Asustor NAS Products Hit by Deadbolt Ransomware Attack - Unplug Them Now

[Raevenlord]

If you've deployed an Asustor-made NAS (Network Attached Storage) to access your treasure trove of files across the wires of the Internet, you should disconnect it it from the Internet as soon as possible. A number of Asustor users have taken to Reddit and the company's forums, claiming their Asustor-bound files have been claimed and encrypted by a ransomware attack through a Deadbolt payload. This is the same ransomware that wreaked havoc with QNAP's NAS devices a while back.

The attack infects the user's NAS and proceeds to encrypt its contents, leaving each user with a message pointing towards a unique Bitcoin address. The offer: receive the decryption key in exchange for 0.03 Bitcoin (~$1,102, ~€976) - the same value asked at the time of the QNAP attack. Interestingly, Asustor doesn't seem to have received the same offer the perpetrators put forward to QNAP: 5 Bitcoin (~$183,906, ~€162,267) in return for information for the exploit data (€162,799) - or a universal decryption key for all affected users for 50 Bitcoin (~$1,8 million). That last bit there serves to put pressure on the company to pay up for the affected users, which could themselves pressure the company to take the deal.





For now, Asustor hasn't issued any guidance to affected users other than safely powering-off and disconnecting their NAS from the networks until the company releases a fix (which form exactly this fix will take is a mystery). Users should also be contacted by an Asustor technician after they fill out a web form. It's speculated that the hackers gained access to the Asustor NAS products via their EZ Connect utility. And apparently Asustor's own product demo was hosted in a now compromised storage solution, as its Asustor Data Master (ADM) Live Demo has been brought down.

An official listing of affected products isn't currently available. However, affected users have collated a listing of sorts according to their own reports. In them, affected models so far seem to be restricted to the AS5304T, AS6204T, AS6404T, AS5104T and AS7004T NAS devices. Others, such as the AS5004T, AS6602T, AS-6210T-4K and AS6102T, are (at least so far) free of infection reports. Users within the forums are recommending that other Asustor-deploying consumers disable the EZ Connect utility, automatic updates and SSH, alongside blocking all NAS ports and only allowing connections from within the users' network. In this case, it's better to be safe than sorry: until a list of vulnerable devices is shared by Asustor, it's best to assume all models are vulnerable.

For users who had their 2-bay NAS setup in RAID-1, there's now an unofficial tutorial requiring a Linux-bound PC that aims to help you recover your encrypted files.

View at TechPowerUp Main Site | Source

 

[Ferrum Master]

One of the reasons I build my own NAS.

I don't have to beg for some updates as streamlined Linux is really the right answer to feeling secure and it does fixes fast.

Also... you don't have backup if you don't have a backup of your backup.

 

[arroyo]

Quote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.

 

[Raevenlord]

Quote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.

I'm sorry to know you got hit by the ransomware attack, and I have corrected the affected models. However, there is no way as of yet to confirm that all models were affected.

 

[TheUn4seen]

There are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.

 

[Ferrum Master]

There are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.

OMV is really great for SOHO. My NAS consumes around 25W while idling. 5W of that are fans, keeping cool is the key to longevity. But I also my personal image host atop the Debian.

Cloud services are not cheap either. If you have data over 1Tb then things also get expensive, not even touching the topic about what they do with it. Seconds, most clouds are slow.

I have reused a lot of my old HW, so it cost me under 150e to get it run.

 

[arroyo]

I got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?

 

[comtek]

Thank you for the information since I haven't received any email regarding the incident from asus.
I just turned off my AS6210T with 8TBx10 Disks. The data is still safe.
Hopefully there will be update to mitigate the attract soon.

 

[BSim500]

Also... you don't have backup if you don't have a backup of your backup.

Indeed. NAS's are about redundancy of uptime vs drive failure, not redundancy of data in the event of whole NAS loss / compromise. Always backup your backup.

 

[JFuller]

Device AS5004T
Just saw all my files got hit.

 

[TheLostSwede]

Thank you for the information since I haven't received any email regarding the incident from asus.
I just turned off my AS6210T with 8TBx10 Disks. The data is still safe.
Hopefully there will be update to mitigate the attract soon.

Asustor ≠ Asus

 

[Solaris17]

Lololol man. The amount of people that expose storage to the internet is bewildering.

 

[Makaveli]

I have an Asustor nas but all external access is already turned off.

 

[zlobby]

Quote:
"In them, affected models so far seem to be restricted to the AS5304T, AS6404T, AS5104T, and AS7004T NAS devices. Others, such as the AS6602T, AS-6210T-4K, AS5304T, AS6102T, or AS5304T, are (at least so far) free of infection reports."

I do not get it. Its copy-pasting without ever read. Four your information, all devices are affected. I have AS6604T and AS6204T, both were encrypted.

Don't you run them behind a firewall? Or this attack vector relies on cloud connectivity?

Asustor ≠ Asus

Same sh!t anyway.

I got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?

Trust me, you don't want Synology either.

There are two types of peopla in this world. Ones who have a backup and ones who will.
Personally, i have an off-site cold storage thing. Simple as an Openmediavault box at my mother's place which turns on schedule once a week, syncs the home NAS and turns off again. Not the cheapest solution - hard drives are expensive - but works well for my needs.
Also, don't put your important data on an Internet-connected device. Firewall your NAS and get a Raspberry Pi to host your Owncloud if you really need such a thing.

Everything that will be missed deserves cold backup.

 

[TheLostSwede]

I got my files on offline backup once a month, so it was not a big drama for me.
But anyway I lost all trust for Asustor. Asustor VPN, excellent password, 2-factor authentication and still my devices were hacked. Most probably thru supply chain attack on "EZ Connect" service. Still no conclusive details how it was spreading.
QNAP is out, Asustor is out ... Synology will be the next one?

Synology was the first NAS maker to end up having ransomware issues.
QNAP has had it too.
I guess Thecus might not, so far, as they're too small...
Maybe TerraMaster? But their OS is apparently pants.

 

[DeeJay1001]

Asustor ≠ Asus

Asustor is a sub brand of ASUStek.

Asustor is the same company as ASUS

 

[TheLostSwede]

Asustor is a sub brand of ASUStek.

Asustor is the same company as ASUS

No, not the same company. They're part of the same group of companies, but they're a separate entity.
They're actually closer to ASRock than Asus, if we're talking about HQ.
ASMedia is also not part of Asus, but they are part of the same group of companies.

 

[DeeJay1001]

I have an AS3304T just recently setup. I did not have SSH or EZconnect enabled and WAS NOT affected by the attack. SO far I have not seen any user on an ARM based system affected only x86. That being said, I got a fresh full back up of all files on the NAS to an external device and the NAS has been powered down until there is more clarity around the situation.

 

[Renald]

The first time I opened a port on my firewall to the Internet for a simple game server, I got hit by 2 Chinese backbones 60.0.0.0 and 61.0.0.0 in less than a week, having around 5000 connections scanning for ports and admin access of whatever they can find.
It was back in 2010.

I banned them, closed all opened routes, and swear to never open a route on my local system.
It's damn too dangerous out there. My NAS will never be out there in the open.

Sorry for those who suffered from this attack, these blood-sucker can't get a proper activity as a job, they have to feed on others ...
They are talented ? Use it to make this shitty world a better place

 

[Makaveli]

The first time I opened a port on my firewall to the Internet for a simple game server, I got hit by 2 Chinese backbones 60.0.0.0 and 61.0.0.0 in less than a week, having around 5000 connections scanning for ports and admin access of whatever they can find.
It was back in 2010.

I banned them, closed all opened routes, and swear to never open a route on my local system.
It's damn too dangerous out there. My NAS will never be out there in the open.

Sorry for those who suffered from this attack, these blood-sucker can't get a proper activity as a job, they have to feed on others ...
They are talented ? Use it to make this shitty world a better place

China and a few other countries I have their whole IP address range blocked on my router.

And everything behind my router is closed to the internet. If I need to have access I then open a VPN server on the router and access can be granted that way. However I have no need for my NAS to have internet access so general security focus has me not worry about this at all.

Using a Asus NAS AS1004T V2

 

[DeathtoGnomes]

PeerBlock is a IP block utility with some control of ports. Its an ancient program, not sure how useful it is for anything now, but I imagine its easier than manually entering IPs into a router. I've used it since XP, and was happy with it.

 

[Makaveli]

PeerBlock is a IP block utility with some control of ports. Its an ancient program, not sure how useful it is for anything now, but I imagine its easier than manually entering IPs into a router. I've used it since XP, and was happy with it.

Who said anything about manually adding IP's

All I have to do is add the country code and it blocks the whole range for me. And this is done through the Skynet Firewall Add on for Asus merlin firmware couple clicks and its done.

 

[DeathtoGnomes]

All I have to do is add the country code and it blocks the whole range for me.

That works! wish peerblock had that option, I'd use it again.

 

[Makaveli]

That works! wish peerblock had that option, I'd use it again.

Peerblock sounds like an app you need to load on each device?

If so doing it from the router sounds much more efficient since its covers everything that is on the network.

 

[WhitetailAni]

Opening up your NAS to the whole Internet is like saying "'here's my address, but the door's locked haha you can't get' in surprise Pikachu face when someone breaks down the door"