DeadBolt ransomware uses multitiered extortion scheme

Researchers at the cybersecurity firm Trend Micro have published an interesting report detailing the inner workings of the DeadBolt ransomware family known for a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices developed by QNAP Systems and Asustor. 

The group behind DeadBolt leverages a multitiered extortion scheme aimed at both the vendors and their victims, providing multiple cryptocurrency payment options.

“DeadBolt is peculiar not only for the scale of its attacks but also for several advanced tactics and techniques that its malicious actors have implemented, such as giving multiple payment options, one for the user and two for the vendor,” the researchers wrote.

It appears, however, that the payment options provided to the vendor are not usable due to the way the files are encrypted.

“Essentially, this means that if vendors pay any of the ransom amounts provided to them, they will not be able to get a master key to unlock all the files on behalf of affected users,” Trend Micro explains.

DeadBolt uses a configuration file that dynamically selects specific settings based on the vendor it targets, as well as a web UI that can decrypt victim data after the ransom is paid and a decryption key is provided, which eliminates the need for a victim to contact the ransomware actors.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key that would decrypt data for all victims.

“It should be noted that we were not able to verify how the alleged master key decryption works. In our tests, we found no evidence that such a decryption is even possible for files encrypted by DeadBolt. This is because AES is a symmetric encryption scheme and we have not seen any other data being added to the encrypted files. Notably, the “master key” supplied via the configuration file is never used in the encryption process,” the researchers said.
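The researchers' reasoning rests on a simple property: with a symmetric cipher, a second key can only unlock a file if the file (or something shipped with it) carries key material wrapped under that second key. The Go program below is an added illustration of that check, written for this article; it is not code from the Trend Micro report or from DeadBolt itself. It assumes AES-256-GCM and a constructed "wrapped key prepended to the file" layout as the hypothetical envelope format; the function names, sample plaintext and keys are all made up for the demonstration. `EncryptFlat` models a file encrypted directly under a per-victim key with nothing else appended, which is what the researchers observed; `EncryptEnveloped` models what a working vendor master key would require. `RecoverWithMaster` then shows that the master key succeeds only in the second case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const (
	keyLen   = 32 // AES-256 key size (assumed for the demonstration)
	nonceLen = 12 // standard AES-GCM nonce size
	tagLen   = 16 // AES-GCM authentication tag size
)

// Length of a per-victim key wrapped with seal(): nonce || key ciphertext || tag.
const wrappedKeyLen = nonceLen + keyLen + tagLen

// seal encrypts plaintext under key with AES-256-GCM, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails unless the key matches and the tag verifies.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// EncryptFlat models the observed behaviour: the file is encrypted under the
// per-victim key only, and no additional key material is stored with it.
func EncryptFlat(victimKey, plaintext []byte) ([]byte, error) {
	return seal(victimKey, plaintext)
}

// EncryptEnveloped models what a usable master key would require (hypothetical
// layout): the per-victim key wrapped under the master key is prepended to the file.
func EncryptEnveloped(masterKey, victimKey, plaintext []byte) ([]byte, error) {
	wrapped, err := seal(masterKey, victimKey)
	if err != nil {
		return nil, err
	}
	body, err := seal(victimKey, plaintext)
	if err != nil {
		return nil, err
	}
	return append(wrapped, body...), nil
}

// RecoverWithMaster attempts decryption with only the master key. It can succeed
// only if a wrapped per-victim key is actually present in the blob.
func RecoverWithMaster(masterKey, blob []byte) ([]byte, error) {
	if len(blob) < wrappedKeyLen+nonceLen+tagLen {
		return nil, errors.New("no room for a wrapped key: master key cannot help")
	}
	victimKey, err := open(masterKey, blob[:wrappedKeyLen])
	if err != nil {
		return nil, fmt.Errorf("no per-victim key recoverable under master key: %w", err)
	}
	return open(victimKey, blob[wrappedKeyLen:])
}

// ExtraBytes is the analyst's check: how many bytes does the encrypted file carry
// beyond nonce, payload and tag? Zero means there is nothing a master key could unwrap.
func ExtraBytes(blob []byte, plaintextLen int) int {
	return len(blob) - (nonceLen + plaintextLen + tagLen)
}

func main() {
	master := bytes.Repeat([]byte{0x11}, keyLen) // constructed sample keys
	victim := bytes.Repeat([]byte{0x22}, keyLen)
	pt := []byte("constructed sample file contents for the demonstration")

	flat, _ := EncryptFlat(victim, pt)
	_, err := RecoverWithMaster(master, flat)
	fmt.Printf("flat file: extra bytes=%d, master-key recovery error: %v\n", ExtraBytes(flat, len(pt)), err)

	env, _ := EncryptEnveloped(master, victim, pt)
	got, err := RecoverWithMaster(master, env)
	fmt.Printf("enveloped file: extra bytes=%d, recovered=%q, err=%v\n", ExtraBytes(env, len(pt)), got, err)
}
```

The point for an incident responder is the `ExtraBytes` test: if every encrypted file is exactly nonce plus payload plus tag, then no wrapped key exists to be unlocked by a vendor-level key, and a "master key" offer cannot deliver what it promises regardless of who pays.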

The report notes that less than 10% of DeadBolt victims actually paid the ransom. According to Trend Micro, the number of infections has been steadily declining since March 2022.

“However, with an increasing number of ransomware families being used to attack NAS devices, the number of NAS devices exposed to the internet is becoming even more alarming. At the time of this writing, we found that there are over 2,500 ASUSTOR and over 83,000 QNAP internet-exposed services,” the company has warned.
