DeadBolt ransomware targeted NAS devices (notably QNAP and ASUSTOR) with a multitiered extortion scheme that includes both victim and vendor payout options and a web-based ransom interface. The report highlights DeadBolt’s configuration-driven, automated approach, its encryption techniques, and the economics of ransom payments, including blockchain-based payment disclosure. #DeadBolt #QNAP #ASUSTOR
Keypoints
- DeadBolt primarily targets NAS devices from QNAP and ASUSTOR, with a high infection footprint in early 2022.
- The malware uses a dynamic JSON configuration per vendor to tailor settings for campaigns and vendors.
- Two ransom schemes exist: victims pay for a per-device decryption key, or vendors pay for a master decryption key (the latter was never proven workable).
- Encryption uses AES-128-CBC and appends metadata to encrypted files; entropy increases indicate successful encryption.
- A ransom note is created on infected devices and a web UI is served by substituting the legitimate CGI script.
- Economics show only about 8% of victims paid, illustrating a volume-based business model rather than targeted big-game extortion.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ‘The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing NAS devices.’
- [T1059] Command-Line Interface – ‘The two supported operation modes are encrypt (-e) and decrypt (-d).’
- [T1486] Data Encrypted for Impact – ‘DeadBolt uses AES-128-CBC to encrypt files with a provided key from the configuration file.’
- [T1036] Masquerading – ‘DeadBolt replaces the legitimate CGI script to show this ransomware page.’
Indicators of Compromise
- [File name] ransom note dropped on infected devices – !!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt; example of an encrypted file – document.docx.deadbolt
- [File extension] appended to every encrypted file – .deadbolt (e.g., document.docx.deadbolt, spreadsheet.xls.deadbolt)
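The key points above note that encrypted files gain a .deadbolt extension, show a jump in entropy, and sit beside a ransom note. The following is an added example (not code from the report or from DeadBolt itself) of a defender-side scan that checks a share for all three signs; the entropy threshold, the sample size and the constructed files in `demo()` are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Names from the page: the ransom note and the extension appended to encrypted files.
RANSOM_NOTE = "!!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt"
ENCRYPTED_EXT = ".deadbolt"
# Assumed threshold: AES-CBC output is close to 8 bits/byte; documents sit far lower.
HIGH_ENTROPY = 7.5
SAMPLE_BYTES = 65536  # read only the head of large files to keep the scan cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: Path) -> dict:
    """Collect the three DeadBolt-style indicators described in the report."""
    findings = {"ransom_notes": [], "deadbolt_files": [], "high_entropy": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            findings["ransom_notes"].append(path.name)
        if path.suffix == ENCRYPTED_EXT:
            findings["deadbolt_files"].append(path.name)
        entropy = shannon_entropy(path.read_bytes()[:SAMPLE_BYTES])
        if entropy >= HIGH_ENTROPY:
            findings["high_entropy"].append((path.name, round(entropy, 2)))
    return findings


def demo() -> dict:
    """Constructed share: one ransom note, one plaintext file, one encrypted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / RANSOM_NOTE).write_text("constructed ransom note text\n")
        (root / "report.txt").write_text("quarterly report " * 400)
        # Stand-in for an encrypted file: random bytes mimic AES-CBC ciphertext.
        (root / "photo.jpg.deadbolt").write_bytes(os.urandom(4096))
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())
```

On a real NAS the entropy check is what catches files renamed or truncated after encryption, while the note and extension checks are the cheap first pass.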