QNAP Warns of Ransomware Attack on Storage Devices

QNAP Systems has detected a new ransomware attack on its network attached storage (NAS) devices. It’s urging all users to take immediate action.

QNAP said the new attack is by Deadbolt ransomware. The ransomware damages all the files available on the devices, adding the . deadbolt extension to each file during encryption.

“According to the investigation by the QNAP product security incident response team, the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series,” QNAP said in its alert. “QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the internet.”

QTS is the operating system for the NAS devices.

Based in Taiwan, QNAP offers NAS appliances used for file sharing, virtualization, storage management and surveillance applications. It works with resellers.

Several QNAP Storage Vulnerabilities This Year

Vulcan Cyber’s Mike Parkin

Mike Parkin is senior technical engineer at Vulcan Cyber.

“QNAP has seen several vulnerabilities surface this year, and this latest one reinforces two things,” he said. “First, stay up to date on your patches. And second, be very cautious about exposing your network storage devices to the open internet. Fortunately, patches are available and organizations that followed the previous guidance on mitigating internet exposure are at much lower risk.”

Digital Shadows’ Chris Morgan

Chris Morgan is senior cyber threat intelligence analyst at Digital Shadows.

“QNAP NAS devices have been a frequent target of ransomware groups, including by the QLocker and ech0raix ransomware,” he said. “The latest activity, which has been attributed to the Deadbolt ransomware, follows similar activity from Deadbolt in targeting QNAP devices in January 2022.”

Much of this activity surrounds the use of Universal Plug and Play (UPnP) protocol, Morgan said. It allows apps and other devices on a network to open and close ports automatically to connect with each other.

UPnP is used for a variety of purposes, including gaming and streaming content, he said. The protocol allows the convenience of quickly connecting devices to a network, but at a security cost.

“QNAP have clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled,” Morgan said. “Port forwarding, which also assists users in direct communication requests, should also be disabled. Other sensible steps for this attack, and other similar ransomware variants, can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates.”