QNAP's forced security update stopped ransomware, but some users are angry

Daniel Sims

Daniel Sims

Posts: 1,374   +43
Staff
Why it matters: Last month, QNAP faced a security crisis when a ransomware group targeted its customers' network-attached storage (NAS) devices. It issued a security update that remediated the problem. However, the fix caused unexpected side effects for some.

Taiwan-based QNAP Systems has had to explain how and why it forced some of its customers to update the software for their NAS systems. While there was a clear need to stop ransomware that had already reached thousands of QNAP storage systems, many users felt they should have been given a choice due to each one’s unique situation.

The issues started in January when the Deadbolt ransomware group began infecting QNAP devices with encryption malware. According to Malwarebytes, Deadbolt offered each affected user a decryption key for 0.03 bitcoin (about $1100). At the same time, it also tried to sell QNAP a universal decryption key and the details of the zero-day exploit Deadbolt used for 50 bitcoins (almost $2 million).

Towards the end of January, after issuing a warning to its users, QNAP issued an automatic security update that addressed the exploit. However, it did it in a way that updated some users’ systems even if they had disabled auto-update, which angered some.

Some users may have been running crucial processes, which the auto-update might have interrupted. Some of the ransomware victims who had paid the ransom but got the update before decrypting their files could no longer use the keys they got from Deadbolt. More recent versions of QNAP’s software may have also broken other functionalities.

The global updating was allowed because QNAP has two levels of auto-updates: a setting to keep a system updated to the latest build and one to keep it updated to a “recommended version.” The company issued the security update by changing which iteration was recommended. Some users who went through multiple system updates in succession may have disabled auto-updating to the latest version but not known about the auto-updates to the recommended build.

This system is designed to provide flexibility, but tech companies usually respond to similar problems by simply telling users about a security update and strongly recommending they apply it. At least in that way, users would have retained control of how and when the software was updated.

Permalink to story.

https://www.techspot.com/news/93220-qnap-forced-security-update-stopped-ransomware-but-users.html

 
WOW! I can only image the frustration of having a NAS system getting encrypted by criminals, buying a key and then having the key worthless and all your data gone.

DEATH PENALTY FOR HAXORS!
 
I think it's very funny when you lose all your data due to a closed source / backdoor'd system created by the manufacturer of your garbage

Whenever you lose time, money and data because of a backdoor created by Microsoft, Cisco, QNAp or any other Company, I find it hysterically funny that you continue to blame "Haxors" for taking advantage of the very same backdoor that those Companies use to take advantage of you, yet you never blame the real perpetrators who caused this mess in the first place

Keep buying that backdoor'd garbage
I Love this show!

Hahahahhahahahhahhahahhahahha
 
"before decrypting their files could no longer use the keys they got from Deadbolt."
I guess they can open a ticket to get support from Deadbolt on that
 
  • Like
Reactions: Danny101
BadThad said:
WOW! I can only image the frustration of having a NAS system getting encrypted by criminals, buying a key and then having the key worthless and all your data gone.

DEATH PENALTY FOR HAXORS!
Click to expand...
It happened at work on 2 of these NAS devices... one is still encrypted and for the other we got a key for (paid the ransom) but nobody has time to decrypt all of the thousands of files so we just do it when we need them.
 
Puiu said:
It happened at work on 2 of these NAS devices... one is still encrypted and for the other we got a key for (paid the ransom) but nobody has time to decrypt all of the thousands of files so we just do it when we need them.
Click to expand...
I'm unaware of the details but did this only affect devices that are externally facing? Or just having an internet connection was enough?

Out of our rather large client base and we didn't get a single one but I also don't think any are externally facing.
 
Burty117 said:
I'm unaware of the details but did this only affect devices that are externally facing? Or just having an internet connection was enough?

Out of our rather large client base and we didn't get a single one but I also don't think any are externally facing.
Click to expand...
I don't remember all of the details, but yes, they were also accessible from the outside since back then we had some people working from home. And the attacks were from two different attackers that worked differently (hence why we only recovered one of them).
 
  • Like
Reactions: Burty117
A good company policy would be, whatever value the ransoming group demands is the amount of money the company puts toward capturing the hacking group. I'd post that on the company's website. I hear 2M is a nice bounty and I'm sure a member of the group would be willing to turn his buddies in for that amount.
 
  • Like
Reactions: Charles Olson
Damned if you do and damned if you don't. I feel like a lot of the people who are complaining about a forced update would probably also be complaining if they didn't update and got ransomwared. (I do feel for those who apparently bought a key, then the key became invalid due to software update.)
 
  • Like
Reactions: Charles Olson
Talk about being between a rock and a hard place. Both sides are right. 1. No software vendor needs to have an inordinate share of the market. 2. Backups, backups, backups. 3. I prefer something I would call a chain-of-web security. With each web designed to inspect a portion of the network, capture the malware that it finds, logs, and pass the rest of the traffic through. With each succeeding web inspecting, cleansing, and logging its portion and on and on. Ideally, each web can communicate while all of this is happening and do Smart Filtering. You won't get 100% of speed, but hopefully close enough that it would be difficult to tell it. Any internet user can use free DNS filters to at least clean some of the traffic coming to them. Some are better or worse than others of course.
 
You must log in or register to reply here.

Similar threads

A
Some QNAP NAS devices affected by a critical vulnerability, updates available right now
Replies
4
Views
180
Puiu
Puiu
A
Ransomware operations made more than $1 billion in 2023
Replies
1
Views
142
brucek
brucek
midian182
LockBit website seized, operations disrupted in joint international law enforcement operation
Replies
4
Views
193
erickmendes
erickmendes

Latest posts

Back