DeadBolt ransomware was recently used to target customers of QNAP, a Taiwanese company that produces network attached storage (NAS) devices.
The attacks target a zero-day vulnerability, patched in December 2021, that allows the threat actor to run arbitrary code on vulnerable devices exposed to the internet.
The ransom note asked victims to pay 0.03 Bitcoin to have their files decrypted, as well as asking QNAP to pay 5 BTC to "receive all details about this zero-day vulnerability so it can be patched," or to pay 50 BTC for a universal decryption key.
However, those that did make the decision to pay the ransom have still had a difficult time decrypting their data.
Emsisoft offers decryption key for DeadBolt ransomware
Some users have been unable to decrypt their data after paying the ransom because QNAP force-installed an update to block the threat actors from exploiting the vulnerability, which also rendered the decryption key supplied by DeadBolt useless.
Thankfully, Emsisoft CTO Fabian Wosar came to the rescue and shared this tweet:
QNAP users who got hit by DeadBolt and paid the ransom are now struggling to decrypt their data because a forced firmware update issued by @QNAP_nas removed the payload that is required for decryption. If you are affected, please use our tool instead. https://t.co/6fvO8ntvrU
— Fabian Wosar (@fwosar) January 30, 2022
This decryptor allows users who paid the ransom to decrypt their data. Still, for victims who have not paid, the only recovery option remains paying the ransom. Brett Callow, a threat analyst at Emsisoft, explains:
"DeadBolt's encryption seems to be secure, meaning the only way for victims to recover the data is to pay the ransom. Our decryptor is designed to help those who do pay. QNAP's forced update removes the ransomware payload and, without that, the decryptor supplied by the criminals will not work. Our decryptor addresses that problem," Callow said.
Following this incident, QNAP published a blog post with steps customers can take to better protect their devices and fight back against ransomware.