Tuesday, February 22nd 2022
Asustor NAS Products Hit by Deadbolt Ransomware Attack - Unplug Them Now
If you've deployed an Asustor-made NAS (Network Attached Storage) to access your treasure trove of files across the wires of the Internet, you should disconnect it it from the Internet as soon as possible. A number of Asustor users have taken to Reddit and the company's forums, claiming their Asustor-bound files have been claimed and encrypted by a ransomware attack through a Deadbolt payload. This is the same ransomware that wreaked havoc with QNAP's NAS devices a while back.
The attack infects the user's NAS and proceeds to encrypt its contents, leaving each user with a message pointing towards a unique Bitcoin address. The offer: receive the decryption key in exchange for 0.03 Bitcoin (~$1,102, ~€976) - the same value asked at the time of the QNAP attack. Interestingly, Asustor doesn't seem to have received the same offer the perpetrators put forward to QNAP: 5 Bitcoin (~$183,906, ~€162,267) in return for information for the exploit data (€162,799) - or a universal decryption key for all affected users for 50 Bitcoin (~$1,8 million). That last bit there serves to put pressure on the company to pay up for the affected users, which could themselves pressure the company to take the deal.
For now, Asustor hasn't issued any guidance to affected users other than safely powering-off and disconnecting their NAS from the networks until the company releases a fix (which form exactly this fix will take is a mystery). Users should also be contacted by an Asustor technician after they fill out a web form. It's speculated that the hackers gained access to the Asustor NAS products via their EZ Connect utility. And apparently Asustor's own product demo was hosted in a now compromised storage solution, as its Asustor Data Master (ADM) Live Demo has been brought down.
An official listing of affected products isn't currently available. However, affected users have collated a listing of sorts according to their own reports. In them, affected models so far seem to be restricted to the AS5304T, AS6204T, AS6404T, AS5104T and AS7004T NAS devices. Others, such as the AS5004T, AS6602T, AS-6210T-4K and AS6102T, are (at least so far) free of infection reports. Users within the forums are recommending that other Asustor-deploying consumers disable the EZ Connect utility, automatic updates and SSH, alongside blocking all NAS ports and only allowing connections from within the users' network. In this case, it's better to be safe than sorry: until a list of vulnerable devices is shared by Asustor, it's best to assume all models are vulnerable.
For users who had their 2-bay NAS setup in RAID-1, there's now an unofficial tutorial requiring a Linux-bound PC that aims to help you recover your encrypted files.
Sources:
Reddit, Asustor Forums, via Tom's Hardware
The attack infects the user's NAS and proceeds to encrypt its contents, leaving each user with a message pointing towards a unique Bitcoin address. The offer: receive the decryption key in exchange for 0.03 Bitcoin (~$1,102, ~€976) - the same value asked at the time of the QNAP attack. Interestingly, Asustor doesn't seem to have received the same offer the perpetrators put forward to QNAP: 5 Bitcoin (~$183,906, ~€162,267) in return for information for the exploit data (€162,799) - or a universal decryption key for all affected users for 50 Bitcoin (~$1,8 million). That last bit there serves to put pressure on the company to pay up for the affected users, which could themselves pressure the company to take the deal.
An official listing of affected products isn't currently available. However, affected users have collated a listing of sorts according to their own reports. In them, affected models so far seem to be restricted to the AS5304T, AS6204T, AS6404T, AS5104T and AS7004T NAS devices. Others, such as the AS5004T, AS6602T, AS-6210T-4K and AS6102T, are (at least so far) free of infection reports. Users within the forums are recommending that other Asustor-deploying consumers disable the EZ Connect utility, automatic updates and SSH, alongside blocking all NAS ports and only allowing connections from within the users' network. In this case, it's better to be safe than sorry: until a list of vulnerable devices is shared by Asustor, it's best to assume all models are vulnerable.
For users who had their 2-bay NAS setup in RAID-1, there's now an unofficial tutorial requiring a Linux-bound PC that aims to help you recover your encrypted files.
27 Comments on Asustor NAS Products Hit by Deadbolt Ransomware Attack - Unplug Them Now
I don't have to beg for some updates as streamlined Linux is really the right answer to feeling secure and it does fixes fast.
Also... you don't have backup if you don't have a backup of your backup.
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."
I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.
Cloud services are not cheap either. If you have data over 1Tb then things also get expensive, not even touching the topic about what they do with it. Seconds, most clouds are slow.
I have reused a lot of my old HW, so it cost me under 150e to get it run.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?
I just turned off my AS6210T with 8TBx10 Disks. The data is still safe.
Hopefully there will be update to mitigate the attract soon.
Just saw all my files got hit.
QNAP has had it too.
I guess Thecus might not, so far, as they're too small...
Maybe TerraMaster? But their OS is apparently pants.
Asustor is the same company as ASUS
They're actually closer to ASRock than Asus, if we're talking about HQ.
ASMedia is also not part of Asus, but they are part of the same group of companies.
It was back in 2010.
I banned them, closed all opened routes, and swear to never open a route on my local system.
It's damn too dangerous out there. My NAS will never be out there in the open.
Sorry for those who suffered from this attack, these blood-sucker can't get a proper activity as a job, they have to feed on others ...
They are talented ? Use it to make this shitty world a better place
And everything behind my router is closed to the internet. If I need to have access I then open a VPN server on the router and access can be granted that way. However I have no need for my NAS to have internet access so general security focus has me not worry about this at all.
Using a Asus NAS AS1004T V2
All I have to do is add the country code and it blocks the whole range for me. And this is done through the Skynet Firewall Add on for Asus merlin firmware couple clicks and its done.
If so doing it from the router sounds much more efficient since its covers everything that is on the network.