IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

QNAP users angry after NAS drives are updated to combat DeadBolt ransomware

Concerns mount over the powers the NAS manufacturer has over users' products as users report non-consensual forced security updates

QNAP customers have expressed anger towards the company after it forced a security update on large numbers of its users' network-attached storage (NAS) drives.

The NAS manufacturer announced on Wednesday that DeadBolt ransomware was "widely targeting" QNAP drives and locking out users until they paid a fee in Bitcoin. Numerous users began reporting that they had fallen victim to the ransomware campaign earlier this week after losing access to files.

A query sent to internet-facing device scanner Censys revealed 3,687 devices have already been encrypted by DeadBolt. In response, QNAP took the controversial step to force-update every users' firmware to the latest version on Thursday.

"We are trying to increase protection against DeadBolt," said an official QNAP support spokesperson in response to one complaint. "If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.

"Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don't apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against DeadBolt and we hope they get applied right away.

"I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of DeadBolt and our desire to stop this attack as soon as possible that we did this."

QNAP's actions have been met with anger from the community. Some say users' NAS drives, many of which often have finely tuned and individualised configurations that break with certain updates, are just as vulnerable now as they were to DeadBolt if they didn't update to the latest, most secure firmware version.

"You may have had good intentions, but what you did was wrong," said one user in direct response. "You should have rolled out notifications for an emergency update or patch and let users decide.

"If users decide against the update and then get owned by Deadbolt, that is on them. By forcing the update, anyone who has lost data, as a result, is no better off than if Deadbolt had owned them, but worse you have opened QNAP up to legal liability for that loss."

Other users expressed concern over QNAP's ability to force a change on the hardware they own, without first asking permission. Users raised questions around what other powers QNAP has over users' NAS drives, and what the company can do with data stored on them.

For many, the only indication that an update was going to be applied was one short 'beep'. When users investigated what was happening, they found their drive in the middle of rebooting after downloading an update.

Despite the concern, many reports tell of positive experiences with the update, but given that NAS drives are notoriously laborious to update safely without compromising the intricate configurations users create for their individual environments, other users reported deliberately avoiding the update which was ultimately forced on them.

Timeline of .deadbolt attacks

On 10 January 2022, IT Pro reported QNAP's original security statement that it was aware of cyber attackers targeting its NAS drives with ransomware, urging users to update their firmware as soon as possible.

No details of the ransomware strain were reported at the time, nor was the scope of the attackers' targeting, but full details on how to secure drives from outside attacks were provided by the manufacturer.

On Tuesday 25 January 2022, individual and business users started reporting successful DeadBolt attacks with their files being replaced with DeadBolt versions of themselves. Among the victims was high-profile podcast host and MIT research scientist Lex Fridman, who provided screenshots of the messages displayed to users and ransom payments.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Users were asked for 0.3 Bitcoin (roughly £8,100) as a ransom demand. A separate message was also sent to QNAP itself, demanding a payment of 5 Bitcoin (roughly £136,500) for details of the supposed zero-day vulnerability used to exploit the NAS drives, or a total of 50 Bitcoin (roughly £1.3 million) for the universal decryptor and zero-day details.

"It makes me nauseous to say this, but this is real," said another user. "My first client just got hit. Files in File Station will have a .deadbolt extension on them. This client had a secure password, and 2 factor authentication set up. I have just reported this directly. I was expecting to have a nice week this week. I guess that won't be the case for me."

On Wednesday 26 January, QNAP release an official security statement urging users to update their devices and "fight ransomware together". The following day, reports started emerging of forced security updates.

A NASty trend

The targeting of QNAP's NAS drives is the latest episode in a recent trend of cyber attackers targeting internet-facing storage devices. In June 2021, Western Digital customers were similarly targeted with data-wiping malware.

Affected devices hadn't received security updates since 2015, at the time of the attack, with some users reporting total factory resets of their devices and others losing terabytes of data, IT Pro reported.

In response, Western Digital made the unorthodox recommendation to users that they simply unplug their storage devices to prevent from further malware attacks.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

QNAP NAS drives targeted by DeadBolt ransomware for the third time this year
ransomware

QNAP NAS drives targeted by DeadBolt ransomware for the third time this year

20 May 2022
Qnap TS-1264U-RP review: Space to spare
network attached storage (NAS)

Qnap TS-1264U-RP review: Space to spare

4 May 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
QNAP ransomware victims dealt double blow as firmware update hampers decryption
network attached storage (NAS)

QNAP ransomware victims dealt double blow as firmware update hampers decryption

1 Feb 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022