Data recovery after Ransomware DeadBolt

25. March, 2022

Recover Script für Ransomware DeadBolt

Back in January, the ransomware DeadBolt caused a considerable wave of infections among QNAP, Asustor and TerraMaster users. The ransomware, which specialises in backup media, mainly targets private individuals and small businesses.

DeadBolt used a vulnerability to make the files on the NAS drives inaccessible using a customised AES128 encryption. The ransom demanded for the encrypted files was 0.03 bitcoins (about 1,200 euros). Firmware updates helped to stop DeadBolt.

New wave of attacks on QNAP users

The current wave of attacks is very similar to the one in January. DeadBolt attacks QNAP network storage and overwrites the original files with the encrypted version, which reduces the chance of recovery.

It is still unclear whether the current wave uses new attack paths or is only targeting unpatched systems. We strongly recommend installing available updates immediately to close known exploits, use strong passwords and change default ports and accesses.

The criminals behind the ransomware are once again demanding the same ransom amount of 0.03 Bitcoins and are continuing to try to extort QNAP as well: They are demanding 5 Bitcoin for information about the exploited vulnerability and 50 Bitcoin for a master key to restore all encrypted data.

Recover script and instructions for QNAP and Asustor

Two Austrian security researchers have written a script that can help QNAP and Asustor users get at least some of their data back. “By matching the size and file extension of the original and the non-deleted files, some of the information can be recovered,” said the researchers, who had already written a recover script for the ransomware Qlocker: “Note, however, that in most cases you can only recover a small part of your files!”

In one test case, 10% of the encrypted files could be recovered and an additional 30% that had not been encrypted could be found.

Download zip-file (description: DeadBolt Recover Manual, q-recover script: DeadBold Recover Script)

Worth reading:
Ransomware Qlocker: How to restore your data (for the most part)

Sources:
https://censys.io/deadbolt-ransomware-is-back/

MSSP of the Year 2024

SIEM

What is a SIEM?

Nozomi Guardian Air
HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung
Indicators of Attack
Gefahren durch vertrauenswürdige Services

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download