Tuesday, February 22nd 2022

Asustor NAS Products Hit by Deadbolt Ransomware Attack - Unplug Them Now

If you've deployed an Asustor-made NAS (Network Attached Storage) to access your treasure trove of files across the wires of the Internet, you should disconnect it it from the Internet as soon as possible. A number of Asustor users have taken to Reddit and the company's forums, claiming their Asustor-bound files have been claimed and encrypted by a ransomware attack through a Deadbolt payload. This is the same ransomware that wreaked havoc with QNAP's NAS devices a while back.

The attack infects the user's NAS and proceeds to encrypt its contents, leaving each user with a message pointing towards a unique Bitcoin address. The offer: receive the decryption key in exchange for 0.03 Bitcoin (~$1,102, ~€976) - the same value asked at the time of the QNAP attack. Interestingly, Asustor doesn't seem to have received the same offer the perpetrators put forward to QNAP: 5 Bitcoin (~$183,906, ~€162,267) in return for information for the exploit data (€162,799) - or a universal decryption key for all affected users for 50 Bitcoin (~$1,8 million). That last bit there serves to put pressure on the company to pay up for the affected users, which could themselves pressure the company to take the deal.
For now, Asustor hasn't issued any guidance to affected users other than safely powering-off and disconnecting their NAS from the networks until the company releases a fix (which form exactly this fix will take is a mystery). Users should also be contacted by an Asustor technician after they fill out a web form. It's speculated that the hackers gained access to the Asustor NAS products via their EZ Connect utility. And apparently Asustor's own product demo was hosted in a now compromised storage solution, as its Asustor Data Master (ADM) Live Demo has been brought down.

An official listing of affected products isn't currently available. However, affected users have collated a listing of sorts according to their own reports. In them, affected models so far seem to be restricted to the AS5304T, AS6204T, AS6404T, AS5104T and AS7004T NAS devices. Others, such as the AS5004T, AS6602T, AS-6210T-4K and AS6102T, are (at least so far) free of infection reports. Users within the forums are recommending that other Asustor-deploying consumers disable the EZ Connect utility, automatic updates and SSH, alongside blocking all NAS ports and only allowing connections from within the users' network. In this case, it's better to be safe than sorry: until a list of vulnerable devices is shared by Asustor, it's best to assume all models are vulnerable.

For users who had their 2-bay NAS setup in RAID-1, there's now an unofficial tutorial requiring a Linux-bound PC that aims to help you recover your encrypted files.
Sources: Reddit, Asustor Forums, via Tom's Hardware
Add your own comment

27 Comments on Asustor NAS Products Hit by Deadbolt Ransomware Attack - Unplug Them Now

#1
Ferrum Master
One of the reasons I build my own NAS.

I don't have to beg for some updates as streamlined Linux is really the right answer to feeling secure and it does fixes fast.

Also... you don't have backup if you don't have a backup of your backup.
Posted on Reply
#2
arroyo
Quote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.
Posted on Reply
#3
Raevenlord
News Editor
arroyoQuote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.
I'm sorry to know you got hit by the ransomware attack, and I have corrected the affected models. However, there is no way as of yet to confirm that all models were affected.
Posted on Reply
#4
TheUn4seen
There are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.
Posted on Reply
#5
Ferrum Master
TheUn4seenThere are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.
OMV is really great for SOHO. My NAS consumes around 25W while idling. 5W of that are fans, keeping cool is the key to longevity. But I also my personal image host atop the Debian.

Cloud services are not cheap either. If you have data over 1Tb then things also get expensive, not even touching the topic about what they do with it. Seconds, most clouds are slow.

I have reused a lot of my old HW, so it cost me under 150e to get it run.
Posted on Reply
#6
arroyo
I got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?
Posted on Reply
#7
comtek
Thank you for the information since I haven't received any email regarding the incident from asus.
I just turned off my AS6210T with 8TBx10 Disks. The data is still safe.
Hopefully there will be update to mitigate the attract soon.
Posted on Reply
#8
BSim500
Ferrum MasterAlso... you don't have backup if you don't have a backup of your backup.
Indeed. NAS's are about redundancy of uptime vs drive failure, not redundancy of data in the event of whole NAS loss / compromise. Always backup your backup.
Posted on Reply
#9
JFuller
Device AS5004T
Just saw all my files got hit.
Posted on Reply
#10
TheLostSwede
News Editor
comtekThank you for the information since I haven't received any email regarding the incident from asus.
I just turned off my AS6210T with 8TBx10 Disks. The data is still safe.
Hopefully there will be update to mitigate the attract soon.
Asustor ≠ Asus
Posted on Reply
#11
Solaris17
Super Dainty Moderator
Lololol man. The amount of people that expose storage to the internet is bewildering.
Posted on Reply
#12
Makaveli
I have an Asustor nas but all external access is already turned off.
Posted on Reply
#13
zlobby
arroyoQuote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.
Don't you run them behind a firewall? Or this attack vector relies on cloud connectivity?
TheLostSwedeAsustor ≠ Asus
Same sh!t anyway.
arroyoI got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?
Trust me, you don't want Synology either.
TheUn4seenThere are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.
Everything that will be missed deserves cold backup.
Posted on Reply
#14
TheLostSwede
News Editor
arroyoI got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?
Synology was the first NAS maker to end up having ransomware issues.
QNAP has had it too.
I guess Thecus might not, so far, as they're too small...
Maybe TerraMaster? But their OS is apparently pants.
Posted on Reply
#15
DeeJay1001
TheLostSwedeAsustor ≠ Asus
Asustor is a sub brand of ASUStek.

Asustor is the same company as ASUS
Posted on Reply
#16
TheLostSwede
News Editor
DeeJay1001Asustor is a sub brand of ASUStek.

Asustor is the same company as ASUS
No, not the same company. They're part of the same group of companies, but they're a separate entity.
They're actually closer to ASRock than Asus, if we're talking about HQ.
ASMedia is also not part of Asus, but they are part of the same group of companies.
Posted on Reply
#17
DeeJay1001
I have an AS3304T just recently setup. I did not have SSH or EZconnect enabled and WAS NOT affected by the attack. SO far I have not seen any user on an ARM based system affected only x86. That being said, I got a fresh full back up of all files on the NAS to an external device and the NAS has been powered down until there is more clarity around the situation.
Posted on Reply
#18
Renald
The first time I opened a port on my firewall to the Internet for a simple game server, I got hit by 2 Chinese backbones 60.0.0.0 and 61.0.0.0 in less than a week, having around 5000 connections scanning for ports and admin access of whatever they can find.
It was back in 2010.

I banned them, closed all opened routes, and swear to never open a route on my local system.
It's damn too dangerous out there. My NAS will never be out there in the open.

Sorry for those who suffered from this attack, these blood-sucker can't get a proper activity as a job, they have to feed on others ...
They are talented ? Use it to make this shitty world a better place
Posted on Reply
#19
Makaveli
RenaldThe first time I opened a port on my firewall to the Internet for a simple game server, I got hit by 2 Chinese backbones 60.0.0.0 and 61.0.0.0 in less than a week, having around 5000 connections scanning for ports and admin access of whatever they can find.
It was back in 2010.

I banned them, closed all opened routes, and swear to never open a route on my local system.
It's damn too dangerous out there. My NAS will never be out there in the open.

Sorry for those who suffered from this attack, these blood-sucker can't get a proper activity as a job, they have to feed on others ...
They are talented ? Use it to make this shitty world a better place
China and a few other countries I have their whole IP address range blocked on my router.

And everything behind my router is closed to the internet. If I need to have access I then open a VPN server on the router and access can be granted that way. However I have no need for my NAS to have internet access so general security focus has me not worry about this at all.

Using a Asus NAS AS1004T V2
Posted on Reply
#20
DeathtoGnomes
PeerBlock is a IP block utility with some control of ports. Its an ancient program, not sure how useful it is for anything now, but I imagine its easier than manually entering IPs into a router. I've used it since XP, and was happy with it.
Posted on Reply
#21
Makaveli
DeathtoGnomesPeerBlock is a IP block utility with some control of ports. Its an ancient program, not sure how useful it is for anything now, but I imagine its easier than manually entering IPs into a router. I've used it since XP, and was happy with it.
Who said anything about manually adding IP's :)

All I have to do is add the country code and it blocks the whole range for me. And this is done through the Skynet Firewall Add on for Asus merlin firmware couple clicks and its done.
Posted on Reply
#22
DeathtoGnomes
MakaveliAll I have to do is add the country code and it blocks the whole range for me.
That works! wish peerblock had that option, I'd use it again.
Posted on Reply
#23
Makaveli
DeathtoGnomesThat works! wish peerblock had that option, I'd use it again.
Peerblock sounds like an app you need to load on each device?

If so doing it from the router sounds much more efficient since its covers everything that is on the network.
Posted on Reply
#24
WhitetailAni
Opening up your NAS to the whole Internet is like saying "'here's my address, but the door's locked haha you can't get' in surprise Pikachu face when someone breaks down the door"
Posted on Reply
#25
Makaveli
RealKGBOpening up your NAS to the whole Internet is like saying "'here's my address, but the door's locked haha you can't get' in surprise Pikachu face when someone breaks down the door"
This applies to most things even using RDP and leaving it on the default port very dangerous. I don't allow anything to remote in unless I'm doing it thru vpn these days.
Posted on Reply
Add your own comment
Dec 21st, 2024 23:13 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts