QNAP's forced security update stopped ransomware, but some users are angry

Daniel Sims

Posts: 525   +20
Staff
Why it matters: Last month, QNAP faced a security crisis when a ransomware group targeted its customers' network-attached storage (NAS) devices. It issued a security update that remediated the problem. However, the fix caused unexpected side effects for some.

Taiwan-based QNAP Systems has had to explain how and why it forced some of its customers to update the software on their NAS systems. While there was a clear need to stop ransomware that had already reached thousands of QNAP storage devices, many users felt they should have been given the choice, since every deployment has its own constraints.

The issues started in January when the Deadbolt ransomware group began infecting QNAP devices with file-encrypting malware. According to Malwarebytes, Deadbolt offered each affected user a decryption key for 0.03 bitcoin (about $1,100). It also offered to sell QNAP a universal decryption key, together with details of the zero-day exploit it had used, for 50 bitcoin (almost $2 million).

Towards the end of January, after issuing a warning to its users, QNAP pushed an automatic security update that addressed the exploit. However, the update was also applied to systems whose owners believed they had disabled automatic updates, which angered them.

Some users may have been running critical workloads that the unattended update interrupted. Worse, victims who had paid the ransom but received the update before decrypting their files could no longer use the keys they had bought from Deadbolt, because the update removed the ransomware's replacement login page, which was the interface through which the key was entered. Users also reported that the newer software version broke other functionality.

The blanket update was possible because QNAP's software has two separate auto-update settings: one keeps a system on the latest build, the other keeps it on whatever version QNAP currently marks as "recommended." The company delivered the security fix simply by changing which version was recommended. Users who had sat through several updates in a row may have turned off auto-updating to the latest version without realizing that the recommended-version channel was still enabled.
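To make the failure mode concrete, the following is an added illustration, not QNAP's code or settings format: it models the two independent auto-update switches described above, compares firmware versions in dotted form, and shows which devices in a constructed fleet get updated when the vendor re-points its "recommended" version. The channel names, version strings and settings layout are assumptions made for the example.

```python
"""
Two-channel firmware auto-update policy, modelled for illustration.

Assumptions (not from QNAP): versions are dotted integer strings such as
"5.0.0.1891", and a device has two independent toggles, one for "latest"
and one for "recommended". The vendor publishes both pointers in a feed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0.0.1891' -> (5, 0, 0, 1891). Rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class UpdatePolicy:
    auto_latest: bool        # "keep me on the newest build"
    auto_recommended: bool   # "keep me on whatever the vendor marks recommended"


@dataclass
class Device:
    name: str
    installed: str
    policy: UpdatePolicy


@dataclass
class VendorFeed:
    latest: str
    recommended: str


def pending_update(dev: Device, feed: VendorFeed) -> Optional[str]:
    """Version the device would install unattended under its policy, or None.

    Each channel is evaluated on its own: turning off 'latest' does not
    touch 'recommended', which is exactly the surprise described in the article.
    """
    current = parse_version(dev.installed)
    if dev.policy.auto_latest and parse_version(feed.latest) > current:
        return feed.latest
    if dev.policy.auto_recommended and parse_version(feed.recommended) > current:
        return feed.recommended
    return None


def unattended_channels(policy: UpdatePolicy) -> List[str]:
    """Audit helper: every channel that can still update the box without consent."""
    channels = []
    if policy.auto_latest:
        channels.append("latest")
    if policy.auto_recommended:
        channels.append("recommended")
    return channels


# Constructed fleet: all three boxes run the same (assumed) build.
FLEET = [
    Device("nas-a", "5.0.0.1850", UpdatePolicy(auto_latest=False, auto_recommended=True)),
    Device("nas-b", "5.0.0.1850", UpdatePolicy(auto_latest=False, auto_recommended=False)),
    Device("nas-c", "5.0.0.1850", UpdatePolicy(auto_latest=True, auto_recommended=True)),
]

# Constructed vendor feeds: before and after the vendor bumps "recommended".
FEED_BEFORE = VendorFeed(latest="5.0.0.1891", recommended="5.0.0.1850")
FEED_AFTER = VendorFeed(latest="5.0.0.1891", recommended="5.0.0.1891")


def fleet_updates(feed: VendorFeed) -> dict:
    """Map device name -> version it would pull for the given feed (None if nothing)."""
    return {dev.name: pending_update(dev, feed) for dev in FLEET}


if __name__ == "__main__":
    for label, feed in (("before bump", FEED_BEFORE), ("after bump", FEED_AFTER)):
        print(label, fleet_updates(feed))
    for dev in FLEET:
        print(dev.name, "unattended channels:", unattended_channels(dev.policy))
```

Running it shows that nas-a, which had only the "latest" switch turned off, is left alone until the vendor re-points "recommended", at which point it updates just like nas-c; only nas-b, with both channels off, stays put. The audit helper is the check worth running on a fleet: any device listing a channel can be updated without its operator's involvement.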

The two-channel design is meant to provide flexibility, but vendors usually respond to problems like this by notifying users of a security update and strongly recommending that they apply it. That way, users retain control over how and when their software is updated.


BadThad

Posts: 1,108   +1,304
WOW! I can only imagine the frustration of having a NAS system get encrypted by criminals, buying a key and then having the key be worthless and all your data gone.

DEATH PENALTY FOR HAXORS!
 

Bullwinkle M

Posts: 709   +601
I think it's very funny when you lose all your data due to a closed source / backdoor'd system created by the manufacturer of your garbage

Whenever you lose time, money and data because of a backdoor created by Microsoft, Cisco, QNAP or any other company, I find it hysterically funny that you continue to blame "Haxors" for taking advantage of the very same backdoor that those companies use to take advantage of you, yet you never blame the real perpetrators who caused this mess in the first place.

Keep buying that backdoor'd garbage
I Love this show!

Hahahahhahahahhahhahahhahahha
 

theruck

Posts: 548   +345
"before decrypting their files could no longer use the keys they got from Deadbolt."
I guess they can open a ticket to get support from Deadbolt on that
 

Puiu

Posts: 5,644   +4,608
TechSpot Elite
WOW! I can only imagine the frustration of having a NAS system get encrypted by criminals, buying a key and then having the key be worthless and all your data gone.

DEATH PENALTY FOR HAXORS!
It happened at work on 2 of these NAS devices... one is still encrypted, and for the other we got a key (paid the ransom), but nobody has time to decrypt all of the thousands of files, so we just do it when we need them.
 

Burty117

Posts: 4,507   +2,733
It happened at work on 2 of these NAS devices... one is still encrypted, and for the other we got a key (paid the ransom), but nobody has time to decrypt all of the thousands of files, so we just do it when we need them.
I'm unaware of the details but did this only affect devices that are externally facing? Or just having an internet connection was enough?

Out of our rather large client base, we didn't get a single one, but I also don't think any are externally facing.
 

Puiu

Posts: 5,644   +4,608
TechSpot Elite
I'm unaware of the details but did this only affect devices that are externally facing? Or just having an internet connection was enough?

Out of our rather large client base, we didn't get a single one, but I also don't think any are externally facing.
I don't remember all of the details, but yes, they were also accessible from the outside since back then we had some people working from home. And the attacks were from two different attackers that worked differently (hence why we only recovered one of them).
 

Raytrace3D

Posts: 342   +420
A good company policy would be, whatever value the ransoming group demands is the amount of money the company puts toward capturing the hacking group. I'd post that on the company's website. I hear 2M is a nice bounty and I'm sure a member of the group would be willing to turn his buddies in for that amount.
 

hwertz

Posts: 146   +81
Damned if you do and damned if you don't. I feel like a lot of the people who are complaining about a forced update would probably also be complaining if they didn't update and got ransomwared. (I do feel for those who apparently bought a key, then the key became invalid due to software update.)
 

Danny101

Posts: 2,026   +838
Talk about being between a rock and a hard place. Both sides are right.
1. No software vendor needs to have an inordinate share of the market.
2. Backups, backups, backups.
3. I prefer something I would call chain-of-web security, with each web designed to inspect a portion of the network, capture the malware that it finds, log it, and pass the rest of the traffic through, and with each succeeding web inspecting, cleansing and logging its portion, and so on. Ideally, each web can communicate while all of this is happening and do Smart Filtering. You won't get 100% of the speed, but hopefully close enough that it would be difficult to tell. Any internet user can use free DNS filters to at least clean some of the traffic coming to them. Some are better or worse than others, of course.