Deadbolt ransomware

Backup and data protection discussion at its finest.
THX1139
Posts: 8
Joined: Tue Mar 15, 2016 1:59 am

Re: Deadbolt ransomware

Post by THX1139 »

ninecats wrote:I saw this on Facebook and was wondering if anyone tried it and was successful. I was never hit but curious if there is a solution this easy.

“Just saw the new firmware update ADM 4.0.5.RRS1 for my AS5304T. Release Notes mention "Added ransomware and malware removal mechanisms that recognize abnormal behavior."”
I think that has to be a mechanism to recognize and hopefully stop future attacks before they can spread, not a way to remove the existing encryption. Of course… there is no way to know how a future attack may be carried out, so this has to be more of an effort to save face and show future customers that this kind of thing cannot happen to Asustor users.

My NAS is still powered off. I’m on the fence about whether to format it and start over or not. If I am to start over, I may as well buy new, bigger hard drives anyway, and that is going to cost a small fortune and take up a lot of my precious little time off work. I have been waiting all this time to hear back from the insurance company, and just now I learned that my wife forgot to send the email to them, so I’m still at square one.
ninecats
Posts: 9
Joined: Thu Aug 01, 2019 11:03 am

Re: Deadbolt ransomware

Post by ninecats »

Makes sense.

Good luck going forward with your situation.
Saltrams
Posts: 67
Joined: Fri Oct 28, 2016 10:44 pm

Re: Deadbolt ransomware

Post by Saltrams »

martinba wrote:First of all, I agree that a proper backup strategy would have prevented any data loss. But while that is true, there are things Asustor should have done in the lead-up to the ransomware attack, and they also failed with their response afterwards.

Hindsight is 20/20; however, Asustor had warning signs from the QNAP attack. The Asustor attack seems very similar to the QNAP Deadbolt attack, and Asustor should have immediately assessed that risk, especially knowing that EZConnect would punch holes into users' firewall configurations. They should have pushed the firmware update that includes the splash screen prompting users to change ports directly after the QNAP attack.

Mistakes have been made, and that is OK, but Asustor’s response after the attack is the really damning bit for me. They only vowed to do an “internal audit to regain customers' trust”. This frankly is just not good enough. We need Asustor to lay open how attackers got access to the system and publish a detailed analysis of it, why it only happened on the latest firmware, and how they are planning to mitigate future attacks. Releasing a new firmware with an opaque “security fixes” changelog is not enough. Be transparent.
Linking to pages on how to mitigate ransomware attacks is not cutting it. You can’t advertise features like EZConnect and then point the finger at users who are using it.

Additionally, I think Asustor should publish a detailed guide on how to try to recover data using data recovery tools, and ideally even provide one built in via App Center. Yes, users should have backups, but this can’t be your singular answer to a complex problem. Especially with the nature of Deadbolt, the best advice in the absence of backups would have been to immediately stop using the NAS to prevent any deleted-file overwrites and to advise users to wait until an easy-to-use data recovery tool can be run on the empty drive space.

I understand that every NAS company is a large attack surface and that these things happen. What changes my consumer behaviour, though, is how those companies address the issue. At least for me, Asustor's response so far has been unsatisfactory.

Thanks to the forum, subreddit and the community as a whole, I only lost data that I can recover from backups, but ultimately this is a role Asustor should have played.

Tldr:
  • Asustor should have learnt from the QNAP attack, preemptively prompted users to change ports, and done an internal analysis of the risk EZConnect poses
  • Asustor should provide a tool/steps for traditional data recovery
  • Asustor should release a detailed report about the attack and mitigation
100% THIS! The attackers are criminals. Asustor is criminally negligent.
Saltrams
Posts: 67
Joined: Fri Oct 28, 2016 10:44 pm

Deadbolt - How To Proceed?

Post by Saltrams »

6 weeks post-Deadbolt and I'm about ready to address the situation now.
I would welcome experienced opinion on my 2 options for proceeding, please.

NAS is 7004T, which had 2x16TB IronWolfPro drives in a mirrored RAID1 setup, plus 2 MyArchive disks of varying sizes according to what was in use at the time. On the day of Deadbolt, I had 2x6TB Seagate HDDs inserted in the bays.
Not sure how long the Deadbolt process had been encrypting my files before I found the black screen of death but I powered off with a 3 second press & yanked the network cable (probably the other way round actually, FWIW).

So, My possible routes are:
  • A. Follow the Asustor instructions "I've been affected by ransomware. What should I do?" at https://www.asustor.com/knowledge/detail/?group_id=630
    OR
    B. Take out all the disks, put in the 2 brand new, shiny replacement 16TB disks I just bought and start afresh like the NAS is new.
With A, my 2 main concerns are:
- Won't the Deadbolt process just start-up & continue encrypting files if I start the NAS & connect it to the Internet (one would hope not but I would like reassurance), and:
- Will I be able to update ADM to version 4.0.5.RRS1 (released 2022-03-28) WITHOUT WIPING THE DATA ON THE EXISTING DISKS? My confusion stems from the Asustor walkthrough because it shows this:

[Edit - images removed, they were useless]. Basically, the written information in the walkthrough by Asustor is contradictory.

After following the process, will all the files (albeit most likely encrypted) remain on my disks with any possible unencrypted files accessible like they were before? Will I be able to look at the files, see what has the Deadbolt extension and, hopefully, what hasn't?

What I want to achieve is getting any unencrypted data copied to a temporary location, shutting down the NAS, inserting the 2 new drives & then initializing like new. Then I can re-fashion the NAS as I want, adding the files that escaped encryption. Finally, I plan to put the encrypted drives away and await the day when they might be unencrypted (best case scenario; when law enforcement finds the criminals and seizes their stuff).
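The staging plan in the post above (copy whatever escaped encryption somewhere safe, then set the encrypted drives aside) is straightforward to script once the disks are attached to a Linux box and mounted read-only. The script below is an added example, not from the forum thread or from Asustor. It assumes that encrypted files carry the `.deadbolt` suffix the post refers to as "the Deadbolt extension", that the source volume is mounted read-only, and that the staging path is on a different disk.

```python
"""Added example (not from the forum thread or from Asustor): read-only triage
of a Deadbolt-hit volume. Classifies files by the '.deadbolt' suffix and copies
the ones that escaped encryption to a staging location, never writing under
the source tree.

Assumptions: the source volume is mounted read-only (attach the drives to a
Linux box and mount with -o ro), encrypted files carry the '.deadbolt' suffix,
and the staging path lives on a different disk.
"""
import os
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".deadbolt"  # assumed: the extension Deadbolt appends


def triage(source: Path) -> dict:
    """Walk `source` and return {'encrypted': [...], 'clean': [...]} of
    relative paths. Symlinks are skipped so a link cannot lead the walk
    off the volume."""
    encrypted, clean = [], []
    for root, _dirs, files in os.walk(source):  # does not follow dir symlinks
        for name in files:
            path = Path(root) / name
            if path.is_symlink():
                continue
            rel = path.relative_to(source)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            else:
                clean.append(rel)
    return {"encrypted": sorted(encrypted, key=str),
            "clean": sorted(clean, key=str)}


def _inside(child: Path, parent: Path) -> bool:
    """True if `child` resolves to a location under `parent`."""
    try:
        child.resolve().relative_to(parent.resolve())
        return True
    except ValueError:
        return False


def salvage(source: Path, staging: Path, dry_run: bool = False) -> int:
    """Copy every clean file under `source` to `staging`, preserving the
    relative path and timestamps. Refuses a staging directory inside the
    source volume. Returns the number of files copied (or that would be)."""
    if _inside(staging, source):
        raise ValueError("staging directory must not be inside the source volume")
    copied = 0
    for rel in triage(source)["clean"]:
        if not dry_run:
            dst = staging / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, dst)  # copy2 keeps mtime for later sorting
        copied += 1
    return copied


def summary(source: Path) -> str:
    """One-line count of encrypted vs clean files with the encrypted share."""
    report = triage(source)
    n_enc, n_clean = len(report["encrypted"]), len(report["clean"])
    total = n_enc + n_clean
    share = 100.0 * n_enc / total if total else 0.0
    return f"{total} files: {n_enc} encrypted ({share:.1f}%), {n_clean} clean"


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for a real read-only mount.
    src = Path(tempfile.mkdtemp(prefix="deadbolt_src_"))
    dst = Path(tempfile.mkdtemp(prefix="deadbolt_staging_"))
    (src / "photos").mkdir()
    (src / "photos" / "holiday.jpg.deadbolt").write_bytes(b"\x00" * 32)
    (src / "photos" / "untouched.jpg").write_bytes(b"\xff\xd8\xff")
    (src / "docs.txt").write_text("survived")
    print(summary(src))
    print("would copy:", salvage(src, dst, dry_run=True))
    print("copied:", salvage(src, dst), "files to", dst)
```

Mount read-only first; the advice quoted earlier in the thread about not overwriting deleted data applies to any write, including a staging directory accidentally created on the source disk, which is why `salvage` refuses a staging path inside the source tree. Run with `dry_run=True` to see the counts before copying anything.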
outside79
Posts: 11
Joined: Mon Feb 28, 2022 12:39 am

Re: Deadbolt ransomware

Post by outside79 »

ac_alex wrote:I followed these instructions: https://www.asustor.com/en-gb/knowledge ... oup_id=630, but now I can't enter the ransomware screen again.
"Ransomware Status" is installed.
What should I do to enter the ransomware screen?
As far as I understand, you should refresh the login page in your web browser; then the Deadbolt screen should show up again.
outside79
Posts: 11
Joined: Mon Feb 28, 2022 12:39 am

Re: Deadbolt ransomware

Post by outside79 »

marp wrote:Please be realistic. One. If the encryption was done correctly, you have absolutely no chance, none, to brute-force it. Period. Two. Paying ransomware is illegal in many jurisdictions and most probably morally questionable. In the end it means giving money to organized crime. If it works for them they will do it again and again. Three. The first responsibility for protecting your data is yours. If you expose your NAS to the internet, no one but you is to blame. Please learn this lesson.
That's a bunch of bullshit. Really, I'm only looking at whether it's my responsibility what happened. That's the same victim shaming people use when girls get raped: "you shouldn't have worn that short skirt". Is that really the way you regard people? If I use Facebook with open settings, are people allowed to act as they please? No, this is criminal intent; they are solely responsible for attacking. Asustor, on the other hand, could have prevented this once they heard about the attack on QNAP.
outside79
Posts: 11
Joined: Mon Feb 28, 2022 12:39 am

Re: Deadbolt ransomware

Post by outside79 »

OK, so I need some real answers. I believe I can get the files back by paying, so let's start there. I will probably pay as I have 20 years of memories to get back. But I turned my machine on. Not really knowing what to do, I just print-screened all the info and downloaded that. I then repeated the process of turning it off. But I needed to recheck something and turned it on again, and now it states uninitialized.

where do i go from here?

Should I restart with a different drive, get it initialized, then remove the discs and put in the infected ones once I have the key, and open it through the Asustor method for the reinitializing error? Or is the error gone through the ADM update? Or the virus, it might be more correct to say.

Would I need two drives to make the configuration the same so it would react properly when I reinstall the infected ones?

Sorry about the spelling, but I'm in a bit of a rush right now.

Another question: has anyone followed a bitcoin chain in the making? What happens during the actual transaction?
THX1139
Posts: 8
Joined: Tue Mar 15, 2016 1:59 am

Re: Deadbolt ransomware

Post by THX1139 »

I gave up and formatted my drives after doing the firmware update. I’m currently copying (almost) everything back from a second backup with a cloud backup service. Finally got some value back for paying for that service for years. I’m happy with that. The file transfer has been going for three days now with about five more to go.

I did change the 8000 range ports but I don’t know where to do the web ones. Perhaps not needed, as I don’t have the NAS online except for system updates and my Emby media server, which I believe is connected to the Emby site somehow even if I am only streaming to devices in our apartment over our internal WiFi network. Don’t know if I need to change any ports for that somewhere. Anyway, I don’t have a web server or anything.

Yes, with my complete lack of knowledge about any of this I’ll probably get hacked again some day.
Moromoro
Posts: 5
Joined: Sat Mar 12, 2022 5:12 am

Re: Deadbolt ransomware

Post by Moromoro »

Hi, I can't find the Ransomware Status app in App Central. Can anyone advise how to get it, as I can't see the information message for that attack and all my data is locked.
Thank you.
bazuev
Posts: 3
Joined: Sun Oct 18, 2015 4:15 am

Re: Deadbolt ransomware

Post by bazuev »

Moromoro wrote:Hi, I can't find the Ransomware Status app in App Central. Can anyone advise how to get it, as I can't see the information message for that attack and all my data is locked.
Thank you.
They provide a direct link for this app on the instruction page: https://www.asustor.com/knowledge/detail/?group_id=630

https://downloadgb.asustor.com/download ... r0_any.apk

Not sure why not just upload it to App Central. :?