Tracking Deadbolt Ransomware Across the Globe
Deadbolt, the ransomware attack that just won’t end, appears to be back for a third round. Our Rapid Response Team has been monitoring this campaign against QNAP devices since it first appeared in late January 2022.
A quick refresh on QNAP Deadbolt ransomware
QNAP is a manufacturer of network-attached storage (NAS) devices. In January of this year, a group calling themselves Deadbolt targeted a series of QNAP NAS devices made for consumers and small businesses that run the QNAP QTS (Linux-based) operating system, infecting the devices with ransomware.
Rather than encrypting the entire device, which would effectively take it offline (and out of Censys’s view), the ransomware encrypts only specific backup directories and replaces the web administration interface with a ransom note telling the victim how to get their files back.
Because the ransomware communicates with the victim through that defaced, internet-facing admin page, Censys could easily find infected devices exposed on the public internet with a simple Censys search query. Along with general information about which hosts were infected with Deadbolt, we could also extract and track every unique Bitcoin wallet address used as a ransom drop.
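The detection just described comes down to two steps: recognising the ransom note in the HTTP response a scanner gets back from the NAS, and pulling the Bitcoin drop addresses out of it so that wallets can be deduplicated and tracked. The script below is an added example written for this post, not Censys tooling or a Censys query. It runs over a small set of constructed scan records (documentation-range IPs and hand-written response bodies), flags bodies that carry an assumed ransom-note indicator string (a real signature would be taken from a captured note), validates each candidate address with its Base58Check or bech32 checksum so that mangled strings do not pollute the wallet list, and tallies infected hosts per country the way the dashboard section later summarises them.

```python
"""Flag DeadBolt-style ransom pages in scan output and extract valid BTC wallets."""
import hashlib
import re
from collections import Counter

# ASSUMPTION: indicator text on the defaced QNAP admin page. In practice derive
# the signature from a captured ransom note rather than from this constant.
RANSOM_MARKER = "locked by DeadBolt"

# Candidate addresses: legacy/P2SH (Base58, starts with 1 or 3) or native
# segwit (bech32, starts with bc1). Checksums are verified separately below.
ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{8,87})\b")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def valid_base58check(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1' characters become leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_bech32(addr: str) -> bool:
    """BIP173 bech32 checksum (witness v0). bech32m (v1+) uses a different constant."""
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")  # '1' never occurs in the bech32 data charset
    if hrp != "bc" or not data or any(c not in BECH32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32.index(c) for c in data]
    return _bech32_polymod(values) == 1


def valid_address(addr: str) -> bool:
    return valid_bech32(addr) if addr.startswith("bc1") else valid_base58check(addr)


def find_infections(records):
    """Return (infected hosts per country, unique wallets, per-host detail)."""
    per_country = Counter()
    wallets = set()
    detail = []
    for rec in records:
        if RANSOM_MARKER not in rec["body"]:
            continue  # ordinary QTS login page or unrelated service
        found = {a for a in ADDR_RE.findall(rec["body"]) if valid_address(a)}
        per_country[rec["country"]] += 1
        wallets |= found
        detail.append((rec["ip"], rec["country"], sorted(found)))
    return per_country, wallets, detail


# Constructed scan records (not real data). Wallets are the well-known genesis
# address and the BIP173 example address; the "...Nb" string is a corrupted copy.
SAMPLE_SCAN = [
    {"ip": "192.0.2.10", "country": "US",
     "body": "<title>WARNING: Your files have been locked by DeadBolt</title>"
             "<p>Send payment to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p>"},
    {"ip": "192.0.2.11", "country": "US",
     "body": "files have been locked by DeadBolt. Pay to "
             "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 for the key."},
    {"ip": "198.51.100.5", "country": "DE",
     "body": "locked by DeadBolt. Wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
             "(mirror: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)"},
    {"ip": "203.0.113.7", "country": "GB",
     "body": "<title>QTS Login</title><form>username / password</form>"},
]

if __name__ == "__main__":
    by_country, unique_wallets, hosts = find_infections(SAMPLE_SCAN)
    print("infected hosts by country:", dict(by_country))
    print("unique ransom wallets:", sorted(unique_wallets))
    for ip, cc, ws in hosts:
        print(ip, cc, ws)
```

The checksum step matters more than it looks: extraction noise, truncated responses and attacker typos all produce strings that match the address regex, and feeding those to a blockchain explorer wastes effort or silently drops wallets from the tally. A third QNAP host reusing the same wallet (as in the DE record above) counts as another infected host but not as another wallet, which is the distinction the per-wallet transaction tracking relies on.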
Together with Concinnity Risks, we determined how much money the attack had brought in by tracking transactions to the Bitcoin wallets associated with infections; as of last month, we concluded the following. Note that these figures do not include the most recent set of infections, but they give good insight into the inner workings of a ransomware campaign.
For more on the original attacks, you can check our posts from January, “The QNapping of QNAP Devices,” and our entry on the resurgence in March, “Deadbolt Ransomware is Back.”
Real-time tracking of Deadbolt
Because of the persistence of this threat, our research team has created a dashboard that tracks Deadbolt-infected devices using the same data that feeds Censys Search.
At the time of this writing, on May 20th, Deadbolt infections were visible on around 469 devices (this counts only hosts whose defaced web interface is reachable from the public internet). Over the last seven days (May 11 to May 18), most infected devices were in the United States, followed by Germany and the United Kingdom.
Digging deeper into the report, we can examine the number of infected devices by country, see detailed information on individual hosts, and see the associated Bitcoin addresses.
We’ll continue to monitor NAS devices infected with Deadbolt ransomware. In the meantime, you can start exploring the Censys Deadbolt Ransomware Report below.
Catch up on the latest Deadbolt news
TechTarget – QNAP devices hit by DeadBolt ransomware again
Special thanks to Eireann Leverett @ Concinnity Risks for providing the BTC transaction info.