September 22, 2023

QNAP started warning its customers again to secure their Internet-exposed NAS devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware.

DeadBolt has been widely targeting the NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom. The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard. NAS makers urged immediately update QTS to the latest available version to block incoming DeadBolt ransomware attacks.


The attackers are not dropping ransom notes on encrypted devices but, instead, they are hijacking the login pages to display warning screens saying “WARNING: Your files have been locked by DeadBolt.”

The ransom screen asks the victims to pay 0.03 bitcoins (roughly $1,100) to a unique Bitcoin address generated for each victim, claiming that the decryption key will be sent to the same blockchain address in the OP_RETURN field once the payment goes through.

DeadBolt ransom note and instructions

The DeadBolt gang is also asking QNAP to pay 50 bitcoins (around $1.85 million) for the zero-day and a master decryption key to decrypt files for all affected victims.

The NAS maker also advises customers to immediately disable Port Forwarding on their router and the UPnP function of the QNAP NAS using the following steps:

  • Disable the Port Forwarding function of the router
  • Disable the UPnP function of the QNAP NAS

These ongoing DeadBolt ransomware attacks only impact exposed NAS devices and, given that the attackers also claim to use a zero-day bug, it’s advised to disconnect them from the Internet just as QNAP recommended in today’s warning.

Next to eCh0raix ransomware  and AgeLocker, DeadBolt seen attacking QNAP in recent times . This warning is the third one QNAP issued to alert customers of ransomware attacks targeting their Internet-exposed NAS devices in the last 12 months.

Leave a Reply

%d bloggers like this: