Asustor NAS owners on Reddit and the official Asustor forums have reported that they've fallen victim to a DeadBolt ransomware attack. DeadBolt has been in the wild for some time now, infecting unprotected NAS systems connected to the Internet. The same ransomware previously wreaked havoc on QNAP devices, and it would appear that Asustor was the next target.
DeadBolt's modus operandi hasn't changed much. The attacker remotely slips into the victim's NAS, encrypts the data on it, and then asks for a ransom in bitcoin. Each victim receives a unique Bitcoin address to send the funds to. Once the payment goes through, the criminal sends the victim the decryption key to decrypt the files on the infected NAS system. The perpetrators are asking for 0.03 bitcoin, which at today's exchange rate is around $1,154. It's the same sum that the hijackers had demanded from their QNAP victims. Surprisingly, the gang didn't make Asustor any offers. With QNAP, the group had offered to share the vulnerability details with the company for five bitcoins ($184,000) or sell it the universal decryption master key for 50 bitcoins ($1.85 million).
Asustor users who synchronize their files from their NAS to a cloud service like Microsoft OneDrive or Google Drive should sever the link as soon as possible. One Redditor commented that his infected system pushed the encrypted files to his OneDrive and Google Drive accounts. While he could recover the files from the former, he didn't have any luck with the latter.
Asustor hasn't released a statement regarding the DeadBolt attack. The recommendation from infected owners is to disconnect the NAS system from the Internet and wait for Asustor's fix. Owners speculate that DeadBolt gained access through Asustor's EZ Connect utility, which allows users to connect to their NAS systems from anywhere around the world. What's funny is that even the live demo of ADM (Asustor Data Master), the operating system for Asustor NAS devices, wasn't spared by DeadBolt.
It's unknown if all Asustor NAS devices are susceptible to the DeadBolt attack as there is user feedback that some models, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are free of infection. Meanwhile, some affected models include the AS5304T, AS6404T, AS5104T, and AS7004T.
If you're one of the lucky owners that didn't get infected, one Redditor recommends taking some preventative measures: disabling EZ Connect, automatic updates, and SSH; blocking all NAS ports at your router; and only allowing connections from within your network.
I think the problem here is self-evident.
And Asustor is apparently just a division of Asus, if anyone was wondering.
Somewhat off topic, but I finally found you. Just want to say thank you about your sig. Your sig picture finally got me to actually back up my data properly some time ago, and saved my data from a catastrophic drive failure (my main drive failed just a few days after I finished backing up, that's like a lifetime's worth of family pictures). If I hadn't found you randomly I'd be sitting here one lifetime of memories short.
Have been looking for you, I remember the sig, but couldn't figure out who the user was. Again, thank you.
That said, I guess ignorance is bliss, I couldn't figure out how to set up a NAS, so this won't affect me.
I've been using FreeNAS since 2015, it has all the functionality I need, and best of all it's free. I use an old Core i5-6400 with 8GB RAM and 4 x 4 TB WD Red in RAID 5. The last upgrade was installing a 10Gbps NIC, so the backup process is done much more quickly.
Kudos to you for taking it to heart. Far too many people only think of the backup thing 5 minutes after they actually need it.