No Network Attached Storage (NAS) device, especially one from QNAP, should be exposed to the Internet. QNAP has issued a warning about allowing remote access to NAS systems, as a new type of ransomware called DeadBolt is actively looking for such devices.
QNAP has released a statement in response to the DeadBolt ransomware, which is on the hunt for NAS systems that can be accessed “over the Internet”. The ransomware is not complicated and relies on NAS systems that are not updated. In addition, misconfigured storage systems are generally easy to compromise.
A NAS is usually preferred for local storage over the LAN. However, many users intentionally or accidentally allow remote access. The DeadBolt ransomware appears to scan for unsecured NAS systems. If a NAS is exposed to the Internet and is unsecured, the ransomware encrypts the data stored on it.
It is not clear how, but the ransomware then communicates with victims and informs them that their data is encrypted. It is quite likely that the creators of the ransomware leave a plain text note on one of the compromised hard drives. QNAP has confirmed that the DeadBolt ransomware demands ransom in Bitcoin.
The QNAP web console is quite easy to navigate. The company asks users to look out for the following statement on the dashboard:
“The System Administration Service can be accessed directly from an external IP address using the following protocols: HTTP”
If this statement appears anywhere on the dashboard, it is a clear indication that the NAS has been exposed to the Internet. QNAP currently advises all NAS owners to take their NAS off the Internet. This makes the storage unavailable over the Internet, while local access remains available. QNAP NAS devices run on the QTS operating system.
In fact, the company recommends disabling all port forwarding on the main router to which the NAS is connected, as well as disabling the UPnP function completely. While it may not be necessary to take such drastic steps, it is important to keep the NAS operating system up to date and recheck authentication and usage policies.
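To check whether UPnP has opened forwards to the NAS before disabling it, the router's mapping table can be listed and filtered for the NAS address. The following is an added example, not from QNAP or the original article; it assumes the listing layout printed by miniupnpc's `upnpc -l`, and the sample output and the NAS address `192.168.1.50` are constructed.

```python
import re

# Constructed sample in the layout assumed for miniupnpc's `upnpc -l`;
# all addresses are private/documentation ranges, not real hosts.
SAMPLE_UPNPC_OUTPUT = """\
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS web admin' '' 0
 1 TCP   443->192.168.1.50:443   'NAS https' '' 0
 2 UDP 51413->192.168.1.23:51413 'torrent client' '' 3600
"""

# One mapping line: index, protocol, external port, LAN address:port, description.
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

def parse_mappings(text):
    """Return one dict per port-mapping line; header lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"],
                "external_port": int(m["ext"]),
                "internal_addr": m["addr"],
                "internal_port": int(m["int"]),
                "description": m["desc"],
            })
    return mappings

def forwards_to(text, nas_addr):
    """Mappings that forward WAN traffic to nas_addr (the NAS on the LAN)."""
    return [m for m in parse_mappings(text) if m["internal_addr"] == nas_addr]

if __name__ == "__main__":
    nas = "192.168.1.50"  # hypothetical LAN address of the NAS
    exposed = forwards_to(SAMPLE_UPNPC_OUTPUT, nas)
    for m in exposed:
        print(f"{m['proto']} {m['external_port']} -> {nas}:{m['internal_port']} "
              f"({m['description']})")
    print("UPnP forwards to NAS:", len(exposed))
```

This only sees mappings created through UPnP; port forwards configured by hand in the router's own settings have to be reviewed there.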