Earlier this week users of ASUSTOR NAS devices began reporting incidents of the Deadbolt ransomware affecting their hardware, locking their data behind a paywall that extorts the owners for money (in the form of cryptocurrency). The infections - which appear to have been made via the NAS's default web access ports of 8000, 8001, 80 and 443 - are at this time impossible to remove without compromising encrypted data, placing end-users in a bind.
In response to the reports ASUSTOR published the following press release, making recommendations for those who don't appear to have suffered a Deadbolt infection. A firmware fix to prevent infection should be released soon according to official posts on social media, but that won't help those already afflicted.
ASUSTOR Emergency Press Release
In response to Deadbolt ransomware attacks affecting ASUSTOR devices, the myasustor.com DDNS service will be disabled as the issue is investigated. ASUSTOR will release more information with new developments as we investigate and review the causes to ensure this does not happen again. We remain committed to helping affected customers in every way possible.
For your protection, we recommend the following measures:
- Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
- Disable EZ Connect.
- Make an immediate backup.
- Turn off Terminal/SSH and SFTP services.
For more detailed instructions on protecting your security, please refer to the following link below: https://www.asustor.com/en-gb/online/College_topic?topic=353
If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Click on the link below for more information and instructions to contact ASUSTOR for help with recovery.
https://www.asustor.com/en-gb/knowledge/detail/?id=&group_id=628
Deadbolt variants affected QNAP devices last month and Synology reported in September that a botnet was targeting their own NAS hardware, so the problem is hardly unique to ASUSTOR. Just as concerning to consumers should be that default configurations seem to have left users open to such attacks, even through proprietary software protocols such as EZ Connect.
At this point it seems unlikely that ASUSTOR users will be able to recover their data without stumping up the ransom, a fact that underscores why a NAS isn't necessarily a foolproof data backup solution.
SOURCES: Reddit via Tomshardware