QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware

Both QNAP and Asustor NAS devices are being actively targeted by attackers intending to deploy ransomware.

QNAP NAS devices that are internet exposed and running QTS and QuTS operating systems, or add-ons with the following versions are affected:

• QTS 5.0.0.1891 build 20211221 and later
• QTS 4.5.4.1892 build 20211223 and later
• QuTS hero h5.0.0.1892 build 20211222 and later
• QuTS hero h4.5.4.1892 build 20211223 and later
• QuTScloud c5.0.0.1919 build 20220119 and later

Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models:

• AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T

To discover whether you have Deadbolt ransomware on your system, users can log in to the QNAP or Asustor NAS and run the following command to find all files with the .deadbolt extension:

sudo find / -type f -name "*.deadbolt".

If you have not been breached and still need to have the NAS running, make sure the following has been done:

1. For Asustor devices disable EZ-Connect (service for remote access).
2. Disable SSH.
3. Ensure that the device is not exposed to the internet, particularly the web interface or file shares.
4. If the device is clear of ransomware, update the operating system and all installed add-ons.
5. If in doubt, contact your local technical support for further advice.

If you have been compromised with ransomware, do not update your NAS device until it is clean of ransomware.