Caution: Deadbolt Ransomware Attacking ASUSTOR NAS Devices

ASUSTOR NAS Devices Compromised by Deadbolt Ransomware

In a troubling development for cybersecurity, ASUSTOR network-attached storage (NAS) devices have become the latest targets of Deadbolt ransomware. This attack comes on the heels of recent incidents that affected QNAP NAS appliances, highlighting a worrying trend in cyber threats targeting storage solutions. The specific strain known as Deadbolt employs sophisticated methods to compromise systems, leading to full encryption of stored data and substantial ransom demands.

The ongoing threat has primarily impacted users of ASUSTOR NAS models that run the ADM operating system. Products including the AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T are particularly vulnerable when exposed to the internet. Cybercriminals are reportedly exploiting a zero-day vulnerability to facilitate their attacks, further raising concerns about the security of these devices. Victims are pressured to pay approximately 0.03 bitcoins, which equates to roughly $1,150, in order to regain access to their data.

In a separate communication, ransomware operators stated they could provide details of the underlying exploit if a payment of 7.5 BTC is made, revealing the complex negotiation strategy often employed in such incidents. They are also prepared to sell a universal decryption key for a staggering total of 50 BTC. Although the exact nature of the vulnerability remains unclear, it is suspected to be linked to the EZ Connect feature, which is designed for remote access. ASUSTOR has advised users to disable this feature as a precautionary measure.

In response to the rising threat, ASUSTOR has rolled out firmware updates aimed at resolving critical security issues. The company is urging users to fortify their defenses by changing passwords to strong alternatives, altering default HTTP and HTTPS ports—typically set to 8000 and 8001—and disabling unnecessary services, including Terminal/SSH and SFTP. They stress the importance of regular backups, advocating that users maintain up-to-date copies of their data to minimize potential loss.
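As an added example (not ASUSTOR's tooling and not code from the original article), the Python check below tests whether the services named in this advice still answer on a NAS you administer. Ports 8000 and 8001 are the defaults the article names; port 22 for SSH/SFTP and the placeholder address are assumptions.

```python
import socket

# Services the advice above says to move or disable.
# 8000/8001 are the ADM defaults named in the article; 22 is the standard
# SSH/SFTP port and is an assumption about the device's configuration.
ADVISED = {
    8000: "ADM HTTP on default port: change the port",
    8001: "ADM HTTPS on default port: change the port",
    22: "Terminal/SSH or SFTP reachable: disable if not needed",
}


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or unreachable: treat as not exposed from here.
        return False


def audit_nas(host, advised=ADVISED, timeout=2.0):
    """Return [(port, advice)] for each advised-against service that answers."""
    return [(port, advice) for port, advice in sorted(advised.items())
            if is_open(host, port, timeout)]


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation placeholder; pass your own NAS address.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    findings = audit_nas(host)
    for port, advice in findings:
        print(f"{host}:{port} reachable -> {advice}")
    if not findings:
        print(f"{host}: none of the checked services answered from this vantage point")
```

Run it once from inside the LAN to confirm the services are off or moved, and once against your public address from outside to see what the internet can reach. It only tests reachability, so the EZ Connect setting still has to be checked in ADM itself.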

It is essential to understand the tactics and techniques that adversaries may have applied in this attack. In MITRE ATT&CK terms, the attackers likely achieved initial access by exploiting vulnerabilities. The intrusion may also have involved persistence techniques to keep ongoing access to the compromised systems, and possibly privilege escalation to gain deeper control over the devices once infiltrated.

For users whose ASUSTOR NAS devices have already fallen victim to this ransomware, immediate action is necessary. Disconnecting the device from the network and safely powering it down are critical steps to prevent further damage. Importantly, users are advised against initializing their NAS, as this action would lead to irreversible data loss. Instead, they should seek assistance through official channels to navigate the recovery process.

This incident serves as a stark reminder of the growing threats against NAS devices and the persistent need for enhanced cybersecurity measures. Business owners must stay informed and proactive to secure their data against evolving cyber threats. Continued vigilance and adherence to best practices in cybersecurity will be crucial in mitigating the risks posed by ransomware and other malicious activities targeting storage systems.
