Asustor NAS reportedly under ransomware attack, owners asked to take their devices offline

Humza

Posts: 1,019   +171
Staff member
PSA: Asustor NAS owners are being warned about a nasty ransomware, DeadBolt, that's attacking cloud-connected/online NAS and asking for 0.03 BTC to decrypt users’ content. If you’re running an Asustor device, you’ll want to disable the EZ Connect utility suspected of being vulnerable to the exploit and physically disconnect your NAS from the internet.

The DeadBolt ransomware, which has previously taken QNAP drives hostage, is now after Asustor devices and is encrypting files on internet-connected instances. NAS Compares reports how multiple owners have been affected by DeadBolt while the ransomware’s attack vector remains unknown.

The Asustor community forum is also populated with similar experiences, with users reporting high disk activity triggered by DeadBolt encrypting their files. Reddit user u/kabe0, who also fell victim to this attack, shared how other owners can detect the presence of this ransomware by logging into their NAS and searching for all files with the .deadbolt extension by typing this command:

sudo find / -type f -name "*.deadbolt"

Compromised NAS drives will also fail to function properly as DeadBolt is targeting both system and personal files. For affected users, the recommended course of action is to salvage unencrypted content and assess damage by plugging their NAS into another Linux instance and taking an external backup.

Unaffected owners, meanwhile, have been asked to disable Asustor’s EZ Connect remote access software, prevent unauthorized access by disabling SSH, turn off auto updates and configure their firewall to only allow LAN communication and block all incoming traffic from outside.

The latest attack serves as yet another reminder of the importance of offline backups and the risk that comes with the convenience of having your personal storage remotely accessible. Although not a victim of ransomware, some internet-connected WD drives caused similar headaches last year due to malicious software causing them to wipe all data and factory reset.

Asustor is yet to issue an advisory or respond with its own investigation of this attack to reveal details around the possible vulnerability, an upcoming software fix and/or a complete list of affected models.

Permalink to story.

 

Dimitriid

Posts: 2,216   +4,268
I bet QNAP owners will take theirs offline too just in case.

Seriously though these personal/small NAS devices are getting compromised so often I wonder how they can have the testicular fortitude to still charge full price for them new.

And yet you can't really find a convenient case/barebones on these specific form factors: they're always 200 bucks just for a case or imports with multiple problems fitting itx case (Which as you can see on the pic are far bigger than they need to be for just a personal NAS) etc.

Even so if any one of these companies would start selling these without an OS so you can just install truenas on your own they'd be an instant hit.
 

Lionvibez

Posts: 2,676   +2,451
I have an Asustor NAS but all of that stuff is turned off already no need for internet access to my device.
 

Theinsanegamer

Posts: 3,406   +5,713
Unaffected owners, meanwhile, have been asked to disable Asustor’s EZ Connect remote access software, prevent unauthorized access by disabling SSH, turn off auto updates and configure their firewall to only allow LAN communication and block all incoming traffic from outside.
This should all be common sense to any NAS owner in the first place.
 

Squid Surprise

Posts: 5,335   +4,980
I have a Synology one... and it is REALLY convenient to be connected to the internet, as I run my PLEX server on it... as well as Calibre with my e-book library...

While I have a separate backup of truly important files, movies and books are easy - but time consuming - to replace (I have dozens of TB worth of them).

I'm really hoping that Synology systems don't have any major exploits released to the hacking public...