DeadBolt Ransomware

Taiwanese company QNAP has warned customers to secure network-attached storage (NAS) appliances and routers against a new ransomware variant called DeadBolt.

"DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users' data for Bitcoin ransom," the company said. "QNAP urges all QNAP NAS users to […] immediately update QTS to the latest available version."

A query on IoT search engine Censys shows that at least 3,687 devices have been encrypted by the DeadBolt ransomware so far, with most NAS devices located in the U.S., Taiwan, France, Italy, the U.K., Hong Kong, Germany, the Netherlands, Poland, and South Korea.

In addition, QNAP is also urging users to check if their NAS devices are public-facing, and if so, take steps to turn off the port forwarding function of the router and disable the Universal Plug and Play (UPnP) function of the QNAP NAS.


The advisory comes as Bleeping Computer revealed that QNAP NAS devices are being encrypted by the DeadBolt ransomware by exploiting a supposed zero-day vulnerability in the device's software. The attacks are believed to have started on January 25.

The ransomware strain, which locks the files with a ".deadbolt" file extension, demands that victims pay a ransom of 0.03 bitcoins (approximately $1,100) to a unique Bitcoin address in exchange for a decryption key.

On top of that, the operators of the ransomware claimed they are willing to offer complete details of the alleged zero-day flaw if QNAP pays them five bitcoins (~$186,700). It's also ready to sell the master decryption key that can be used to unlock the files for all affected victims for an extra 45 bitcoins (~$1.7 million).

While it's not immediately clear if QNAP heeded to the extortion demand, the company, on Reddit, acknowledged that it had silently force-installed an emergency firmware update to "increase protection" against the ransomware, adding "It is a hard decision to make. But it is because of DeadBolt and our desire to stop this attack as soon as possible that we did this."


QNAP devices have emerged a frequent target of ransomware groups and other criminal actors, prompting the company to issue numerous warnings in recent months. On January 7, it advised customers to safeguard their NAS devices from ransomware and brute-force attacks, and ensure that they are not exposed to the internet.

When reached for a response, QNAP said the update was triggered as part of a QTS Auto Update feature. "QNAP PSIRT leveraged the feature updating QTS to prevent from DeadBolt ransomware or other malwares' attack," the company told The Hacker News, adding the "malware exploited one of the vulnerabilities fixed in this release in QSA-21-57."

The company also said the vulnerability relates to a flaw affecting QTS and QuTS hero operating systems that, if successfully exploited, could allow attackers to run arbitrary code in the affected system. The issue has been addressed in the following versions —

  • QTS build 20211221 and later
  • QTS build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

Update: QNAP, in a new statement shared today, disclosed that ransomware attacks involving DeadBolt exploited a vulnerability it patched in December, noting the updates will be applied automatically if the auto update option is toggled on. This is to "enhance security and protection of your QNAP NAS, mitigating the attack from criminals," the company said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.