
A ransomware group that targets small businesses and home computer users has resurfaced, with more than a thousand infected devices showing up in the past few days alone, according to Sophos.
Instead of hijacking larger companies and then posting notification of the breach on their computer desktops, the DeadBolt malware uses vulnerable network-attached storage devices (NAS) to target backup files without users even realizing.
DeadBolt is thought to have been in operation since the beginning of 2021 – one year on from that, it claimed a high-profile scalp when MIT researcher and podcaster Lex Fridman admitted to losing 50TB of data to the ransomware group.
“DeadBolt infections have suddenly leapt back onto its radar, with more than a thousand affected devices showing up in the past few days,” said Sophos, citing reports by internet security scanning firm Censys.
“What we can’t tell you is why these infections have returned. It’s possible that the crooks behind DeadBolt have come up with a brand new exploit, or a variation on the exploit they used before,” it added, though it suggested that in the former case the surge in new infections might have been even bigger.
Sophos also believes the sudden resurgence could be down to unpatched devices not previously exposed to the internet being recently opened up to DeadBolt attacks by computer users “hurriedly revising their network configurations in the light of current cybersecurity anxieties provoked by the war in Ukraine.”
Turning defense into attack
In its latest surge, the ransomware group appears to be targeting a file storage device made by Taiwanese NAS company QNAP again – only this time it is using the company’s own defenses against it.
The threat actors may be abusing a remote code execution (RCE) hole covered by QNAP’s security advisory QSA-21-57, which the company posted around the time of the Fridman attack, and which “could be exploited to inject malicious code directly onto the storage device itself”, according to Sophos.
“If you’d inadvertently set up your backup device so that its web portal was accessible from the ‘internet side’ of your network connection – the port that’s probably labeled wide area network (WAN) on your router – then anyone who knew how to abuse the security hole patched in QSA-21-57 could attack your backup files with malware,” it added.
This attack vector means that victims might not even realize their computers have been breached until they review the files on their systems.
“If you were in the habit of looking at your device only when you needed to recover or review files you didn’t have space to keep ‘live’ on your laptop, you might not have realized that your files had been scrambled until you next went to the web interface of your NAS.”

Quirky and criminal
The threat actors behind DeadBolt alter the portal page of a victim’s NAS to run an extortion message that reads: “Warning: your files have been locked by DeadBolt. This includes photos, documents and spreadsheets.”
The message then quirkily assures the victim that “it is not a personal attack” and directs them to pay 0.03 in Bitcoin, valued at around $1,250 as of March 23 – believed by Sophos to be the current rate being extorted from small firms and lone computer users targeted by DeadBolt.
The ransomware group’s communication grows increasingly ironic after this point, as it assures victims that its “decryption key delivery process is 100% transparent and honest”, while advising them to migrate data to a secure platform to avert future attacks.
“If you struggle with this process, please contact an IT professional to help you,” the crooks thoughtfully suggest in closing.

Presumably emboldened by its success against the company, DeadBolt has also targeted QNAP itself, in what Sophos has called “meta-blackmail” attacks.
“Important message for QNAP! All your affected customers have been targeted using a zero-day [previously unidentified] vulnerability in your product,” another extortion message reads before going on to table two alternative payments.
The first of these is a straightforward one-time patch offer for BTC5 (around $200,000), but the second – costing ten times as much – is an “all you can eat buffet” key that will unlock all future encryptions done using the current version of the DeadBolt malware.
At the time of writing, QNAP is not thought to have paid any ransom to the group.

Stay alert
But if the DeadBolt ransomware is enjoying an unwelcome revival, it is at least easier to detect than one might think.
“As it happens, spotting devices affected by this malware is fairly easy,” said Sophos.
“If a publicly accessible IP number has a listening HTTP server, then the first few lines of HTML sent back in the web server’s main page will give away whether that server has already been scrambled by DeadBolt.”
The uppercase title on DeadBolt’s extortion page also makes it easy to detect using a simple text search at the top of HTML pages, it added.
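The check Sophos describes can be sketched as follows, as an added example (not code from Sophos or Cybernews) for triaging saved copies of your own NAS portal pages. The marker string is an assumption derived from the ransom wording quoted above, since the article does not give the exact title, and the sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumption: marker is the ransom wording quoted in the article, upper-cased.
# The article does not give the exact title string.
MARKER = "YOUR FILES HAVE BEEN LOCKED BY DEADBOLT"
HEAD_BYTES = 2048  # only the "first few lines" of the main page are inspected

class TitleGrabber(HTMLParser):
    """Collects the text of the first <title> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title, self.title = False, None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self.in_title, self.title = True, ""

    def handle_data(self, data):
        if self.in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

def portal_title(body: bytes) -> str:
    grabber = TitleGrabber()
    grabber.feed(body[:HEAD_BYTES].decode("utf-8", errors="replace"))
    grabber.close()
    return " ".join((grabber.title or "").split())

def looks_locked(body: bytes, marker: str = MARKER) -> bool:
    # Title must be all upper case AND carry the marker, so a page that only
    # mentions DeadBolt in its body (an advisory, a news story) is not flagged.
    title = portal_title(body)
    return title.isupper() and marker in title

def triage(pages: dict) -> list:
    """Return the names of saved portal pages whose title matches."""
    return sorted(name for name, body in pages.items() if looks_locked(body))

# Constructed sample pages, not captured from real devices.
SAMPLES = {
    "nas-a": b"<html><head><title>WARNING: YOUR FILES HAVE BEEN LOCKED BY DEADBOLT</title>",
    "nas-b": b"<html><head><title>NAS Login</title></head><body></body></html>",
    "wiki": b"<html><head><title>Advisory notes</title></head><body>"
            b"<p>YOUR FILES HAVE BEEN LOCKED BY DEADBOLT</p></body></html>",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```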
To avoid attacks, Sophos advises users to avoid “set and forget” updates on mobile phones, smart TVs, and laptops and to ensure that network servers are not accidentally opened up to the internet.
“Regularly verify that any updates you receive – whether forced on you, automatically fetched or manually requested – have gone through correctly,” it said. “Don’t open your network servers up to the internet unless you really mean to. QNAP has advice on how to prevent your NAS device from receiving connections by mistake [and] being accessed or even discovered in the first place.”
Small businesses and personal computer users are also urged to keep offline data backups and avoid using the Universal Plug and Play feature – which runs the risk of making newly connected devices visible to cybercriminals.