DEADBOLT

Malware

⚠️ Overview

DEADBOLT is a ransomware family first observed in late January 2022 that targets internet-exposed network-attached storage (NAS) devices, primarily QNAP models running QTS, with a second campaign against ASUSTOR NAS devices in February 2022. It is not attributed to any named threat group; the operators are financially motivated and demand Bitcoin in exchange for a per-device decryption key (0.03 BTC per victim in the original wave), and their ransom page also offered QNAP itself a "master key" for 50 BTC. The malware gains access by exploiting vulnerabilities in QNAP's own applications, so a device is at risk as soon as its web interface is reachable from the internet.

🔧 Technical Capabilities

DEADBOLT does not spread from device to device; each infection is a fresh exploitation of an unpatched NAS whose management interface is exposed to the internet. QNAP did not publicly name the vulnerability behind the January 2022 wave and instead force-pushed a firmware update to affected devices; for the September 2022 wave QNAP attributed the intrusions to CVE-2022-27593, an externally controlled resource reference in Photo Station that allows an unauthenticated remote attacker to modify system files. (CVE-2021-28799, an improper-authorization flaw in HBS 3 Hybrid Backup Sync, belongs to the earlier Qlocker campaign of April 2021 and is not a DEADBOLT vector.) Once running on the device, the ransomware encrypts user files with AES-128 in CBC mode using a per-victim key held only by the attacker, appends the .deadbolt extension (for example photo.jpg becomes photo.jpg.deadbolt), and leaves a ransom note on the storage volume. It has no command-and-control infrastructure: the binary is self-contained, and the only "channel" is the Bitcoin blockchain, where the operators return the 32-hex-character key in an OP_RETURN output of a transaction after payment is made. DEADBOLT also replaces the QTS web login page with its own ransom page, which contains a form for entering the decryption key; this modification of the web interface is the only system change documented in public analyses, and no separate persistence mechanism is needed because encryption runs in a single pass.

📜 History & Notable Incidents

DEADBOLT first appeared on 25-26 January 2022, when thousands of QNAP devices worldwide were encrypted within days (Censys observed about 5,000 infected devices in the first week); further waves followed through 2022, including the ASUSTOR campaign in February and a September wave exploiting CVE-2022-27593, and the number of infected devices visible on the internet had grown to roughly 19,000 by September 2022. Victims were overwhelmingly home users and small businesses whose NAS was reachable from the internet, typically through UPnP port forwarding. Two responses are worth knowing: Emsisoft published a decryptor in January 2022 for victims who had already obtained a key (QNAP's forced update removed the ransom page and with it the key-entry form), and in October 2022 the Dutch National Police, working with Responders.NU, recovered 155 decryption keys by submitting Bitcoin payments and cancelling the transactions before confirmation, since the operators' automated system released keys on unconfirmed payments. No master decryption key has ever been released.

🔍 Detection Indicators

DEADBOLT samples vary across waves and no single hash identifies the family, so hash-based detection should use current vendor feeds rather than a static value. Host indicators are far more reliable: a large number of files renamed with a .deadbolt extension in a short window, the ransom note !!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt in the root of the storage volume, and a QTS login page replaced by a ransom page (the original login form is gone and a key-entry field appears instead). Network detection is of little use because the malware has no C2: there are no callbacks or beacons, the Bitcoin address is printed in the ransom note and is never contacted over the network, and no characteristic User-Agent is documented. The exploitation itself, however, is visible as unauthenticated requests to the NAS web interface (Photo Station in the September 2022 wave) from the internet, so logs showing inbound hits on the QTS management ports from arbitrary external addresses are a strong precursor indicator.
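The host indicators above are easy to check automatically. The following script is an added example (it is not code from the original page or from any of the analyses it draws on): it walks a share, counts .deadbolt files and the original extensions they were renamed from, looks for the ransom note by the name reported in public analyses, and flags a "burst" when the encrypted files' modification times are tightly clustered, which is what a single encryption pass leaves behind. The ten-minute burst window and the constructed sample share created by build_demo_share() are assumptions chosen for illustration, not values from the page.

```python
"""Scan a share for DEADBOLT-style indicators (added example, not original code)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".deadbolt"
# Note name reported in public analyses; operators can change it, so treat as one signal among several.
RANSOM_NOTE_NAMES = {"!!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt"}
BURST_WINDOW_S = 600  # assumption: mtimes within 10 minutes look like one encryption pass


def scan_share(root, burst_window_s=BURST_WINDOW_S):
    """Walk `root` and return a dict of DEADBOLT-style indicators."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in RANSOM_NOTE_NAMES:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)

    # The original extension is whatever preceded ".deadbolt": photo.jpg.deadbolt -> .jpg
    original_exts = Counter(
        Path(p.name[: -len(ENCRYPTED_EXT)]).suffix.lower() or "<none>" for p in encrypted
    )

    # A single encryption pass leaves the encrypted files' mtimes tightly clustered.
    burst = False
    if len(encrypted) >= 2:
        mtimes = sorted(p.stat().st_mtime for p in encrypted)
        burst = (mtimes[-1] - mtimes[0]) <= burst_window_s

    return {
        "encrypted_count": len(encrypted),
        "original_extensions": dict(original_exts),
        "ransom_notes": [str(p) for p in notes],
        "burst": burst,
        "verdict": "infected" if (notes or encrypted) else "clean",
    }


def build_demo_share(dest):
    """Create a constructed sample share (placeholder bytes, not real victim data) under `dest`."""
    dest = Path(dest)
    (dest / "Photos").mkdir(parents=True, exist_ok=True)
    (dest / "Docs").mkdir(parents=True, exist_ok=True)
    for rel in ("Photos/holiday.jpg.deadbolt",
                "Photos/cat.png.deadbolt",
                "Docs/invoice.docx.deadbolt"):
        (dest / rel).write_bytes(b"\x00" * 64)
    (dest / "Docs" / "notes.txt").write_text("untouched file\n")
    (dest / "!!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt").write_text(
        "constructed placeholder note\n")
    return dest


def demo_infected():
    """Scan a constructed share that carries every indicator."""
    return scan_share(build_demo_share(tempfile.mkdtemp(prefix="deadbolt_demo_")))


def demo_clean():
    """Scan an empty directory, which must come back clean."""
    return scan_share(tempfile.mkdtemp(prefix="deadbolt_clean_"))


if __name__ == "__main__":
    import json
    print(json.dumps(demo_infected(), indent=2))
```

Run it against a mounted share (scan_share("/mnt/nas/Public")) rather than the demo tree; on a real incident the burst flag and the extension histogram tell you quickly whether the whole volume was hit or only a subset, which is the first question a responder gets asked.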

☠️ Risk & Impact

Without the per-victim key, encrypted data is unrecoverable: the cipher is sound and the key never exists on the device, so free decryption is only possible when a key is obtained some other way (a prior payment, or the keys recovered by Dutch police in 2022). The demand in the original wave was 0.03 BTC per device, roughly USD 1,100 at the time; reliable totals for what the operators collected across all waves have not been published, so aggregate loss figures should be treated as estimates. The impact falls mainly on home users and small businesses, for whom the NAS is often the only copy of photos and documents. DEADBOLT encrypts everything it can reach on the device, which includes backups stored on the same NAS or on drives attached to it; only backups held off the device, such as an offline copy or a separate system that the NAS cannot write to, survive.

🛡️ Mitigation

Mitigation starts with removing the device from the internet: disable UPnP on the router and on the NAS, remove any port forwards to the QTS management ports (8080 and 443 by default), and reach the device through a VPN or QNAP's myQNAPcloud Link relay instead of direct exposure. Keep QTS and its applications current; QNAP's advisory for CVE-2022-27593 (QSA-22-24) lists the fixed Photo Station versions for each QTS branch, and the Malware Remover and Security Counselor apps flag the known weak configurations. Maintain backups that the NAS cannot overwrite (a 3-2-1 scheme with one copy off the device, plus snapshots if the model supports them), because a compromised NAS runs the ransomware as root and read-only share permissions do nothing to stop it. For detection, map alerts to MITRE ATT&CK T1486 (Data Encrypted for Impact) and watch for mass file renames to .deadbolt and an unexpected change to the web login page.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.