Asustor NAS units getting hit by ransomware (updated)


After QNAP, it is now the turn of ASUSTOR NAS users. If you have an ASUSTOR unit connected to the web, please close down all ports at router level.



Since yesterday, many users have reported on social media that their NAS unit is encrypted with Deadbolt and that payment in bitcoin is required to unlock their files. Currently, the issues seem to stem from ASUSTOR's EZ-Connect service.

ASUSTOR has shut down that service on their side for now as well.

A DeadBolt attacker secures remote access to the victim's NAS, encrypts the data, and then demands a bitcoin ransom. Each victim is given a distinct Bitcoin address to which the funds should be transferred: 0.03 bitcoin, which is worth around $1,200 at the current market rate. Asustor users who sync their data from their NAS to a cloud service such as Microsoft OneDrive or Google Drive should immediately stop the connection. According to one Redditor, the encrypted data was immediately transferred to his OneDrive and Google Drive accounts by his infected PC. While he was successful in recovering the files from the former, he was unsuccessful in recovering the files from the latter.

The current recommendation is to unplug the NAS system from the Internet and wait for Asustor to address the problem. Owners believe DeadBolt obtained access using Asustor's EZ Connect software, which enables customers to connect to their NAS systems from anywhere in the world. Even the live demo of Asustor Data Master (ADM), the operating system for Asustor NAS systems, was not spared by DeadBolt.

Update: Asustor confirms that it is aware of the ransomware attacks and is looking into the matter. The company hopes to provide recovery firmware tomorrow that will allow affected customers to resume using their NAS. However, unless the user has a backup, lost files cannot be retrieved. It is unclear whether the recovery firmware also addresses the potential issue.

In response to Deadbolt ransomware attacks affecting ASUSTOR devices, the myasustor.com DDNS service will be disabled as the issue is investigated. ASUSTOR will release more information with new developments as we investigate and review the causes to ensure this does not happen again. We remain committed to helping affected customers in every way possible.
For your protection, we recommend the following measures:
Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.
 
For more detailed instructions on protecting your security, please refer to the following link below:
If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1.    Unplug the Ethernet network cable
2.    Safely shut down your NAS by pressing and holding the power button for three seconds.
3.    Do not initialize your NAS as this will erase your data.
4.    Click on the link below for more information and instructions to contact ASUSTOR for help with recovery.


It is uncertain whether all Asustor NAS devices are vulnerable to the DeadBolt attack. If you are one of the owners who did not become infected, one Redditor suggests taking certain precautions, such as removing EZ Connect, automatic updates, and SSH, blocking all NAS ports at your router, and allowing connections only from within your network.
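
One way to verify the precautions above on your own unit (an added example, not from ASUSTOR or the original article): the script attempts a TCP connection to each default port named in the statement and reports which ones still answer. The function names, the SSH port 22 and the placeholder address are assumptions; run it from inside the LAN to confirm the services are off, and from an outside connection against your public address to confirm the router blocks them.

```python
import socket
import sys

# Ports named in ASUSTOR's statement above. 22 is the standard SSH/SFTP port;
# that the NAS uses it is an assumption, so adjust if your unit differs.
DEFAULT_PORTS = {
    8000: "ADM web access",
    8001: "ADM web access",
    80: "remote web access",
    443: "remote web access",
    22: "Terminal/SSH and SFTP (assumed port)",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable, reset: nothing answered
        return "filtered"


def audit(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Return {port: (state, service)} for every port in `ports`."""
    return {p: (probe(host, p, timeout), name) for p, name in ports.items()}


def exposed(results):
    """Ports that still accept connections and need attention."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass your own NAS address.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = audit(host)
    for port, (state, name) in sorted(results.items()):
        print(f"{host}:{port:<5} {state:<9} {name}")
    still_open = exposed(results)
    print("still reachable:", still_open or "none")
    sys.exit(1 if still_open else 0)
```

If you have moved ADM to non-default ports as the statement recommends, pass your own `{port: label}` mapping to `audit` to check the new ports as well.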
