What should I do if I find the NAS encrypted by Deadbolt?
Applicable Products
- Security
- Malware Remover
You may have received the following message:
Detected high-risk malware. To protect your device, please immediately update the firmware to the latest version, restart the device, and then perform a malware scan to remove the malware.
After investigation, we believe that the attack is related to QSA-21-57.
We strongly recommend performing the following steps:
Take a screenshot of the Deadbolt ransomware page and save the file to your PC.
Upgrade the NAS firmware to the latest version using one of the following methods, and reboot the NAS:
- Use Qfinder to upgrade the NAS firmware.
- Use the QTS web interface to upgrade the NAS firmware:
  - Access the QTS web interface by adding /cgi-bin/index.cgi after the URL https://NAS_IP or http://NAS_IP:8080. For example, if the NAS has the IP address 192.168.0.2, use https://192.168.0.2/cgi-bin/index.cgi or http://192.168.0.2:8080/cgi-bin/index.cgi.
  - Log on to QTS as administrator and upgrade the firmware via Control Panel > Firmware Upgrade.
Log on to QTS as administrator, go to the myQNAPcloud app > Auto Router Configuration, and disable Auto Router Configuration.
Go to Malware Remover and click "Scan". You should receive the messages "Detected and quarantined the DEADBOLT portal" and "Removed high-risk malware". Then reboot the NAS again.
Important: If you have a decryption key and need to access the portal, please refer to "Restore deadbolt page to decrypt files if I have correct password | QNAP".
To maximize security, disable port forwarding so that the NAS is no longer exposed to the internet, and follow the best practices for enhancing NAS security.