Hacked by Deadbolt!

**Jayess64** · 12-06-2022, 12:02 PM

We were warned about this, and I thought I would be OK, but no...

On Friday evening my Asus Asustor NAS was hacked by Deadbolt and most (not all) files on it were locked. My use of the NAS is fairly basic - Windows system and data files (ie everything else) on my desktop, laptop and my wife's laptop are backed up to it, and it is also used for files that are shared among the the different PCs, including music, photo and video libraries. Because I am a bit paranoid about backups, the NAS itself is regularly backed up to a USB HD attached to the desktop - I am now glad to be paranoid. The NAS is never used to connect directly to the internet, and that led me to believe I was safe.

Interestingly, only the backup files (stored in a single "Backup" folder with subfolders for the different devices) were locked. The shared files are still accessible. The net result is that I have not lost anything that can't be recovered.

The real problem is that I am locked out of the set-up screens for the NAS. I am faced with a full screen telling me the data have been locked and to unlock it I must pay 0.03 Bitcoin to the hackers. By my reckoning that comes to a couple of thousand $NZ, and there is no way I will give them that. It would be cheaper to buy a new NAS.

My question is, is there any way of unlocking NAS setup? I realise that it is probably not simple, otherwise the hackers would not bother, but I would like to know what my options are.

**linw** · 12-06-2022, 12:31 PM

Interesting, as the warnings were for devices 'exposed to the internet'.

**zqwerty** · 12-06-2022, 12:37 PM

Have a read of this:

https://www.emsisoft.com/ransomware-...tools/deadbolt

**dugimodo** · 12-06-2022, 01:11 PM

Does yours have a reset button on the back ? should reset the password and network settings. See 2nd option here https://itenterpriser.com/how-to/how...r-asustor-nas/ worth a try maybe.

Edit: I see the reset button can be disabled so might not be any use

I had no Idea about this so thanks, my Asus NAS is currently updating to the latest firmware with a whole lot of security patches included.

I also have a QNAP NAS that hasn't been turned on in more than a year, at least I know it's secure

Replaced it with the Asus and never decided what to do with it.

**Jayess64** · 12-06-2022, 01:23 PM

Originally Posted by zqwerty

Have a read of this:

https://www.emsisoft.com/ransomware-...tools/deadbolt

Thanks, I had a look at that link. Problem is, it seems it will unlock the encrypted files, but that is not the issue for me. I need to be able to access the NAS setup software.

**Jayess64** · 12-06-2022, 01:28 PM

Thanks. Yeah, I thought of that about 15 minutes ago.

Problem solved? Unfortunately no, the reset button does a soft reset of the system, but does not affect the ransomware sitting there. I think need a factory reset, and this is provided for, but first you must log into the NAS and that is just what I can't do!

**Jayess64** · 12-06-2022, 01:30 PM

Originally Posted by dugimodo

Does yours have a reset button on the back ? should reset the password and network settings. See 2nd option here https://itenterpriser.com/how-to/how...r-asustor-nas/ worth a try maybe.

Edit: I see the reset button can be disabled so might not be any use

I had no Idea about this so thanks, my Asus NAS is currently updating to the latest firmware with a whole lot of security patches included.

I also have a QNAP NAS that hasn't been turned on in more than a year, at least I know it's secure

Replaced it with the Asus and never decided what to do with it.

Thanks. Yeah, I thought of that about 15 minutes ago.

Problem solved? Unfortunately no, the reset button does a soft reset of the system, but does not affect the ransomware sitting there. I think need a factory reset, and this is provided for, but first you must log into the NAS and that is just what I can't do!

**dugimodo** · 12-06-2022, 01:42 PM

Trying to make sense of the Asus help pages here https://www.asustor.com/en/knowledge...=&group_id=628
and here https://www.asustor.com/en/knowledge...6&group_id=630

They make no mention of log in issues, just tell you to unplug the ethernet and power down by holding the power button for 3 seconds, then the next page walks you through the initialization and update of the NAS, maybe powering it down triggers that ?

There is this farther down the second link

If the ransomware page remains after you connect to a network:

Please turn off your NAS, remove all hard drives and reboot.
When the initialization page appears, reinsert the hard drives.
Please follow the instructions above to update your NAS.

this will wipe everything by the looks

**Jayess64** · 12-06-2022, 04:43 PM

Originally Posted by dugimodo

Trying to make sense of the Asus help pages here https://www.asustor.com/en/knowledge...=&group_id=628
and here https://www.asustor.com/en/knowledge...6&group_id=630

They make no mention of log in issues, just tell you to unplug the ethernet and power down by holding the power button for 3 seconds, then the next page walks you through the initialization and update of the NAS, maybe powering it down triggers that ?

There is this farther down the second link

this will wipe everything by the looks

Thanks for that information. I looked at the links that you supplied, and my first impression was that were pretty opaque. I followed the procedures they mention (or at least my interpretation of them), and I must say that what I saw on my screen bore no relation to their diagrams. It was all to no avail, I'm afraid. Then I tried uninstalling the NAS controller software and reinstalling from the original CD. That came to halt when it asked me for a user-name and password - the name is 'admin', but I have no record of the default password (I wiped the password that I set yonks ago when I did the software reset earlier) and my attempts to guess it got nowhere.

I see no point in flailing around any further. The NAS is 5 years old, so I will replace it and be bit more aggressive with the protection settings.

One question that intrigues me is "Why me?" I don't really think I was targeted, so do the characters behind these events simply flood the web with their product that searches IP addresses for tell-tale signs that identify potential victims? Now, if Christopher Luxon wants to get tough on someone...

Thanks to all who showed interest in this situation.