QNAP advises users to disconnect NAS from internet to avoid DeadBolt ransomware ransomware

Typically, NAS is preferred for local storage via LAN. However, many users knowingly or unknowingly allow remote NAS access. New ransomware called DeadBolt is actively scanning to find these internet-connected NAS systems. If a NAS has an internet connection and is not secured, the ransomware will encrypt the data on them.

The DeadBolt ransomware isn't complicated at all. However, NAS systems that are not up-to-date or properly configured are easy targets.

QNAP advises users to disconnect NAS from internet to avoid DeadBolt ransomware ransomware Picture 1

Once infiltrated, the ransomware sends a notification to the victim that their data has been encrypted. It is not clear how DeadBolt sends the notification. Most likely the guys behind this ransomware left a written note on one of the compromised NAS drives.

QNAP side confirmed that DeadBolt ransomware demands ransom in Bitcoin.

The company asks users to pay attention to the message: "The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP" on the dashboard.

If this message appears, it means that your NAS is exposed to the internet. QNAP recommends that all existing NAS users disconnect their NAS from the internet. This will block NAS access over the internet but local access will still be maintained. Currently, QNAP's NAS systems are all running the QTS operating system.

To ensure even more safety, QNAP also recommends that users disable all port forwarding on the main router that the NAS connects to and also disable the UPnP function completely.

If you feel the above steps are a bit drastic, you should at least update your NAS operating system regularly and double-check authentication and usage policies.

Lesley Montoya

Update 04 February 2022