
Deadbolt ransomware

Posted: Tue Feb 22, 2022 12:03 am
by kippersbum
My 5304T NAS has just been hit by Deadbolt ransomware!

I noticed a large amount of disk activity and tried to log in to my NAS to see what was going on and saw the “All your files have been encrypted” message. I switched off the NAS, so I am hopeful that at least some of my data will still be unencrypted, but I need advice as to what I should do next.

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 12:08 am
by rmtonin
I just woke up to the same thing. Is there a way to kill the process? Half my files are still being processed...

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 12:42 am
by billsargent
Take your NAS OFF of EZ Connect. Block its incoming traffic from outside.


This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index.

To remove theirs, you need to chattr -i index.cgi and replace it with the backup.

But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.

This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi.

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 12:55 am
by theimmortal
billsargent wrote:Take your NAS OFF of EZ Connect. Block its incoming traffic from outside.


This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index.

To remove theirs, you need to chattr -i index.cgi and replace it with the backup.

But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.

This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi.
How do you use chattr to do that? Any simple instructions?

Was/is the index replacement simply like a redirect or could the encryption already have taken down many/most files?

Is there any way to do it through a GUI interface with a live Linux distro? Never had to work on Linux command line interface before.

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:00 am
by billsargent
I am assuming you have SSH capabilities? If so, you just need to SSH in, log in as root and run these commands. This should help you get back into the portal.

Code:

cd /usr/webman/portal
chattr -i index.cgi          # clear the immutable attribute so the file can be removed
rm index.cgi                 # remove the replaced index.cgi
cp index.cgi.bak index.cgi   # restore the backup copy kept in the same directory
If you look at the index.cgi they created before you delete it, it's a text script.

I am still in the investigative stages, but nothing in my shares has been locked up with this yet. Just things in /root so far.

I've pulled out a ton of LTO tapes to back up my data. I think this is going to require a full reset. I hope ASUSTOR releases a fix for this, but I will never again allow my NAS to have outside access.
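A small triage script that checks for the indicators the posts above describe (files renamed with a .deadbolt extension, an index.cgi in /usr/webman/portal replaced by a text script and made immutable, and a process and a binary in /tmp whose names are just digits). This is an added example, not a script from any poster here and not an ASUSTOR tool. It assumes the /usr/webman/portal and index.cgi.bak paths named above; the share root /volume1, the "all digits" name heuristic and the "#!" shebang check are assumptions of this example, not facts from the thread.

```shell
#!/bin/sh
# Deadbolt triage helpers (added example; paths and heuristics are assumptions).

# Count files under $1 that carry the .deadbolt extension.
count_deadbolt() {
    find "$1" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

# Print the names of entries directly under $1 whose names consist only of digits
# (the thread describes a dropped binary in /tmp with such a name).
numeric_names() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        n=${f##*/}
        case "$n" in
            *[!0-9]*) ;;                 # contains a non-digit: skip
            *) printf '%s\n' "$n" ;;
        esac
    done
}

# Read "PID COMM" lines (as produced by `ps -eo pid,comm`) on stdin and print
# the PIDs whose command name is all digits.
numeric_procs() {
    while read -r pid comm rest; do
        case "$comm" in
            ''|*[!0-9]*) ;;
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# Return 0 if the given file starts with "#!", i.e. looks like a text script
# rather than a compiled CGI. Heuristic: the thread only says the replaced
# index.cgi "is a text script".
index_is_script() {
    head -c 2 "$1" 2>/dev/null | grep -q '^#!'
}

# Return 0 if $1/index.cgi differs from $1/index.cgi.bak.
index_differs_from_backup() {
    ! cmp -s "$1/index.cgi" "$1/index.cgi.bak"
}

# Print a report. Defaults are the real NAS paths; /volume1 is an assumed share root.
triage() {
    portal=${1:-/usr/webman/portal}
    shares=${2:-/volume1}
    tmpdir=${3:-/tmp}
    printf 'encrypted (.deadbolt) files under %s: %s\n' "$shares" "$(count_deadbolt "$shares")"
    printf 'all-digit names in %s: %s\n' "$tmpdir" "$(numeric_names "$tmpdir" | tr '\n' ' ')"
    printf 'PIDs with all-digit command names: %s\n' \
        "$(ps -eo pid,comm 2>/dev/null | tail -n +2 | numeric_procs | tr '\n' ' ')"
    if index_is_script "$portal/index.cgi"; then
        printf '%s/index.cgi starts with #! (looks replaced)\n' "$portal"
    fi
    if index_differs_from_backup "$portal"; then
        printf '%s/index.cgi differs from index.cgi.bak\n' "$portal"
    fi
    printf 'attributes: '
    lsattr "$portal/index.cgi" 2>/dev/null || echo '(lsattr unavailable)'
}

# Run the report only when called with arguments, e.g.:
#   sh triage.sh /usr/webman/portal /volume1 /tmp
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Run it as root over SSH before touching anything; the report is read-only, and the restore steps in the post above (chattr -i, rm, cp) are deliberately left out of it so nothing is changed without you looking first. If the immutable flag shows up in the lsattr line as "i", that is the attribute the chattr -i step clears.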

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:07 am
by Machinae
This had better be fixed ASAP. Same Deadbolt shit here.

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:08 am
by billsargent
Machinae wrote:This had better be fixed ASAP. Same Deadbolt shit here.
It most likely won't be.

If you have shares to Windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.

Files that have been encrypted have a .deadbolt extension

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:14 am
by racingscott
I've been hit as well. I removed the index.cgi and restored that backup file, so I'm back in the portal now. Is there a way to stop this before it locks all of the files, and how can I remove it for good?

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:15 am
by theimmortal
billsargent wrote:I am assuming you have SSH capabilities? If so, you just need to SSH in, log in as root and run these commands. This should help you get back into the portal.

Code:

cd /usr/webman/portal
chattr -i index.cgi          # clear the immutable attribute so the file can be removed
rm index.cgi                 # remove the replaced index.cgi
cp index.cgi.bak index.cgi   # restore the backup copy kept in the same directory
If you look at the index.cgi they created before you delete it, it's a text script.

I am still in the investigative stages, but nothing in my shares has been locked up with this yet. Just things in /root so far.

I've pulled out a ton of LTO tapes to back up my data. I think this is going to require a full reset. I hope ASUSTOR releases a fix for this, but I will never again allow my NAS to have outside access.
Interesting (and extremely infuriating).

Luckily (I guess) this was shortly after a drive upgrade so the old drives are untouched. Would it be safe to swap in the old drives or should I do a full system reset (I'm leaning towards the reset)?

What's the best format option if doing a full reset? Btrfs or EXT4?

Re: Deadbolt ransomware

Posted: Tue Feb 22, 2022 1:41 am
by Machinae
billsargent wrote:
Machinae wrote:This had better be fixed ASAP. Same Deadbolt shit here.
It most likely won't be.

If you have shares to Windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.

Files that have been encrypted have a .deadbolt extension
I just turned it off. I have no idea about the damage done and am not too keen to start it up again, as I have no clue what to do.