Deadbolt ransomware
-
- Posts: 1
- Joined: Mon Feb 21, 2022 11:57 pm
Deadbolt ransomware
My 5304T NAS has just been hit by Deadbolt ransomware!
I noticed a large amount of disk activity and tried to log in to my NAS to see what was going on, and saw the "All your files have been encrypted" message. I switched off the NAS, so I am hopeful that at least some of my data will still be unencrypted, but I need advice as to what I should do next.
-
- Posts: 1
- Joined: Tue Feb 22, 2022 12:06 am
Re: Deadbolt ransomware
I just woke up to the same thing. Is there a way to kill the process? Half my files are still being processed...
-
- Posts: 61
- Joined: Sun Apr 19, 2015 5:57 pm
- Location: Göteborg, Sweden
Re: Deadbolt ransomware
Take your NAS OFF of EZ-Connect. Block its incoming traffic from outside.
It overwrites index.cgi with their own. In /usr/webman/portal there is a backup copy of your index.
To remove theirs, you need to chattr -i index.cgi and replace it with the backup.
But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.
This is probably not possible to fix without a reset, but you can get back into your portal with the above info. Right now, though, mine is still immediately replacing the index.cgi.
-
- Posts: 22
- Joined: Wed Dec 28, 2016 6:05 am
Re: Deadbolt ransomware
How do you use chattr to do that? Any simple instructions?
billsargent wrote:
Take your NAS OFF of EZ-Connect. Block its incoming traffic from outside.
It overwrites index.cgi with their own. In /usr/webman/portal there is a backup copy of your index.
To remove theirs, you need to chattr -i index.cgi and replace it with the backup.
But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.
This is probably not possible to fix without a reset, but you can get back into your portal with the above info. Right now, though, mine is still immediately replacing the index.cgi.
-
Was/is the index replacement simply like a redirect or could the encryption already have taken down many/most files?
Is there any way to do it through a GUI interface with a live Linux distro? I've never had to work on a Linux command line interface before.
-
- Posts: 61
- Joined: Sun Apr 19, 2015 5:57 pm
- Location: Göteborg, Sweden
Re: Deadbolt ransomware
I am assuming you have SSH capabilities? If so, you just need to SSH in, log in as root, and run these commands. This should help you get back into the portal.
If you look at the index.cgi they created before you delete it, it's a text script.
I am still in the investigative stages but nothing in my shares has been locked up with this yet. Just things in /root so far.
I've pulled out a ton of LTO tapes to back up my data. I think this is going to require a full reset. I hope asustor releases a fix for this, but I will never allow my NAS to have outside access again.
cd /usr/webman/portal
chattr -i index.cgi          # clear the immutable bit so the tampered file can be removed
rm index.cgi
cp index.cgi.bak index.cgi   # restore the original portal page from the backup copy
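The steps billsargent describes across his two posts (take the NAS off the internet, find the numeric-named process and the matching binary in /tmp, put index.cgi back from index.cgi.bak, check whether the shares were reached) collected into one POSIX shell script. This is an added example, not code from the thread or from ASUSTOR. The paths /usr/webman/portal, index.cgi.bak, /tmp and the .deadbolt extension come from the posts; the /proc walk, the quarantine naming for the tampered file, the SHARE_DIR default and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ASUSTOR. Collects the
# triage steps described in the posts into reusable shell functions.
# Paths taken from the thread: /usr/webman/portal, index.cgi.bak, /tmp.
# Assumptions of this example: Linux procfs at /proc, the quarantine file
# naming, the SHARE_DIR default, and the function names themselves.
# POSIX sh only, so it also runs under the busybox shell on NAS firmware.

PORTAL_DIR="${PORTAL_DIR:-/usr/webman/portal}"   # named in the thread
TMP_DIR="${TMP_DIR:-/tmp}"                       # named in the thread
PROC_DIR="${PROC_DIR:-/proc}"                    # assumption: Linux procfs
SHARE_DIR="${SHARE_DIR:-/volume1}"               # assumption: where shares live

# Exit 0 when a name consists only of digits, the pattern the thread reports
# for both the running process and the dropped binary in /tmp.
is_numeric_name() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "PID COMM" for every process whose command name is purely numeric.
# Reading /proc/<pid>/comm avoids ps(1) options that differ between GNU
# and busybox builds. Report only; killing is left to the operator.
find_numeric_processes() {
    for d in "$PROC_DIR"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null)
        if is_numeric_name "$comm"; then
            printf '%s %s\n' "${d##*/}" "$comm"
        fi
    done
}

# Print any regular file in the temp directory whose name is purely numeric.
find_numeric_tmp_files() {
    for f in "$TMP_DIR"/*; do
        if [ -f "$f" ] && is_numeric_name "${f##*/}"; then
            printf '%s\n' "$f"
        fi
    done
}

# Put the original portal page back. The tampered index.cgi is moved aside
# rather than deleted so it stays available for analysis (quarantine name is
# this example's choice). chattr only matters on ext-style filesystems and
# is allowed to fail elsewhere.
restore_index() {
    dir="$1"
    if [ ! -f "$dir/index.cgi.bak" ]; then
        echo "restore_index: no index.cgi.bak in $dir" >&2
        return 1
    fi
    if [ -f "$dir/index.cgi" ]; then
        chattr -i "$dir/index.cgi" 2>/dev/null || true
        mv "$dir/index.cgi" "$dir/index.cgi.tampered.$(date +%s)" || return 1
    fi
    cp "$dir/index.cgi.bak" "$dir/index.cgi"
}

# Count files carrying the .deadbolt extension under a directory. Zero means
# the data there was not reached, as several posters report for their shares.
count_deadbolt_files() {
    find "$1" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use on the NAS (as root, over SSH): sh deadbolt_triage.sh triage
if [ "${1:-}" = "triage" ]; then
    echo "== processes with numeric names =="; find_numeric_processes
    echo "== numeric files in $TMP_DIR =="; find_numeric_tmp_files
    echo "== restoring $PORTAL_DIR/index.cgi =="; restore_index "$PORTAL_DIR"
    echo "== .deadbolt files under $SHARE_DIR =="; count_deadbolt_files "$SHARE_DIR"
fi
```

Run it only after the NAS is disconnected from the internet, and kill the numeric-named process before calling restore_index; billsargent notes the malware immediately rewrites index.cgi while it is still running, so restoring first just loses the race. The tampered copy is kept on disk precisely because it is a plain text script and worth reading before any reset.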
-
- Posts: 9
- Joined: Thu Jan 08, 2015 5:10 am
Re: Deadbolt ransomware
This had better be fixed ASAP. Same Deadbolt shit here.
-
- Posts: 61
- Joined: Sun Apr 19, 2015 5:57 pm
- Location: Göteborg, Sweden
Re: Deadbolt ransomware
It most likely won't be.
Machinae wrote:
This had better be fixed ASAP. Same Deadbolt shit here.
If you have shares to Windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.
Files that have been encrypted have a .deadbolt extension
-
- Posts: 1
- Joined: Tue Feb 22, 2022 1:12 am
Re: Deadbolt ransomware
I've been hit as well. I removed the index.cgi and restored that backup file, so I'm back in the portal now. Is there a way to stop this before it locks all of the files, and how can I remove it for good?
-
- Posts: 22
- Joined: Wed Dec 28, 2016 6:05 am
Re: Deadbolt ransomware
Interesting (and extremely infuriating).
billsargent wrote:
I am assuming you have SSH capabilities? If so, you just need to SSH in, log in as root, and run these commands. This should help you get back into the portal.
If you look at the index.cgi they created before you delete it, it's a text script.
cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi
I am still in the investigative stages but nothing in my shares has been locked up with this yet. Just things in /root so far.
I've pulled out a ton of LTO tapes to back up my data. I think this is going to require a full reset. I hope asustor releases a fix for this, but I will never allow my NAS to have outside access again.
Luckily (I guess) this was shortly after a drive upgrade so the old drives are untouched. Would it be safe to swap in the old drives or should I do a full system reset (I'm leaning towards the reset)?
What's the best format option if doing a full reset? Btrfs or ext4?
-
- Posts: 9
- Joined: Thu Jan 08, 2015 5:10 am
Re: Deadbolt ransomware
I just turned it off, have no idea about the damage done, and am not too prone to start it up again as I have no clue what to do.
billsargent wrote:
It most likely won't be.
Machinae wrote:
This had better be fixed ASAP. Same Deadbolt shit here.
If you have shares to Windows, check your shares and see if you can still access your files. Mine are all fine. Only the OS stuff seems to be damaged and deadbolted. All of my shares are totally normal.
Files that have been encrypted have a .deadbolt extension