Any Network Attached Storage (NAS), and particularly those from QNAP, should not be exposed to the Internet. QNAP has issued a warning about allowing remote access to NAS systems, as a new type of ransomware, named DeadBolt, is actively seeking them out.
QNAP has issued a statement in response to the DeadBolt ransomware, which is hunting for NAS systems that are reachable “over the internet”. The ransomware isn’t complicated and relies on NAS systems that haven’t been updated. Moreover, improperly configured storage systems are generally easy to compromise.
Usually, a NAS is used for local storage over the LAN. However, many users either intentionally or inadvertently allow remote access. The DeadBolt ransomware seems to be scanning for any unsecured NAS systems. If a NAS is exposed to the internet and is unsecured, the ransomware encrypts the data stored on it.
It is not clear how, but the ransomware then communicates with the victims, informing them that their data has been encrypted. It is quite likely that the ransomware creators are leaving a note in plaintext on one of the compromised hard drives. QNAP has confirmed that the DeadBolt ransomware is demanding the ransom in Bitcoin.
The QNAP web console is fairly simple to navigate. The company is asking users to look out for the statement:
“The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP” on the dashboard.
If this statement appears anywhere on the dashboard, it is a clear indicator that the NAS is exposed to the Internet. QNAP is currently advising all NAS owners to take their NAS off the Internet. This would make the storage unavailable over the Internet, but local access will still be available. QNAP NAS devices run on the QTS operating system.
The company is even advising users to disable all port forwarding on the main router to which the NAS is connected, and to disable the UPnP function entirely. While taking such drastic steps might not be necessary, it is important to keep the NAS OS updated, and to recheck authentication as well as usage policies.
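The dashboard warning above only tells you what the NAS itself can see. A second place to look is the router: any static port-forward or UPnP-created mapping that points at the NAS is what actually puts it on the Internet. The following is an added example (not QNAP’s code or tooling) that audits a port-forwarding export for such mappings. The CSV layout, the NAS LAN address 192.168.1.50 and the management port numbers are constructed assumptions for illustration; the real values come from your own router and the NAS’s System Administration settings.

```python
"""Audit a router port-forwarding export for rules that expose a NAS
management interface to the Internet.

Added example, not QNAP code.  The export format, the NAS address and the
port numbers below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the NAS's LAN address and its management ports.  Replace with
# the values from your own NAS System Administration page.
NAS_LAN_IP = "192.168.1.50"
ADMIN_PORTS: Dict[int, str] = {8080: "HTTP", 443: "HTTPS"}

# Constructed sample export: ext_port,int_ip,int_port,proto,source
# 'source' is "static" for a rule an admin created and "upnp" for a
# mapping a LAN device opened itself via UPnP.
SAMPLE_EXPORT = """\
# ext_port,int_ip,int_port,proto,source
8080,192.168.1.50,8080,TCP,static
443,192.168.1.50,443,TCP,upnp
8096,192.168.1.20,8096,TCP,static
51413,192.168.1.50,51413,TCP,upnp
"""


@dataclass
class ForwardRule:
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str
    source: str  # "static" or "upnp"


def parse_rules(export: str) -> List[ForwardRule]:
    """Parse the constructed CSV layout, skipping blank and comment lines."""
    rules: List[ForwardRule] = []
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ext, ip, internal, proto, source = [f.strip() for f in line.split(",")]
        rules.append(ForwardRule(int(ext), ip, int(internal), proto.upper(), source.lower()))
    return rules


def audit(rules: List[ForwardRule], nas_ip: str = NAS_LAN_IP,
          admin_ports: Dict[int, str] = ADMIN_PORTS) -> List[dict]:
    """Return one finding per rule that forwards traffic to the NAS.

    Severity: "critical" for the management interface over plain HTTP
    (the exact case QNAP's dashboard warning describes), "high" for the
    management interface over HTTPS, "medium" for any other NAS service.
    Findings are ordered most severe first so the first entry is the one
    to remove immediately.
    """
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings: List[dict] = []
    for r in rules:
        if r.internal_ip != nas_ip:
            continue  # forwards to some other LAN host; out of scope here
        if r.internal_port in admin_ports:
            proto = admin_ports[r.internal_port]
            severity = "critical" if proto == "HTTP" else "high"
            reason = f"NAS management interface ({proto}) reachable from the Internet"
        else:
            severity = "medium"
            reason = f"NAS service on port {r.internal_port} reachable from the Internet"
        findings.append({
            "severity": severity,
            "external_port": r.external_port,
            "internal_port": r.internal_port,
            "via_upnp": r.source == "upnp",  # mapping survives only while UPnP is on
            "reason": reason,
        })
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_EXPORT)):
        tag = " (created via UPnP)" if finding["via_upnp"] else ""
        print(f"[{finding['severity'].upper()}] ext {finding['external_port']} -> "
              f"{NAS_LAN_IP}:{finding['internal_port']}: {finding['reason']}{tag}")
```

Every finding marked via_upnp will come back the moment a device on the LAN re-requests the mapping, which is why the advice is to disable UPnP on the router rather than just delete the individual mappings. An empty result from audit() is what you want to see after following QNAP’s guidance.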