Skip to main content

Deadbolt Ransomware Attacks Target ASUStor NAS

Asustor AS5202T
Asustor AS5202T (Image credit: Asustor)

Asustor NAS owners on Reddit and the official Asustor forums have reported that they've fallen victim to a DeadBolt ransomware attack. DeadBolt has been in the wild for some time now, infecting unprotected NAS systems connected to the Internet. The same ransomware previously wreaked havoc on QNAP devices, and it would appear that Asustor was the next target.

DeadBolt's modus operandi hasn't changed much. The attacker remotely slips into the victim's NAS, encrypts the latter's information, and consequently asks for a ransom in bitcoins. Each victim receives a unique Bitcoin address to send the funds. Once the payment goes through, the criminal sends the victim the decryption key to decrypt the files on the infected NAS system. The perpetrators are asking for 0.03 bitcoin, which by today's exchange rate is around $1,154. It's the same sum that the hijackers had demanded from their QNAP victims. Surprisingly, the gang didn't make Asustor any offers. With QNAP, the group had offered to share the vulnerability details with the company for five bitcoins ($184,000) or sell it the universal decryption master key for 50 bitcoins ($1.85 million).

Asustor users that synchronize their files from their NAS to a cloud service like Microsoft OneDrive or Google Drive should sever the link as soon as possible. One Redditor commented his infected system pushed the encrypted files to his OneDrive and Google Drive accounts. While he could recover the files from the former, he didn't have any luck with the latter.

Asustor hasn't released a statement regarding the DeadBolt attack. The recommendation from infected owners is to disconnect the NAS system from the Internet and wait for Asustor's fix. Owners speculate that DeadBolt gained access through Asustor's EZ Connect utility, which allows users to connect to their NAS systems from anywhere around the world. What's funny is that even the live demo of ADM (Asustor Data Master), the operating system for Asustor NAS devices, wasn't saved from the DeadBolt.

It's unknown if all Asustor NAS devices are susceptible to the DeadBolt attack as there is user feedback that some models, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are free of infection. Meanwhile, some affected models include the AS5304T, AS6404T, AS5104T, and AS7004T.

Suppose you're one of the lucky owners that didn't get infected. In that case, one Redditor recommends taking some preventative measures, such as disabling EZ Connect, automatic updates, SSH, blocking all NAS ports from your router, and only allowing connections from within your network.

Zhiye Liu
Zhiye Liu

Zhiye Liu is a Freelance News Writer at Tom’s Hardware US. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • USAFRet
    "Asustor NAS owners on Reddit and the official Asustor forums have reported that they've fallen victim to a DeadBolt ransomware attack. DeadBolt has been in the wild for some time now, infecting unprotected NAS systems connected to the Internet."

    I think the problem here is self evident.
    Reply
  • helper800
    0.03 BTC is like 1100 dollars, although 1 BTC is about 37000 dollars.
    Reply
  • Alvar "Miles" Udell
    Yet another reminder why you should always have an offline copy of your files on an external hard drive.
    Reply
  • USAFRet
    Alvar Miles Udell said:
    Yet another reminder why you should always have an offline copy of your files on an external hard drive.
    3-2-1
    Reply
  • cryoburner
    Not sure how much I would trust a utility called "EZ Connect" to make the contents of a network accessible "anywhere around the world". And if they could get in there to encrypt the files, then it was also likely possible for them to upload the data to their servers as well.

    And Asustor is apparently just a division of Asus, if anyone was wondering.
    Reply
  • exploding_psu
    USAFRet said:
    3-2-1

    Somewhat off topic, but I finally found you. Just want to say thank you about your sig. Your sig picture finally got me to actually back up my data properly some time ago, and saved my data from a catastrophic drive failure (my main drive failed just few days after I finished backing up, that's like a lifetime worth of family pictures). If I hadn't found you randomly I'd be sitting here one lifetime memories short.

    Have been looking for you, I remember the sig, but couldn't figure out who's the user. Again, thank you.

    That said, I guess ignorance is a bliss, I couldn't figure out how to setup a NAS, so this won't affect me.
    Reply
  • watzupken
    One of the reasons why I moved away from using NAS besides the need to maintain it. The software for these branded NAS tend to be bad in terms of functionality and security. I've used Synology NAS before and the software keeps giving me problems, where some times it allow me to access my contents remotely and most of the time it keeps failing to let access my files and contents.
    Reply
  • samopa
    watzupken said:
    One of the reasons why I moved away from using NAS besides the need to maintain it. The software for these branded NAS tend to be bad in terms of functionality and security. I've used Synology NAS before and the software keeps giving me problems, where some times it allow me to access my contents remotely and most of the time it keeps failing to let access my files and contents.

    I'm using FreeNAS since 2015, it has all functionality I need, and best off all its free. Use old core i5-6400 with 8GB RAM and 4 x 4 TB WD Red in RAID 5. Last upgrade, installing 10Gbps NIC, so the backup prose is done much more quickly.
    Reply
  • USAFRet
    exploding_psu said:
    Somewhat off topic, but I finally found you. Just want to say thank you about your sig. Your sig picture finally got me to actually back up my data properly some time ago, and saved my data from a catastrophic drive failure (my main drive failed just few days after I finished backing up, that's like a lifetime worth of family pictures). If I hadn't found you randomly I'd be sitting here one lifetime memories short.

    Have been looking for you, I remember the sig, but couldn't figure out who's the user. Again, thank you.

    That said, I guess ignorance is a bliss, I couldn't figure out how to setup a NAS, so this won't affect me.
    I rather like that pic as well.

    Kudos to you for taking it to heart. Far too many people only think of the backup thing 5 minutes after they actually need it.
    Reply
  • Woodhigh
    USAFRet said:
    3-2-1
    Yes, should have had a backup, I know, but we didnt have one current enough .. We have been scammed --This is a warning to avoid trying to recover from deadbolt Ransomwhere using USA based business found on Instagram, Whats app and this forum . They are know as "900Ethics" in the forums. They offer to restore deadbolt files for a total of $300, then when they have that, they then ask for another $100 for decryption software, then when thats paid they are for a delivery and gas fee of $150, then when thats paid, they say you have paid $550 but others have paid $1000 so 900Ethics say we should pay more also.. These guys are dishonest crooks and scammers..
    Reply