7:45pm, 22 February 2022
QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware
Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.deadbolt’ extension.
QNAP has released updates for the affected software. CERT NZ advises all organisations with QNAP NAS devices to update and then apply all other software updates.
Both QNAP and Asustor NAS devices are being actively targeted by attackers intending to deploy ransomware.
QNAP NAS devices that are internet exposed and running QTS and QuTS operating systems, or add-ons with the following versions are affected:
- QTS 126.96.36.1991 build 20211221 and later
- QTS 188.8.131.522 build 20211223 and later
- QuTS hero h184.108.40.2062 build 20211222 and later
- QuTS hero h220.127.116.112 build 20211223 and later
- QuTScloud c18.104.22.1689 build 20220119 and later
Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models:
- AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T
What to look for
How to tell if you're affected
To discover whether you have Deadbolt ransomware on your system, users can log in to the QNAP or Asustor NAS and run the following command to find all files with the .deadbolt extension:
sudo find / -type f -name "*.deadbolt".
What to do
If you have not been breached and still need to have the NAS running, make sure the following has been done:
- For Asustor devices disable EZ-Connect (service for remote access).
- Disable SSH.
- Ensure that the device is not exposed to the internet, particularly the web interface or file shares.
- If the device is clear of ransomware, update the operating system and all installed add-ons.
- If in doubt, contact your local technical support for further advice.
If you have been compromised with ransomware, do not update your NAS device until it is clean of ransomware.
- Further information from the community on the Asustor vulnerability and mitigation advice. External Link
- Further information on the QNAP vulnerability and mitigation advice External Link .
- CERT NZ Critical control: Securing Internet Exposed Services External Link
- Protect Yourself from Deadbolt External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ External Link
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.