QNAP has warned owners of its popular NAS units to check whether their devices are exposed to the Internet, as there’s a new type of ransomware going around that could jeopardize all of their stored data.
Dubbed “DeadBolt,” the ransomware has the potential to infect any QNAP NAS unit that is exposed to the Internet and encrypt its data for a Bitcoin ransom. An extensive thread on the official QNAP NAS Community Forum with nearly 300 posts includes stories from affected users who can no longer access their files.
“Hi, my QNAP NAS drive just got attacked by a ransomware that turned all my files to files with a .deadbolt extension,” reads the opening post. “Wondering if this is a new ransomware or if anyone has experience with this? I googled it and have not come up with anything as of yet. This seems more hardcore than qlocker, it seems to have taken over the NAS OS as well as encrypting my files, my drive login page has been hijacked by the ransomware into a page for inputting the decryption key.”
QNAP NAS owners can check whether their NAS units are exposed to the Internet by opening up the Security Counselor and checking whether there’s an entry that reads “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.” If so, QNAP has provided the following two steps for severing them from the Internet:
Step 1: Disable the Port Forwarding function of the router
Go to the management interface of your router, check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting for the NAS management service ports (8080 and 443 by default).
Step 2: Disable the UPnP function of the QNAP NAS
Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration”, and unselect “Enable UPnP Port forwarding”.
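To confirm that both steps took effect, the management ports can be probed from outside your own network (for example over a mobile hotspot) against your own public address. The Python script below is an added example, not QNAP's tooling; the function names and script name are illustrative, and the ports are the defaults quoted in Step 1.

```python
import socket
import sys

# Default NAS management ports named in Step 1 above.
MGMT_PORTS = (8080, 443)

def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        # A name that does not resolve is a usage error, not a port state.
        raise
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # Host or network unreachable: nothing answered on this port.
        return "filtered"

def check_exposure(host, ports=MGMT_PORTS, timeout=3.0):
    """Map each port to its state as seen from where this script runs."""
    return {port: probe(host, port, timeout) for port in ports}

def is_exposed(results):
    """True if any management port accepted a TCP connection."""
    return any(state == "open" for state in results.values())

if __name__ == "__main__":
    # Hypothetical script name; pass your own public IP or hostname.
    if len(sys.argv) < 2:
        sys.exit("usage: check_nas_exposure.py <your-public-ip-or-hostname>")
    results = check_exposure(sys.argv[1])
    for port, state in results.items():
        print(f"tcp/{port}: {state}")
    if is_exposed(results):
        print("Still reachable: recheck router port forwarding and NAS UPnP.")
        sys.exit(1)
    print("No management port answered from this vantage point.")
```

Running it from inside the LAN tells you little, because the router's port forwarding only applies to traffic arriving on the WAN side. If the management ports were changed from their defaults, pass those ports to `check_exposure` instead.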