DeadBolt has been in the wild for a while, infecting unprotected NAS systems that are exposed to the Internet. The ransomware has previously wrecked QNAP devices, and it appears that Asustor is next in line.
DeadBolt’s method of operation hasn’t changed significantly. The attacker remotely breaks into the victim’s NAS, encrypts the data and demands a ransom in Bitcoin. Each victim is issued an individual Bitcoin address to pay into. Once the payment is confirmed, the criminals send the victim a decryption key that unlocks the files on the affected NAS. The perpetrators ask for 0.03 Bitcoin, about $1,154 at the exchange rate at the time of writing, which is the exact amount they demanded from their QNAP victims. Asustor itself has received no offer. In the QNAP campaign, the group offered to share details of the vulnerability with QNAP for 5 Bitcoin ($184,000), or to sell a universal master decryption key for 50 Bitcoin ($1.85 million).
Asustor users who synchronize the files on their NAS to cloud services such as Microsoft OneDrive or Google Drive should disconnect that sync as quickly as possible: the sync client will faithfully mirror the encrypted versions over the good copies in the cloud, and recovery then depends on the service still holding earlier versions. One Redditor, for example, described how his infected system had pushed the encrypted files into his OneDrive and Google Drive accounts. He was able to recover the files from OneDrive, but had no luck with Google Drive.
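The sync problem above is a race: the earlier you notice that a folder is filling up with ciphertext, the more good versions survive in the cloud. The following is an added example, not code from the article, from Asustor or from the Redditor, of a small watcher you could run against a synced folder to catch that early. It assumes two things the article does not state: that DeadBolt renames the files it encrypts with a `.deadbolt` suffix (a known trait of this family), and that a freshly encrypted file has near-maximal byte entropy. The thresholds, the list of already-compressed file types it skips, and the sample directory in the usage note are illustrative.

```python
"""Spot ransomware output in a cloud-synced folder before it overwrites good copies.

Added example for this article, not code from the original page, Asustor, or the
Redditor quoted above. Assumptions: DeadBolt appends ".deadbolt" to encrypted
files (known behaviour of the family, not stated by the article) and ciphertext
has near-maximal byte entropy. Thresholds and skipped file types are illustrative.
"""
import math
import time
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".deadbolt"      # assumption: DeadBolt's appended extension
ENTROPY_THRESHOLD = 7.5             # bits per byte; text and office files sit well below
RECENT_SECONDS = 24 * 3600          # only inspect files changed in the last day
SAMPLE_BYTES = 64 * 1024            # reading the head of each file is enough
# Already-compressed formats are legitimately high-entropy; skip them to cut false positives.
COMPRESSED_TYPES = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                    ".mp3", ".mp4", ".mkv", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, now=None):
    """Return (path, reason) pairs for files under root that look like ransomware output.

    A file is flagged if it carries the known suffix, or if it is not a compressed
    type, was modified recently, and its leading bytes are near-random.
    """
    now = time.time() if now is None else now
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_SUFFIX):
            flagged.append((str(path), "suffix"))
        elif path.suffix.lower() in COMPRESSED_TYPES:
            continue
        elif now - path.stat().st_mtime <= RECENT_SECONDS:
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                    flagged.append((str(path), "high-entropy"))
    return flagged


def should_pause_sync(flagged, threshold=5):
    """Recommend pausing the sync client once several files have been flagged."""
    return len(flagged) >= threshold


if __name__ == "__main__":
    import sys
    hits = suspicious_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, why in hits:
        print(f"{why:13s} {path}")
    if should_pause_sync(hits):
        print("Pause cloud sync now and restore from version history.")
```

Run it against the local sync folder (for example `python watcher.py ~/OneDrive`) from cron or a file-change hook. The suffix match is the strong signal; the entropy check is a fallback that catches the same behaviour from a variant using a different extension, at the cost of occasional false positives on encrypted archives or unusual binary formats, which is why the pause threshold is several files rather than one.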
Asustor has not yet issued a response to the DeadBolt attack. The best current advice is to disconnect your NAS from the Internet and wait for a fix from Asustor. Owners suspect that DeadBolt got in through Asustor’s EZ Connect feature, which lets users reach their NAS from anywhere in the world. Tellingly, even Asustor’s public live demo of ADM (Asustor Data Master), the operating system that runs on its NAS devices, was not spared by DeadBolt.
It’s unclear whether most Asustor NAS devices are susceptible to DeadBolt, since users report that some models, including the AS6602T, AS-6210T-4K, AS5304T and AS6102T, have not been infected, while others report infections on the AS5304T, AS6404T, AS5104T and AS7004T. The AS5304T appears in both lists, so reports on that model conflict.
If you are one of the lucky ones who weren’t infected, one Redditor suggests taking preventative measures: turn off EZ Connect, disable SSH and automatic updates, block all NAS ports on your router, and only allow connections from inside your local network.