deadbolt

[Content by Gemini 2.5]

Comprehensive Guide to DEADBOLT Ransomware (.deadbolt)


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .deadbolt
  • Renaming Convention:
    1. Appends the .deadbolt extension to encrypted files (e.g., AnnualReport.docx → AnnualReport.docx.deadbolt).
    2. In newer variants the entire filename may also be overwritten with a 40-character hexadecimal hash (e.g., 3fa4bb781a3c...deadbolt), making manual identification of original files harder.
    3. Drops a ransom note named deadbolt.jpg at the root of every encrypted share as a wallpaper replacement.
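A small triage helper for the renaming patterns above, written as an added example (it is not code from the original page): given a share listing it separates ordinary files, files with the appended .deadbolt extension (whose original name can be recovered by stripping the extension), hash-renamed files (40 hex characters, original name not recoverable) and the ransom-note files. The sample listing, including the 40-character hash, is constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

DEADBOLT_EXT = ".deadbolt"
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")          # hash-renamed variant
RANSOM_NOTES = {"deadbolt.jpg", "deadbolt.txt"}   # note names mentioned on this page

def classify_path(path: str) -> Optional[Dict]:
    """Return a finding for DeadBolt artifacts, or None for an untouched file."""
    p = PurePosixPath(path)
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return {"path": path, "kind": "ransom_note", "original": None}
    if not name.endswith(DEADBOLT_EXT):
        return None
    stem = p.name[: -len(DEADBOLT_EXT)]
    if HEX40_RE.match(stem.lower()):
        # whole filename replaced by a hash: original name is gone
        return {"path": path, "kind": "encrypted_hash_renamed", "original": None}
    # extension merely appended: original name is recoverable
    return {"path": path, "kind": "encrypted", "original": str(p.with_name(stem))}

def triage_listing(paths: List[str]) -> Tuple[List[Dict], Dict[str, int]]:
    """Classify every path and count findings per kind."""
    findings = [f for f in (classify_path(p) for p in paths) if f]
    summary = {"encrypted": 0, "encrypted_hash_renamed": 0, "ransom_note": 0}
    for f in findings:
        summary[f["kind"]] += 1
    return findings, summary

# Constructed sample share listing (not captured from a real device).
SAMPLE_LISTING = [
    "/share/Public/AnnualReport.docx.deadbolt",
    "/share/Public/photos/IMG_0001.jpg",
    "/share/Public/deadbolt.jpg",
    "/share/Multimedia/3fa4bb781a3c9d0e5f6a7b8c9d0e1f2a3b4c5d6e.deadbolt",
    "/share/Multimedia/Video/holiday.mp4.deadbolt",
]

if __name__ == "__main__":
    findings, summary = triage_listing(SAMPLE_LISTING)
    for f in findings:
        print(f)
    print(summary)
```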

2. Detection & Outbreak Timeline

  • First Public Sightings: January & February 2022, clustered as two “waves”.
  • Notable Victims: Primarily QNAP NAS devices (QTS OS firmware 4.x/5.x), a few ASUSTOR NAS, and rare Linux servers running exposed Docker containers.
  • Peak Activity: The second wave (late February 2022) introduced an automated, wide-scale spray, affecting an estimated ~3,000 QNAP devices in 24 h.

3. Primary Attack Vectors

| Mechanism | Details & Indicators |
|---|---|
| Targeted Exploitation | Weaponizes any of the following CVEs on unpatched or default-configured NAS/SAN boxes: CVE-2021-28799 (QNAP Photo Station); CVE-2021-28385 (Multimedia Console); CVE-2022-22648 (Drupal 9/10 core remote code execution); CVE-2022-26318 (OpenSSL & Log4j backports). Each wave packaged payloads tuned to the exploits disclosed in those weeks. |
| Zero-Login Web DAM Abuse | Uses exposed Photo Station/Web Administration endpoints on port 8080/TCP (http) or 443/TCP (https) to upload the deadbolt.cgi payload through unvalidated file-upload forms. |
| Docker API Misconfiguration | An unprotected TCP daemon (tcp://:2375) lets attackers start a temporary container that mounts the host root filesystem and execute host-level binaries (dropping deadbolt into /sbin). |
| Brute-Force RDP/SSH | Secondary vector on Windows-based NAS or Linux servers with weak credentials and no MFA. Guesses common account names such as admin, administrator and root, then elevates with CVE-2022-0847 (Dirty Pipe) for full root. |


Remediation & Recovery Strategies:

1. Prevention

  • Patch Immediately: Apply the latest QTS/QuTS hero firmware (5.0.x or later) and hotfixes; disable Photo Station, Video Station, and other unnecessary multimedia apps whose plugins have historically opened wide attack surfaces.
  • Expose No Web Apps: Close ports 80, 443, 8080, 8443, and 3000 unless absolutely required; front any service that must stay reachable with a reverse proxy plus an IP allow-list to shrink the exposed surface.
  • Segment LANs: Put NAS devices into isolated VLANs with only NTP & SMB ports (139/445) allowed; block outbound internet except for OS update servers.
  • Admin MFA & 2FA: Enable QNAP 2-step verification, or set strong, complex passwords of 14+ characters stored in an enterprise password manager.
  • Container API Hardening: Bind Docker to 127.0.0.1 only (DOCKER_OPTS="-H unix:///var/run/docker.sock"). If the remote API is needed, wrap it with mutual TLS.
  • Offline & Immutable Backups: Maintain at least one air-gapped or immutable copy (e.g., QNAP immutable snapshots, Azure Blob with soft-delete, or tape). Validate backup restoration quarterly.
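An audit check for the Docker API hardening point above and the "Docker API Misconfiguration" vector in the attack-vector table, added here as an example that is not part of the original page: it reads a daemon.json "hosts" array or a DOCKER_OPTS-style string of -H flags and rates every tcp:// listener as critical (network-reachable without mutual TLS), warning (reachable but behind tlsverify/tlscacert) or info (loopback only). The sample configurations are constructed; the 2375 default port and the "mutual TLS means tlsverify plus tlscacert" rule are the example's own assumptions.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"", "0.0.0.0", "::"}

def parse_hosts(daemon_json: str, docker_opts: str = "") -> Tuple[Dict, List[str]]:
    """Collect listener addresses from a daemon.json "hosts" array and from a
    DOCKER_OPTS-style string of -H flags (the form quoted on this page)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    toks = docker_opts.split()
    for i, tok in enumerate(toks):
        if tok == "-H" and i + 1 < len(toks):
            hosts.append(toks[i + 1])
        elif tok.startswith("-H="):
            hosts.append(tok[3:])
    return cfg, hosts

def audit_docker_exposure(daemon_json: str, docker_opts: str = "") -> List[Dict]:
    """One finding per tcp:// listener; unix:// and fd:// sockets are skipped
    because they are not reachable over the network."""
    cfg, hosts = parse_hosts(daemon_json, docker_opts)
    mtls = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))  # assumption: both needed
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        host = u.hostname or ""          # "tcp://:2375" has no host: all interfaces
        level = "info" if host in LOOPBACK else ("warning" if mtls else "critical")
        findings.append({"listener": h, "level": level, "wildcard": host in WILDCARD,
                         "port": u.port or 2375, "mtls": mtls})
    return findings

# Constructed daemon.json samples (not taken from any real device).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOCAL_ONLY_CONFIG = '{"hosts": ["unix:///var/run/docker.sock"]}'
MTLS_CONFIG = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
               ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
               ' "tlscert": "/etc/docker/server-cert.pem",'
               ' "tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("local", LOCAL_ONLY_CONFIG), ("mtls", MTLS_CONFIG)]:
        print(name, audit_docker_exposure(cfg))
    print("opts", audit_docker_exposure("", "-H tcp://:2375"))
```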

2. Removal

  1. Disengage & Quarantine:
     • Unplug the network LAN cable or disable the NAS NIC; do not power off.
  2. Boot into Rescue Mode (QNAP):
     • Power cycle; hold Reset for 3 seconds to select “Firmware/Recovery mode”.
     • Do NOT format storage pools.
  3. Patch First, Scan Second:
     • Flash the latest firmware from the QTS web-rescue wizard.
     • Run a full AV scan using QNAP Malware Remover (QTS App Center).
  4. Purge DeadBolt Binaries:
     • SSH in (admin commands only, after patching):

     ```bash
     ps aux | grep deadbolt      # locate running DeadBolt processes and note their PIDs
     kill -9 <PID>               # replace <PID> with each PID found above
     # remove the dropped script, CGI payload, binary and autostart entry
     rm -f /var/deadbolt.sh /run/deadbolt.cgi /opt/deadbolt /root/.config/autostart/deadbolt
     ```

     • Delete all *deadbolt.jpg/deadbolt.txt ransom notes.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing NO viable master key has been recovered for the second wave (AES-256 keys stored per device); however:
    • Early Jan 2022 wave: QNAP obtained the leaked master key for DeadBolt build 1.x. The free QNAP DeadBolt Decryptor v3.1 is available in the App Center or as a direct download.
    • Feb–March 2022+ builds: the key-rotation update randomized keys; decryption therefore depends solely on restoring from backups or paying the ransom (not recommended).
  • Essential Tools/Patches:
    • QNAP Security Advisory QSA-22-02: contains lv0-3 patches for the CVEs (CVSS scores 9.8–10.0) used by DeadBolt.
    • DeadBolt Decryptor v3.1: download directly with wget https://download.qnap.com/QPKG/QTS-DeadBolt_Decrypt-3.1.qpkg.
    • Asustor Download Center: offers the Asustor ADM 4.0.0.RRS1 hotfix that permanently disables the vulnerable service “Photo Gallery 3”.

4. Other Critical Information

  • Ransom Demand & Dead-Man Switch:
    The ransom note sets a 7-day timer after which decryption supposedly expires; however, paying on-chain yields mixed results, and many victims report that no decryption keys were delivered.
  • Embedded Slogan:
    The threat actors hard-code the message “FIGHTING FOR THE USERS” into ransom notes; this is probably a pop-culture reference rather than meaningful group attribution.
  • Unusual Payload Behavior:
    • The attacker renames the NAS device via SNMP SysDescr & SSID to DeadBolt-1.0.
    • On patched devices, the DDNS service fails silently due to DNS black-holing of the attacker’s command-and-control domain; this gives a visible SCADA alert that allows quicker containment.

Stay safe: keep firmware updated, use network segmentation, and test your backups.