QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

7:45pm, 22 February 2022

TLP Rating: Clear

QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware

Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.deadbolt’ extension.

QNAP has released updates for the affected software. CERT NZ advises all organisations with QNAP NAS devices to update and then apply all other software updates.

What's happening

Systems affected

Both QNAP and Asustor NAS devices are being actively targeted by attackers intending to deploy ransomware.

QNAP NAS devices that are internet exposed and running QTS and QuTS operating systems, or add-ons with the following versions are affected:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models:

  • AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T

What to look for

How to tell if you're affected

To discover whether you have Deadbolt ransomware on your system, users can log in to the QNAP or Asustor NAS and run the following command to find all files with the .deadbolt extension:

sudo find / -type f -name "*.deadbolt".

What to do

Mitigation

If you have not been breached and still need to have the NAS running, make sure the following has been done:

  1. For Asustor devices disable EZ-Connect (service for remote access).
  2. Disable SSH.
  3. Ensure that the device is not exposed to the internet, particularly the web interface or file shares.
  4. If the device is clear of ransomware, update the operating system and all installed add-ons.
  5. If in doubt, contact your local technical support for further advice.

If you have been compromised with ransomware, do not update your NAS device until it is clean of ransomware.

More information