful that at least some of my data will still be unencrypted but need advice as to what I should do next.
rmtonin
Posts: 1
Joined: Tue Feb 22, 2022 12:06 am

Re: Deadbolt ransomware

Post by rmtonin »

I jost woke up for the same thing, is there a way to kill the process, half my files are still beeing processed...
billsargent
Posts: 61
Joined: Sun Apr 19, 2015 5:57 pm
Location: Göteborg, Sweden

Re: Deadbolt ransomware

Post by billsargent »

Take your nas OFF of ez connect. Block its traffic incoming from outside.


This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index there.

To remove theirs, you need to chattr -i index.cgi and replace it with the backup.

But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.

This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi.
-
theimmortal
Posts: 22
Joined: Wed Dec 28, 2016 6:05 am

Re: Deadbolt ransomware

Post by theimmortal »

billsargent wrote:Take your nas OFF of ez connect. Block its traffic incoming from outside.


This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index there.

To remove theirs, you need to chattr -i index.cgi and replace it with the backup.

But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.

This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi.
-
How do you use chattr to do that? Any simple instructions?

Was/is the index replacement simply like a redirect or could the encryption already have taken down many/most files?

Is there any way to do it through a GUI interface with a live Linux distro? Never had to work on Linux command line interface before.
billsargent
Posts: 61
Joined: Sun Apr 19, 2015 5:57 pm
Location: Göteborg, Sweden

Re: Deadbolt ransomware

Post by billsargent »

I am assuming you have ssh capabilities? If so you just need to ssh in and login as root and run these commands. This should help you get back into the portal.

Code: Select all

cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
If you look at the index.cgi they created before you delete it, its a text script.

I am still in the investigative stages but nothing in my shares have been locked up with this yet. Just things in /root so far.

I've pulled out a ton of LTO tapes to backup my data. I think this is going to require a full reset. I hope asustor releases a fix for this but I will never again allow my NAS to have outside access again.
Attachments
image_2022_02_21T16_32_09_173Z.png
image_2022_02_21T16_32_09_173Z.png (41.61 KiB) Viewed 28629 times
Machinae
Posts: 9
Joined: Thu Jan 08, 2015 5:10 am

Re: Deadbolt ransomware

Post by Machinae »

This better be fixed asap. same deadbolt shit here
billsargent
Posts: 61
Joined: Sun Apr 19, 2015 5:57 pm
Location: Göteborg, Sweden

Re: Deadbolt ransomware

Post by billsargent »

Machinae wrote:This better be fixed asap. same deadbolt shit here
It most likely wont be.

If you have shares to windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.

Files that have been encrypted have a .deadbolt extension
racingscott
Posts: 1
Joined: Tue Feb 22, 2022 1:12 am

Re: Deadbolt ransomware

Post by racingscott »

I've been hit as well. I remove the index.cgi and restored that backup file so I'm back in the portal now. Is there a way to stop this before it locks all of the files and how can I remove it for good?
theimmortal
Posts: 22
Joined: Wed Dec 28, 2016 6:05 am

Re: Deadbolt ransomware

Post by theimmortal »

billsargent wrote:I am assuming you have ssh capabilities? If so you just need to ssh in and login as root and run these commands. This should help you get back into the portal.

Code: Select all

cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
If you look at the index.cgi they created before you delete it, its a text script.

I am still in the investigative stages but nothing in my shares have been locked up with this yet. Just things in /root so far.

I've pulled out a ton of LTO tapes to backup my data. I think this is going to require a full reset. I hope asustor releases a fix for this but I will never again allow my NAS to have outside access again.
Interesting (and extremely infuriating).

Luckily (I guess) this was shortly after a drive upgrade so the old drives are untouched. Would it be safe to swap in the old drives or should I do a full system reset (I'm leaning towards the reset)?

What's the best format option if doing a full reset? BTFRS or EXT4?
Machinae
Posts: 9
Joined: Thu Jan 08, 2015 5:10 am

Re: Deadbolt ransomware

Post by Machinae »

billsargent wrote:
Machinae wrote:This better be fixed asap. same deadbolt shit here
It most likely wont be.

If you have shares to windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.

Files that have been encrypted have a .deadbolt extension
I just turned it off, have no idea about the damage done and not to prone to start it up again as i have no clue what to do.
Post Reply

Return to “Backup and Data Protection”