Taiwanese vendor QNAP has released a statement indicating that new malware called DeadBolt has been detected targeting its NAS (Network Attached Storage) devices. DeadBolt is ransomware that encrypts user data and demands a ransom of 0.03 Bitcoins (approximately 1,000 euros) to recover it.

The ransomware is reportedly exploiting a zero-day (0-day) vulnerability unknown to the manufacturer. In the message displayed on the device after infection, the malware's developers state that they are willing to sell QNAP the specific details of the vulnerability for 5 Bitcoins (about 171,000 euros). They are also willing to hand over the master key that would allow the data on all affected devices to be decrypted for 50 Bitcoins.

If the NAS device is exposed to the Internet and the system management service can be directly accessed from an external IP address, the following settings are recommended:

Disable the port forwarding feature of the router

From the router administration interface, in the section corresponding to the Virtual Server, NAT or Port Forwarding configuration, disable the port forwarding option for the NAS administration service ports (ports 8080 and 443 by default).

Disable the UPnP port forwarding function of the NAS

From myQNAPcloud in the QTS menu, under “Router auto configuration”, uncheck “Enable UPnP port forwarding”.
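
After both settings are changed, it is worth confirming that the router no longer holds a mapping to the NAS administration ports. The following is an added example, not code from QNAP or from the original article: it parses a port-mapping listing in the format printed by the miniupnpc client (`upnpc -l`, format assumed) and flags mappings that still forward to ports 8080 or 443 on the NAS. The sample listing, the descriptions in it and the NAS address 192.168.1.50 are constructed.

```python
import re

# Default QTS administration ports named in the advisory above.
ADMIN_PORTS = {8080, 443}

# One mapping line of `upnpc -l` output (format assumed from miniupnpc):
#   index protocol exPort->inAddr:inPort 'description' 'remoteHost' leaseTime
MAPPING_RE = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def exposed_admin_mappings(listing, nas_ip, admin_ports=ADMIN_PORTS):
    """Return router mappings that forward TCP traffic to the NAS admin ports."""
    findings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # header, status or blank line
        _, proto, ext_port, in_addr, in_port, desc = m.groups()
        # The internal port decides exposure: the admin service may be
        # published under a different external port number.
        if proto == "TCP" and in_addr == nas_ip and int(in_port) in admin_ports:
            findings.append({
                "external_port": int(ext_port),
                "internal_port": int(in_port),
                "description": desc,
            })
    return findings

# Constructed sample listing (not captured from a real router).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'constructed-nas-web' '' 0
 1 TCP 18443->192.168.1.50:443   'constructed-nas-https' '' 0
 2 UDP 51820->192.168.1.20:51820 'constructed-vpn' '' 0
 3 TCP  9090->192.168.1.77:8080  'constructed-other-host' '' 0
 4 TCP 32400->192.168.1.50:32400 'constructed-media' '' 0
"""

if __name__ == "__main__":
    for f in exposed_admin_mappings(SAMPLE, "192.168.1.50"):
        print("still forwarded: external %(external_port)d -> "
              "NAS port %(internal_port)d (%(description)s)" % f)
```

An empty result for the NAS address means the router holds no UPnP mapping to the administration ports; manually configured forwarding rules do not appear in a UPnP listing and still have to be checked in the router interface.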

