QNAP NAS Attacked By Deadbolt AGAIN - What, When, How and Why?

  • Published on 22 Jul 2024
  • New Reports of Deadbolt Ransomware Attacks on QNAP NAS via Photo Station - nascompares.com/news/qnap-nas...
    It would appear that the Deadbolt ransomware attack that has been a persistent pain for QNAP (and other NAS brands) in 2022 remains current, with new reports emerging of further attacks on NAS systems in September 2022. The vulnerability reported as being exploited is in the QNAP Photo Station application, and although a day-one patch for the application has been issued for all QTS software versions in current use, users have still been hit in this new wave of attacks by the Deadbolt ransomware group. Although the scale of this latest attack does not match that of previous attacks by the group, it is worth highlighting that the way this ransomware deploys its encryption and presents itself to the user upon execution has changed a little, so even if you are not affected, it might still be worth getting clued up on this. In this article, I will cover everything that is known so far about the Photo Station vulnerability that was exploited, why Deadbolt is still a thing, how it attacks, what you can do to avoid it and what you can do if you have been hit.
    Vulnerabilities And Exploits On Synology & QNAP NAS - Stay Updated! - nascompares.com/2021/05/26/vu...
    NASCompares Free Advice Area - nascompares.com/contact-us/
    QNAP highlighted this vulnerability on their security advisory page under ID QSA-22-24 - www.qnap.com/en/security-advi...
    Asustor NAS Deadbolt Attack - nascompares.com/2022/02/21/as...
    Terramaster NAS Deadbolt Attack - nascompares.com/2022/03/01/te...
    Synology Synolocker Ransomware Attack - www.synology.com/en-uk/securi...
    Bleeping Computer article on the latest deadbolt attack - www.bleepingcomputer.com/news...
    nascompares.com/2022/09/06/qn...
    Video Chapters
    00:00 - GET YOUR BACKUPS IN ORDER
    00:58 - Introduction to Deadbolt and What Happened
    01:52 - Deadbolt and QNAP Photo Station
    02:40 - What Deadbolt Ransomware does to your NAS and Data
    03:40 - What Has Changed in Deadbolt Ransomware over time
    04:18 - QNAP's Response to Deadbolt Ransomware
    04:53 - How Does Deadbolt Ransomware Still Keep Getting Through?
    05:55 - My Painful Analogy
    07:00 - The REAL Problem that keeps allowing Ransomware to happen
    07:20 - What Ransomware Needs to Infiltrate Your System
    07:45 - Putting Ransomware Attack Frequency into Context
    09:00 - The Nature of Updates and Vulnerabilities
    10:00 - Why do people not install updates?
    10:35 - History of QNAP and Deadbolt
    11:05 - Why Have there been repeated Deadbolt Ransomware Attacks to QNAP NAS hardware in 2022?
    12:10 - Why are we seeing an increase in NAS Ransomware Attacks in 2022?
    13:34 - Disclaimer - Me trying to remain as neutral or impartial as I can be
    13:52 - What is QNAP's fault and where they went wrong?
    14:15 - App security and testing
    15:58 - Forced Updates?
    19:18 - Providing Tools and Services without consequence
    20:47 - What is Not QNAP's fault?
    20:55 - Backups are Your responsibility
    22:50 - Update Limits and safeguards on Internet Access
    24:05 - It is the Age of the internet!
    25:17 - Recommended Settings and Services you NEED to install, enable or disable
    Thanks for watching. Do you still need help? Use the NASCompares Free Advice section above. It is my free, unbiased community support system that allows you to ask me questions about your ideal setup. It is NOT a sales platform, NOT a way to push hardware you don’t need and, although it is just manned by me and might take a day or two for me to reply, I will help you any way I can. Below are some more popular guides.
    NAS Buyers Guide - Get It RIGHT First Time - nascompares.com/guide/nas-buy...
    Synology DSM or QNAP QTS in 2021/2022, Part I - nascompares.com/synology-vs-q...
    Synology DSM or QNAP QTS in 2021/2022, Part II - nascompares.com/synology-vs-q...
    Synology DSM or QNAP QTS in 2021/2022, Part III - nascompares.com/synology-vs-q...
    Mesh Routers VS Powerline Adapters And Wi-Fi Extenders - Buyers Guide 2021 - nascompares.com/2021/03/08/me...
    Or follow and speak with Robbie directly on his Twitter - / robbieonthetube
  • Science & Technology

Comments • 133

  • @SoCalVipers a year ago +6

    My QNAP is in the trash. They suck. I get constant email advertising new products, but not one email about ransomware that infected QNAP. Had they warned me, maybe I could have updated my QNAP before it was infected. Be careful how you back up your data. My QNAP was set up to automatically backup to a second QNAP NAS. The infected files overwrote the good files on the backup NAS. My third backup was Dropbox. Those files were overwritten too. Thankfully Dropbox has the ability to go back in time and all of my data on Dropbox was recovered. The bulk of my data on the NAS are movies in the MKV format, thankfully those were not infected.
    Any NAS or computer can be infected, but QNAP in particular suck as a company because of how poorly they handled it. It is as if they tried to hide it. DO NOT BUY QNAP.

  • @xkinformatica a year ago +1

    I've been hit by the last attack so I've followed your advice and isolated my Qnap from the internet as best as I could, I'm backing up my data as up for now, haven't checked but I'm pretty sure I'm good to go. You're the best, man

  • @colinlamond a year ago +2

    Perhaps QNAP is not for those of us who are not computer experts. Some of my files have been corrupted by DEADBOLT and I now have to recover them from lots of backup discs which will be a day's work. Suggestions about UPnP auto config tools and disabling SSH and Telnet services appear daunting to those of us not well versed in computer jargon. I would certainly "randomize port numbers" if only I knew how. I have tried to follow the advice given by QNAP and on this video but must confess, that for me, it is not easy to find the controls that will disable these things.

  • @georgeanthony6767 a year ago +5

    For many years now Why is NASCompares still always running defence and public relations for QNAP incompetence?

  • @EViL3666 a year ago +4

    I think this video fails to address the elephant in the room - Everything on the QNAP runs under a single SU account... meaning, all apps have access to all data. A fundamental security feature on Linux (and modern OSs) is the running of processes under separate accounts, which allows us to restrict what data they can access - meaning, if an app does have a vulnerability, the impact of an attack is minimised... but because QNAP do not use this, the fallout is basically nuclear!
    Synology know this, and have implemented this application segregation.. and the ridiculous thing is, QNAP also know this, they spoke about implementing it 4 years ago, they also spoke about moving to containers to provide application isolation... neither of these have seen the light of day.

  • @photomaster1 a year ago +3

    Thank you for providing well-needed information to the general public...

  • @COR0NAD0 a year ago +6

    This dude is on point and honest in the first 60 seconds! I admire his perspective and knowledge, keep it up brother.

  • @RynardMooreVstar1 a year ago +21

    I generally like QNAP's products -- but as a NAS user, I would not expose my equipment to external access for any reason and for any purpose. It may be an occasional hassle but, IMO, it's a big hassle to discover that your NAS has been taken over by a hacker. The other thing is that I am a former IT guy who has experienced a few situations where entire workplaces were shut down due to virus attacks. And I learned early on the hard way that the "that can't happen to me because I'm not a big corporation" factor is a big fallacy. Because it can and it did happen to me. Which brings me to this -- QNAP as well as all NAS manufacturers should do everything they can to ensure that end users understand the importance of securing their equipment. As well, there should be proper measures to ensure proper security measures are set up on a NAS -- like preventing use of a default admin account by forcing users to create an admin account which will have less likelihood of being attacked.

  • @christopherjackson2157 a year ago +19

    The defaults need to be biased towards security instead of ease of access. If QNAP wants these security issues to be the users' fault they should force the users to explicitly misconfigure their systems. Rather than misconfiguring the system on the users' behalf and then blaming the user for the fallout.

    • @MoonbeameSmith a year ago +1

      There's no reason they could not do Both. Start secure but be user friendly.. Right now they are neither

  • @iflaviorodrigo a year ago +2

    My understanding is that even if you follow all the security guidelines and update everything daily you would have fallen to the attack prior to Sept 3rd. Assuming you are using Photostation through the internet.

  • @gabrielwolfcolor a year ago

    Awesome as always! Thank you! 💘

  • @torresfamily5456 5 months ago

    just recently got the qnap love it it's been amazing, was wondering if i take all the precautions you say can i use the qlink?

  • @qksita a year ago +16

    There is some merit in saying "NAS should remain storage appliance, not as webserver / media server", but since virtually all NAS vendors market their products as such, I think it should be reasonable to expect they are hardened as such. System vendors should really restore the old way of calling a software bug a bug and FIX it, not some 'vulnerability' that sounds like a job for security experts to discover.
    I got hit myself in this wave, still I must respectfully disagree that "using well known port is dangerous". This is blaming the victim at best and misleading at worst. Everyone connects to youtube on port 443, and no one should underestimate the scale of challenge this site is facing every second. To continue the analogy, it won't offer you extra security by moving the front door to face the back street, or give it a camouflage paint. What matters is a quality door and lock, as well as to close & lock it properly in daily routine.
    Well I get the argument that thieves pick easy targets to begin with, yet lowering the chance of being attacked does not replace the need to get prepared for upcoming attacks.
    Technically the question is how QNAP handles traffic to port 443, or 80 or 8080 etc. Is it using the battle tested httpd to listen, to authenticate, and to reverse proxy request to actual apps? Why does it need a separate firewall app that is not turned on by default? I was surprised to see different QTS apps happen to be separate FCGI threads spawning off cgi-bin/ directly, and handle authentication individually. These imply each app running, and each app update, introduces new risk.
    Bottom line: I pay a premium for NAS appliance in exchange for peace of mind. This is a major let down.

    • @ss4717 a year ago

      someone who makes sense! ty

  • @TheBillclark2 a year ago +10

    It should be clear to everyone now that qnap is not up to the task for external access. It is just not worth it.

    • @Mike_Genisys 7 months ago

      And to force an update is a bit concerning if QNAP can do that remotely. If they can do that, what else can they do?

  • @ILikeIT-UK a year ago +2

    This has been said before on similar videos, but it is not good security practice to connect any device to an open internet connection. If the device or applications running on the device have vulnerabilities, or poor coding, then an external threat actor could exploit and compromise the device. My suggestion would be to enable the device firewall. Do regular patching, inc routers/modems/NAS, Disable UPNP, which can cause issues with online games services, but can help.

  • @pareetjshah a year ago

    Great video. At 27:25 you mentioned a video you did on security settings/randomising ports. Please can you post link. TY

  • @HTBLuVA 4 months ago

    For security reasons I blocked every internet-traffic in my QNAP VLAN using my firewall. When there are updates available I either put them in manually or change the firewall rules for some minutes. I am operating a cloud in a different VLAN, I never wanted my QNAP to be available thru the internet.

  • @sjors01 a year ago

    am I safe again if I delete or stop the photo app? on older drive NAS.

  • @zeekbruno4869 a year ago +1

    Thank you for this I was hit in Sept and my photos mostly traditional formats but most of my RAW files were not.
    EVERYTHING said here is accurate and correct . I travel on the months sept -Jan and enable MyQnap for remote access. When I went in to access files for Xmas photo book for family I found out I had been hit
    Also because I was running daily virus checks with Malware … it saw scanned the problem at 3am Sept 8 2022 and quarantined the virus… so make sure you have this running. I also had auto updates on firmware
    I have ripped out photo station for time being until I can get back to physical hardware. I hope this helps
    But this Video is exactly correct

    • @scottblackburn2969 a year ago

      My qnap does not have this issue it had a hardware failure. I'm trying to fix it

  • @AlejandroTaylorEscribano a year ago +2

    Is there a way to not expose my nas to the internet but have it on my local area network?

  • @kimsonvu 11 months ago

    Does Qnap OS have Reverse Proxy?

  • @nicobruyniks6741 a year ago

    I only use my QNAP NAS to store videos so I can watch them via Plex on my internal network. The router must have some open ports since it is needed for my security cameras (port 80 and 6036). It has taken me weeks to rip my DVDs to the QNAP and because of deadbolt, they are all useless now. So I can start again. I have a large house with IoP devices throughout. Any useful suggestions?

  • @DanielA23 a year ago

    That sucks. I was leaning this way over Synology due to the proprietary crap they seem to be missing ing to. I'm also looking to use this as an alternative to Google Photos and Amazon but it sounds like it isn't even close to secure.

  • @maxyang7919 a year ago +1

    My PhotoStation was not exposed to the internet but I still got hit by this wave. AND I had just updated my firmware a couple days before the attack. I do not think PhotoStation was at an older version at the time of the attack either (I cannot remember and be 100% sure, but I do not recall updating PhotoStation recently, and there is no pending update in AppCenter).
    Could it be Transmission from QNAP Club app source? The only ports open are Transmission and OpenVPN server.
    I did briefly open management web over 443 and forgot to turn it off. But that is not PhotoStation and at the time the firmware had already been updated to the latest version.
    Also the malware remover tool cannot find any malware. The anti-virus scan could not find anything related to DeadBolt.

  • @CaptZenPetabyte a year ago +2

    My Asustor was hit the first time around here in Australia. Before this time I HAD locked down my 6510T by IP address, was assisted by an Asustor tech to do so, ezconnect & unused services were not activated. After some investigation an Asustor tech admitted one of the attack vectors discovered was through their own automatic update system! You CAN'T protect against that!

  • @leexgx a year ago

    27:00 most of that is default and requires user to enable insecure setup (like you said have a backup like another nas that isn't a qnap or bunch of USB external hdds ideally 2 separate )

  • @dezejongeman a year ago

    QNAP has auto update on the OS and on the applications, but it is disabled by default. I use it on my NAS to keep my data more safe.

  • @EdKrisiak a year ago

    And I just ordered QNAP TS-251D today :(

  • @doctorkj5640 a year ago +4

    Synology should buy Qnap for their hardware. And by combining the best hardware with the best software you get the killer combo…

    • @doctorkj5640 a year ago

      @wojtek-33 I was joking, but yeah….you’re right.

  • @npapan a year ago

    What about the snapshot functionality that Synology has? Other than a HW failure would you consider it as an extra point of defence in case of data alteration?

    • @leexgx a year ago

      Qnap has snapshots as well (as long as you have 4gb or more installed) unsure when qnap did it but if you now setup a new volume smart snapshots is enabled by default (quite long 7d 4w 12m retention rule)
      A second nas with snapshots as well

  • @s0ulkiller a year ago +1

    As a long QNAP user, I remember when I was on a holiday and saw first Russian IP trying to breach the NAS, as a former IT guy I was watching all logs almost on a daily basis... In 10min I turned off NAS from the Internet and moved everything to local VPN gate closing all ports which were exposed to the internet... Not even 1 problem anymore. If somebody needs access from the Internet I turn on ports for the time of the access, and immediately turn them off once this person got what he wanted. I still can't believe in current environment people risk exposing NAS to full internet access... Regular QNAP patching to recommended software versions and regular router (Mikrotik) patching.

  • @carlosramos9301 a year ago

    i have both qnap and synology 2 units each. They crash and i mainly purchased to store data. Many headaches, moving forward it is cheaper to just buy a wd 20tb drive for $400ish. The unit with good drives is 1k+ . having a difficult time seeing the value. An old server is also cheaper.

  • @omgkingdano a year ago +2

    I think most folks need to educate themselves a bit more, but it's not all on the user.
    Also, using a VPN as the only way into your network is really the way to go IMO

  • @banderal-ali5066 a year ago

    I got hit today as I only found out when my plex server didn't show my library :(
    now all my files are encrypted by .deadbolt I contacted qnap support and got nothing.
    any way to decrypt my files or someone or firm that can help?

  • @kylehazachode a year ago

    I found the txt files in my /home folders for each user. Luckily my Nasbook wasn't encrypted. I setup firmware updates to check at 6am every morning and auto update all apps. I also deleted every app I don't use and have it set so that the NAS reboots every morning at 5:30am. I deleted the HelpDesk app. For some reason the latest firmware doesn't start the app automatically anymore, sounds suspect to me. My Nasbook seems to be ok. The only thing that bothers me is that the OS will randomly shut down but the router ports still active, maybe once a month. I'll have to unplug the Nasbook twice to get it running again.

  • @ss4717 a year ago

    btw I like the first 30 seconds!!!! I wish you could just add.....more info explaining the responsibility of the major brands! why should I be having to pentest.....neways

  • @UltimateAnarchy a year ago

    When he says "any NAS should not be ''directly'' connected to the internet" does that mean it is not behind a router? Also, I don't need SSL if I only connect to my NAS while I'm at home, connected to the NAS with my own wifi, right? I have telnet, ssh, etc., all disabled.

  • @r0tb3rt a year ago

    I've got a TS-653D not running any QNap apps whatsoever. External access possible but no standard usernames or passwords, no standard ports, 2FA, SSL cert etc pp.

  • @BrianSFischer a year ago

    I'm about to outmode my three redundant Drobo NASs (none have ever given me an issue, but it's time to move on). I have QNAPs in my shopping cart because I'm moving to a fast network.
    All I want is a simple NAS. How secure am I if I disable everything but basic functions?

  • @reinerheiner1148 a year ago +1

    Why not simply access the nas through a local vpn needed to gain access?

  • @sacundim a year ago

    Does the upgrade to the photo application in question actually require a reboot? If it does, that sounds like it's completely unnecessary.
    I'd add that the recommendation to create a low-privilege account to host individual apps sounds like it ought to be a QNAP recommendation - if it's their app, shouldn't their installers do that by default?

  •  a year ago +11

    The solution could be to split up updates in different categories ("Security", "Performance" and "Apps", for example) or based on their importance ("Critical", "Moderate" and "Optional"). And force the user to download the most important ones (following the examples, "Security" and "Critical"). And allow the user to choose the time he/she wants the NAS to reboot to apply the updates ("As soon as downloaded", "At 1AM", etc). I have a NAS for personal use and I would apply all of them and reboot as soon as possible. Besides, I think it would be a great idea if QNAP opens a Beta Program so people like me with a personal NAS can join it and get beta versions. Regards!

    • @Ken-xv4sb a year ago +1

      No, the solution is to not buy this off the shelf junk that is sold with security holes so it is "easy to access anywhere". This is why Synology, Asus, etc. get hit by this crap. They start with a mindset of "it has to be easy, and hopefully secure", because if it's not easy, their target audience will not buy them. TrueNas, OMV, or even just a straight linux install. All of these OS's start from the other direction... They start out secure, and you have to learn how to make them easy and functional...

    • @christopherjackson2157 a year ago +1

      The problem is that it can be very difficult to sort updates into one category or another or assess the risk they might pose. And it can be difficult to generalise that sort of assessment across different systems with different apps installed operating on networks that are configured differently. And remember that all the time spent making this sort of assessment is time not spent finding and patching the next bug. And there will always be a next one.

    • @leexgx a year ago +1

      Qnap already pre ticks recommended updates, which is where the forced update come from (but not major updates) but qnap did abuse the recommended updates on first deadbolt on forced upgrade to qts 5 from 4 (major update) and caused a crap load of problems for users and businesses who had secured/didn't enable external access and broke stuff or even their nas install in some cases

  • @danielgilleland8611 a year ago

    Can you do a video of your thoughts on TrueNAS and its place in this torrent of ransomware attacks? (see what I did with the word 'torrent' there ;)
    Also, could you share your thoughts of replacing OS in a QNAP box to TrueNAS?
    Thanks!

  • @jodajackson4489 a year ago +3

    Some really good points were made here. However, while the default Admin account should obviously be disabled the neophytes among us won’t necessarily know this. So it’s a fair point to suggest that it’s on QNAP for not forcing the user to change it at initial setup. They may do this now with the latest version of QTS / QuTS Hero but they didn’t always and as such they share some of the responsibility.

    • @ILikeIT-UK a year ago

      I know that if you have updated (not sure which version it started in), you cannot use the admin account and need to create your own administrator account. I did a rebuild recently.

    • @jodajackson4489 a year ago

      @ILikeIT-UK Sure, I could see that. For older systems that didn’t require the Admin account to be disabled, a Nag notification should be applied to all. I have a fairly new QNAP TS-653D NAS and it wasn’t compulsory at setup but for me it’s reflexive to make such changes.

  • @PGXX8 a year ago +1

    Snapshots should give us the ability to rollback in time and retrieve our data before it was encrypted by ransomware. Is taking snapshots regularly a reliable safety-net against ransomware? If a hacker has root access to the nas couldn’t he just delete all snapshots before and after encrypting all data?

  • @Captain.Scarlet a year ago

    I would also advise upping TLS to the highest version on your NAS or homebuilt, I don't agree with buying VPN, setup your own all vendors have OpenVPN (QVPN for QNAP) that way you don't rely on a third-party company

  • @carlosriquinha8036 a year ago

    I have been hit. Is there a way to fix this without ruining or losing all my data? Admittedly, I am a noob who thought of QNAP as a plug and play with all the appropriate security built in. Any help, would be very much appreciated.

  • @asdf51501 a year ago

    QNAP user here who has not been attacked by Deadbolt or any other ransomware as of yet. My devices are not accessible from the internet, and I have no QNAP cloud features turned on. And UPnP is always disabled everywhere.
    Just in case, however, I do have all my data backed up.

  • @blathum9 a year ago

    I wonder if most NAS units were just being used as a simple SAMBA file server if we would have all these attacks and vulnerabilities??

  • @TheMuso28 a year ago

    In the age of VPN technologies such as used by Tailscale, I think all NAS vendors from now on should integrate Tailscale or similar and offer an easy solution for remote access. Like what was said in this video, allow users to set up remote access with open ports, but warn them several times before allowing. Tailscale does not require any open ports on your router to the outside world, and even works through carrier grade NAT.

  • @chrisridesbicycles a year ago +1

    Unfortunately I must admit that I have not deactivated the default admin and don't have 2-step verification active. I once tried 2-step and it somehow stopped working after a few days and I was locked out. That's the reason why I fear disabling the default admin. Based on QNAP's software quality I fear losing access to my data due to messed up access rights. What is your advice? Start over again from scratch?

    • @guido100 a year ago

      I did deactivate the default admin and had a 2 step verification in place. Plus appointed a different port for the internet, since they advised not to use 8080. It was behind a hardware firewall. Still got the fucking DEADBOLT. I'm screwed

    • @guido100 a year ago

      BTW. For some reason the clock on the qnap is somewhat off. As soon as it is not synchronised to the clock on the device you use for your 2step verif, it doesn't work anymore.

    • @chrisridesbicycles a year ago

      @guido100 That was exactly why it didn't work when I tried.
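
The clock problem raised in this thread follows from how time-based one-time codes work. The Python example below is added here and is not QNAP's code: it implements standard RFC 6238 TOTP and shows a correct code being rejected once the verifier's clock drifts past the accepted window. The window size QNAP uses is not stated on this page, so `window` is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the RFC 6238 default time step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 over the 30-second step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Accept codes from the current step or `window` steps either side.

    Returns the step offset that matched, or None when nothing matched.
    `window` is an assumed policy value, not a documented QNAP setting.
    """
    for offset in range(-window, window + 1):
        candidate = totp(secret, server_time + offset * STEP)
        if hmac.compare_digest(candidate, code):
            return offset
    return None


def drift_report(secret: bytes, phone_time: int, nas_clock_error_s: int,
                 window: int = 1):
    """Phone has the right time; the NAS clock is wrong by nas_clock_error_s."""
    code = totp(secret, phone_time)
    return verify(secret, code, phone_time + nas_clock_error_s, window)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    phone = 1111111109                 # RFC 6238 test time, 1 s before a step ends
    for error in (0, 2, 30, 120, 300):
        result = drift_report(secret, phone, error)
        status = "accepted" if result is not None else "REJECTED"
        print(f"NAS clock off by {error:>3}s -> {status} (step offset {result})")
```

Keeping the NAS synchronised to an NTP server and storing the recovery codes offline addresses the lockout described above without disabling 2-step verification.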

  • @MCUU-ACRE 5 months ago

    Great Video content. Fire your editor though. You need to use the "clap" method if he's struggling to sync the audio to the video.

  • @richardaphillips a year ago

    Qnap make amazing kit. I’ve been running them for over ten years without any major issues - the minor ones being due to the hardware slowly getting older and associated problems with that such as firmware updates requiring manual steps to install (although big kudos for them still releasing security updates for my ancient systems), and lack of support for larger drives. Yes, I’ve recently bought another one.
    I am impressed with what you can do with their NAS systems *but* as much as it is tempting to use these extras I never would. Years before this deadbolt etc thing happening I was recommending people not to use the remote features. That is not because I specifically don’t trust QNAP to get things right. I would not trust any third party to be able to ensure that there are no holes or backdoors. That includes, by the way, systems such as Teamviewer. Responsibility for the security of my data on my network is up to me - if I hand any of that over to anyone else then that is an act of faith that I am not willing to take. The risk vs reward does not add up.
    My recommendation is yes to ensure that your devices are patched and kept up to date, but I would also recommend to not directly expose anything like that to the internet. Rather, I use a VPN to get to my network and from then on it is like I am at home. For a ‘hacker’ to get to my data, they would need to be able to get in through that one hole that is as secure as I can possibly make it.
    The other recommendation is to not focus on backups to prevent loss of data due to a hack. That is a concern of course, but there is also a big risk of loss of data due to hardware failure. I have seen total data loss due to two disks failing in a RAID, data loss due to corruption, even a direct lightning strike (although in that case I was able to recover the data through some miracle). Backup because bad stuff happens - like insurance, you may not need it but it is really good to have just in case. Also make sure there is an air gap between at least one of your backups - I have seen data loss due to the corrupted data being backed up over good. Minimum I would suggest would be to have two backups - one where all the data is regularly backed up to a second device on site (maybe an old NAS with drives in a RAID0 array) that is usually physically disconnected when the backups are not running, and the other to a remote site such as a cloud service. Note that you may have a huge amount of data that could be backed up - and to do that to a cloud service might take an inordinate amount of time as well as cost a fortune - but you can also structure your backups so you only backup what you really need eg family photos and important documents that cannot be replaced. Local copies of most movies, for example, can always be ripped again from the originals or simply watched from streaming services.
    Finally, I would note that I do like being able to install updates based on my own schedule. If they are forced by default (and I agree that is a good setting for most people) at least provide me with the option to turn off forced updates and perhaps just pester me. This enables me to ensure I have backed up my data before an update is applied. Yes the updates should be applied, but I have seen issues - not with Qnap, but that doesn’t mean it couldn’t happen - where a device is basically bricked after a failed update. I know that I should have a fairly recent backup, but I would rather do it when I know I have a valid and current backup just in case. :-)
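
The failure several commenters describe, where an automatic sync copies encrypted files over the good backup, can be caught before the copy runs. The Python sketch below is an added example, not code from the video, NASCompares or QNAP: it refuses to sync when files carry the `.deadbolt` suffix mentioned in the comments or when too many previously backed-up files have changed. The 30% threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

RANSOM_SUFFIX = ".deadbolt"   # extension reported in the comments on this page
MAX_CHANGED_RATIO = 0.30      # assumed threshold; tune it to your normal churn


def build_manifest(root):
    """Map each relative file path under root to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def assess(source_manifest, backup_manifest):
    """Return (ok, reason); refuse when the source looks mass-encrypted."""
    flagged = [p for p in source_manifest if p.lower().endswith(RANSOM_SUFFIX)]
    if flagged:
        return False, f"{len(flagged)} file(s) carry the {RANSOM_SUFFIX} suffix"
    if backup_manifest:
        # Files already in the backup that are now missing or differ in content.
        damaged = [p for p, h in backup_manifest.items()
                   if source_manifest.get(p) != h]
        ratio = len(damaged) / len(backup_manifest)
        if ratio > MAX_CHANGED_RATIO:
            return False, f"{ratio:.0%} of backed-up files changed or vanished"
    return True, "ok"


def guarded_backup(source, backup):
    """Copy new or changed files only if assess() passes; never delete."""
    src_m = build_manifest(source)
    bak_m = build_manifest(backup) if os.path.isdir(backup) else {}
    ok, reason = assess(src_m, bak_m)
    if not ok:
        return False, reason
    for rel, digest in src_m.items():
        if bak_m.get(rel) == digest:
            continue
        dest = os.path.join(backup, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(source, rel), dest)
    return True, reason


def demo():
    """Constructed scenario: first run, a normal edit, then mass encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = os.path.join(tmp, "share"), os.path.join(tmp, "backup")
        os.makedirs(src)
        for i in range(4):
            with open(os.path.join(src, f"photo{i}.jpg"), "wb") as fh:
                fh.write(b"original image %d" % i)
        first = guarded_backup(src, bak)
        with open(os.path.join(src, "photo0.jpg"), "wb") as fh:
            fh.write(b"edited image 0")          # 1 of 4 changed: normal churn
        edit = guarded_backup(src, bak)
        for i in range(1, 4):                    # simulated encryption + rename
            old = os.path.join(src, f"photo{i}.jpg")
            with open(old + RANSOM_SUFFIX, "wb") as fh:
                fh.write(os.urandom(32))
            os.remove(old)
        attack = guarded_backup(src, bak)
        with open(os.path.join(bak, "photo1.jpg"), "rb") as fh:
            survived = fh.read() == b"original image 1"
        return first, edit, attack, survived


if __name__ == "__main__":
    print(demo())
```

A guard like this only protects the copy step; the backup target still needs versioning or to be disconnected between runs, as the comment above recommends.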

  • @phildegruy9295 a year ago

    Question:
    Is there a way to completely remove QTS from the QNAP server and install something else such as TrueNAS on the metal even if that means having to install a new DOM or is the BIOS so proprietary it can't be done without a board swap? Yes it would no longer be QNAP but I feel it would be much more secure and I could at least keep the servers updated without having to buy all new hardware.
    The QNAP systems should be forbidden from access to and from the cloud, remote access of any kind or via the internet in any way such as api's, by out of the box default. The administrator should have to manually configure any setups after acknowledging warnings and security should be enforced period.
    I try to keep all my equipment up to date on firmware (including routers, switches, etc.) but QNAP makes even this hard by deciding to not support older enterprise (their term for rack mount) systems and I really don't believe their reasoning on this either. I have a rack mount server 4.36.2050 (5-26-2022) which they rarely update firmware on; only doing so as an afterthought. The other is newer and still gets the newest updates. I have removed most of the remote access apps from both servers and have done QNAP's suggested disabling of stuff, changing settings etc. I do have a few cloud apps still in use, but am thinking of moving away from those too to an external program I use.

    • @leexgx 1 year ago +1

      As long as you have a video out on your QNAP you can boot off a USB stick to install TrueNAS (I used a USB external caddy with a random SSD installed in it).
      My QNAP by default (which isn't good) booted off my USB stick and I didn't need to go into the BIOS (you just ignore the USB 1-4GB DOM when installing TrueNAS and don't format it). I have now got a 32GB USB DOM installed and will install onto it soon.

  • @asianboss6355 1 year ago +1

    Starting to think QNAP is skimping out and not paying top dollar in their security department. Maybe increase your expenses in the security department and this type of crap will happen less frequently or not at all.

  • @Jeff-rg9io 1 year ago +6

    When you have 80TB of data to back up it's not cheap to back up either locally or in a cloud service.

    • @KillerTrap 1 year ago +1

      this right here...I've got less than half of that and it takes time and money to back it up

    • @sliceofmymind 1 year ago +2

      You have the money to buy enough hardware for an 80TB storage solution but not enough to back up your most important data. That's perplexing.

    • @Jeff-rg9io 1 year ago

      @sliceofmymind Just bought the NAS, and the OS drives are on the way, the spinners will take another 3 months to purchase. I am looking for space and that's a one-time cost; the online backup will be recurring charges which I don't want to commit to at this time.

    • @ss4717 1 year ago

      @sliceofmymind gfy

    • @ss4717 1 year ago

      @sliceofmymind gffy

  • @ob6565 1 year ago

    Fingers crossed that I did my backup properly...I just got hit. What a pain in the a$$!!!! And yes...firmware updated...just forgot my new router had UPnP enabled.

  • @davebing11 1 year ago +1

    It would be perfect if they had an option of 'file storage only'. I could sell 25 a year if that was an actual option. Locking everything down is nearly impossible.

  • @DanielA23 1 year ago

    Always update if the update is security related at all.

  • @lohnro 1 year ago

    I can confirm that this deadbolt attack occurred at 9pm on Saturday night Australia EST, I was at work. I agree with you but there are issues with their firmware updates... my NAS was telling me there were no firmware updates when there actually were in August. You are correct there are several simple solutions but the ultimate protection is the 321 backup. I also found that it's probably a good idea to reinitialise your NAS after a deadbolt attack and restore from a backup... this is because there are issues with the QNAP operating software.

  • @jodajackson4489 1 year ago

    It's a pity. There are some really robust older QNAP NAS models (rack mountable too) that have better specs than many of the newer retail models going for a song on eBay... but aren't upgradable to the latest QTS version. Practically criminal it is, real shame that. What with QNAP vulnerabilities as they are, you might as well pay the ransomware attackers in advance...

    • @silverbackag9790 1 year ago

      Couldn't you just use something like pfsense and/or Netgate as the router and OpenVPN or Wireguard for outside access?

  • @AvengeTheTECH 1 year ago +1

    It's all good sitting in the ivory tower surrounded by free NASs, however if someone spends 2k plus on a NAS, e.g. 8, 12, 16 bay, you're not going to have a USB HDD to back up to as you're invested in a beast system which one would hope has security features to block or apps to under scans etc. QNAP need to work better with the Linux distributor or change the flavour or OS they use.

  • @MoonbeameSmith 1 year ago

    What if the NAS manufacturers created an auto update that only accesses their site, but otherwise disallows internet access altogether?

  • @wanbobo1344 1 year ago +3

    I feel so desperate for QNAP for their products which are frequently subject to ransomware attacks with no solution. I think it's the right time to shift to another brand of NAS for better protection of NAS data.

  • @darrenanton2898 1 year ago +1

    How about a good video class (long and lots of detail) on secure HTTPS connections, SSL certs and the like?
    I know QNAP installed a default secure certificate but that's all I know. I did not do anything to set it up. 100% lost on that stuff.

  • @Jeff-rg9io 1 year ago

    But thanks for the update.

  • @scottblackburn2969 1 year ago

    A backup is not a backup if it is online

  • @gswan666 1 year ago +2

    I got hit with DEADBOLT on Saturday night. I was patched up to the most recent patch and thought that my QNAP was not able to be seen from the outside world. I had my data on another USB hard drive as backup and a number of snapshots on the QNAP.
    I reverted to the most recent snapshot on a volume level, as I thought that this was the best way to recover, and was able to get back in and files were back. Changed my password and reinstated 2 factor authentication.
    The 2 factor came in clutch as on Monday afternoon my phone pinged and it was the 2 factor pinging with an authentication code, which they weren't getting.
    Do you have a video of how to set up a QNAP NAS so it is totally on your home network?

    • @sliceofmymind 1 year ago +2

      I highly recommend you research custom hardware firewalls like pfsense (you don't even need to spend a lot of money if you have an old pc) to put in between your modem and router and switches.

    • @leexgx 1 year ago

      If the internet can see Photo Station (external access was enabled for Photo Station, the only way you get this ransomware), you need to disable myQNAPcloud, not enable external access, and have a second NAS or USB disks for backup.
      It's good that snapshots worked for you.
      Can I ask how much free space did you have (did it use like 50% more space when the encryption happened, which means the files were fully encrypted) or did it drop to read-only/delete mode or was the snapshot size not very large (unsure if deadbolt is encrypting the whole file or doing the rapid approach and only encrypting the 128KB to 1MB of each file)?

    • @Mike_Genisys 7 months ago

      Watching this made me wonder how the attackers identified so many devices unless something on QNAP's back end knows the location of all devices that phone home. Makes you wonder if it was an inside job.

  • @chazM6116 1 year ago

    Can encrypted files be unencrypted?

    • @salaoru_dragos 1 year ago

      @WFP hi, do you know someone who already paid?
      I'm about to accept my fate and pay the ransom but I have zero experience with bitcoin transactions.
      Thanks in advance

  • @Bob_Bobbings 1 year ago

    I'm not convinced this latest wave was using Photo Station. I don't have this installed and managed to get caught by 0xxx virus but based on this exact situation. I used it for media storage and I did have 443 exposed to web so I can access remotely via the Qfile app. UPnP disabled on both QNAP / router.
    I only had 1 account and actually had my USB still plugged in with all my backup data. I left it transferring and forgot to unplug it and still the attackers didn't or couldn't encrypt it. Based on this I feel this may have been DLNA/media server related as multimedia is the only folder the media servers are restricted to.

  • @jodajackson4489 1 year ago

    Unsecured external access to the NAS and Photo Station... who in their right mind would ever...???

    • @danielekirylo 1 year ago +1

      This is QNAP's fault, like requiring Photo Station to enable background images for login screens.

  • @Mike0193Azul 1 year ago +1

    After getting hit with Qlocker I haven't had my NAS connected online since. Recently connected it again just this week and I hear about this deadbolt stuff. Thankfully I should be fine because I connected after all these new updates.
    I have backups of my data on external drives. Heck, my NAS is no longer a backup means really, I just want it to be able to access my data remotely as my own personal cloud storage with terabytes of data.
    But now I'm worried I can't do this without possible future hacks.

  • @AlexMoenR 1 year ago

    I was hit... thank goodness that I found it early and I have offsite backup. Nothing permanently lost, but it took a WEEK of personal effort to recover it back to normal (re-downloading lost data + removing the ransom note/malware, which QNAP's updates do not yet handle, outside of halting the file locking itself). Others will surely have a worse time.
    Good moment to update my backup strategy (offsite backup was great, but slow... I need local backup... now I get that whole 3-2-1 backup thing 😅). And yeah, lock it the F down from outside access! I'm surprised this isn't the default state of the NAS out of the box, given what I know now... Live and learn.

    • @leexgx 1 year ago +1

      Make sure snapshot is set up (when creating the volume it's now enabled by default with 7d 4w 12m smart retention rules; I would drop it to 2 months so it can cycle out old changed data sooner. Recommend using thin volume, it used to default to thick).
      I would turn off "smart snapshot management" as there is a risk that current remaining snapshots get deleted.
      QNAP on recent updates does not enable external access by default, but you might enable it when logging into QNAP ID (turn off myQNAPcloud and disable external access).

    • @justaguy6837 1 year ago +1

      Took me a solid 5 days also, of mind numbing file scrubbing and copying, formatting, etc. I was lucky, I had 2 units replicated to each other, 1 had Photo Station, the other didn't. The Photo Station unit got hit, the other had the replicated deadbolt and 7z files plus ransom demands, but the actual data was fine. I was able to recover 100% of my data thankfully, but still, sucked.

    • @IT_RUN1 1 year ago +1

      I'm with Synology but seem to have the exact opposite when it comes to backup solutions. I have the DS920+ and use only a local offline backup (USB physically unplugged after backup is completed and safely ejected). Unfortunately I do not have an off-site backup so if something was to happen to the place that we live I might be out of luck in that aspect. Although I am considering, based on the prices online, just buying another large 18 TB external drive and renting well insulated but cheap public storage rather than paying the prices that I see for the same amount of space online. That way I'll have access to my storage and be up and running in as little as a day or two with USB 3.0 depending on how much space I've used. Never been hit by synolock or any other type of ransomware (which technically only affected individuals who didn't update for at least a year as they must have been running DSM 4.3-3810 or earlier as it was patched a year before the actual event).
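
Several comments in this thread describe ransomware-renamed files being replicated or backed up over the good copy. The following is an added example, not part of the video page or any commenter's post: a Python pre-sync guard that refuses a replication job when the source share holds `.deadbolt`-suffixed files or when a large fraction of previously seen files has vanished. The 20% threshold, the function names and the sample files are assumptions constructed for illustration, and the missing-file check goes beyond what the comments mention.

```python
import os
import tempfile

SUSPECT_SUFFIX = ".deadbolt"  # extension DeadBolt appends to files it encrypts
MAX_MISSING_RATIO = 0.2       # assumed threshold; tune to your normal file churn


def list_files(root):
    """Return the set of file paths under root, relative to root."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def replication_verdict(root, last_good_manifest):
    """Decide whether a sync job may run. Returns (ok, reasons)."""
    current = list_files(root)
    reasons = []
    # Check 1: any file carrying the ransomware suffix blocks the job.
    suspects = sorted(p for p in current if p.lower().endswith(SUSPECT_SUFFIX))
    if suspects:
        reasons.append(f"{len(suspects)} file(s) end in {SUSPECT_SUFFIX}")
    # Check 2: mass disappearance of known files (renamed or deleted in bulk).
    if last_good_manifest:
        missing = last_good_manifest - current
        ratio = len(missing) / len(last_good_manifest)
        if ratio > MAX_MISSING_RATIO:
            reasons.append(f"{ratio:.0%} of previously seen files are gone")
    return (not reasons, reasons)


def demo():
    """Constructed sample: a clean share, then the same share after renames."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.jpg", "b.jpg", "c.docx", "d.mp4"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample data")
        manifest = list_files(root)  # manifest saved after the last good sync
        clean = replication_verdict(root, manifest)
        for name in ("a.jpg", "b.jpg", "c.docx"):
            path = os.path.join(root, name)
            os.rename(path, path + SUSPECT_SUFFIX)
        hit = replication_verdict(root, manifest)
    return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("clean share:", clean)
    print("after renames:", hit)
```

Run the check before the sync tool starts and skip the job on a failed verdict, so the last good copy on the destination is left untouched.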

  • @bazcurtis178 1 year ago

    Make sure PnP is turned off on your router. You don’t want something being made public without your knowledge. If you make it public at least you know you did it. If PnP did it, you might be unaware.
    I agree about forced updates. At the very least set a reboot window time. 3am in the morning. I know that won’t work for everyone, but it should work for the majority.

  • @limpt78 1 year ago

    I just got hit by this ransomware a few days ago. Without knowing what happened, I updated the firmware and ran Malware Remover and they removed my ransom note. I have thousands of photos and videos that got encrypted and I'm doomed now.

    • @leexgx 1 year ago +1

      The ransomware page is moved/quarantined on update; you can install an update, I believe, that restores access to the deadbolt page.
      Make sure you have enabled snapshots (default in recent versions of QTS) and use thin volume when creating the volume (it selects thick by default, limiting the size of the snapshots that it can be).
      And buy 2 USB external HDDs (or/and another NAS) and use the provided QNAP backup tools.
      Should note QTS 5.0.1 defaults to thin on volume creation now and more retention deletion rules are available.

  • @tombennett1673 1 year ago

    Brilliant video. Accountability works both ways.

  • @Jeff-rg9io 1 year ago +1

    No Photo Station and no WAN access to my NAS.

  • @3dmotormaker 1 year ago

    I agree the owner should have total power over their equipment. Forced updates and forced restrictions do not sit well with me. I am responsible for my data and my device security. That said Qnap is totally at fault for producing insecure apps, and not notifying users in a reasonable time.

  • @danielekirylo 1 year ago +1

    I was hit on the 3rd of September... F***g QNAP not checking these holes! Now I have some stuff that was not backed up.
    BTW I followed almost all the recommendations and have automatic updates... this is how the deadbolt was stopped before all the NAS was encrypted, but not fast enough.

    • @salaoru_dragos 1 year ago

      Hi,
      Same shit happened to me too on Saturday September 3 at around 4am.
      Unfortunately I wasn't home and all my data, 6TB, got encrypted. The encryption process ended late in the evening of the same day.
      Now I'm considering paying the ransom but I need to exchange some advice with someone who already paid.
      By chance do you know someone in this situation??
      Thank you in advance

    • @danielekirylo 1 year ago

      @salaoru_dragos Hi, sorry to hear that. I do not know anyone who paid yet, but you can monitor if the hackers are providing the codes once paid. There are some guides on YT on how the payment works and what tools to use.

  • @HiltonT69 1 year ago

    Absolutely pro forced security and critical updates.

  • @StinkPickle4000 1 year ago

    I guess we can put FreeNAS on our QNAPs?

  • @thelonewolf666 4 months ago

    I'm getting a DAS as NAS is not safe.

  • @Boodieman72 1 year ago

    Put the NAS behind a NAT router at the minimum.

  • @sliceofmymind 1 year ago +1

    What I don't get is how someone can be knowledgeable enough to research and buy a NAS but dumb enough to leave it exposed. Even a turnkey solution, like most Synology and QNAP NASes can be, requires some knowledge on how computers work. Before I am attacked, almost all novice computer users think backing up is using a simple external HD solution, so if you are using a NAS you have more knowledge than the majority.

    • @robertoperezjr.1119 1 year ago +3

      Most users that are as you say knowledgeable enough, like me, are probably thinking that they just want to back up their stuff and that is why they got a NAS. That is exactly why I got one. Most users like me think it is weird to back up a backup. That is expensive and I 'already' backed up my stuff with the NAS. I was hit by this ransomware and when there is an update I update my NAS. I don't think I or most users are dumb. They just want to back up stuff and don't really think a hacker would hit them. NAS systems are pretty user friendly now too. It is easier for a person of limited computer skills, like me, to have a NAS now. In the non-computer world of living you don't see much about ransomware and hacking. You may work in the IT world and see ransomware more often. I don't. I unfortunately have learned my lesson. heheee. Shit happens. I just need to deal with it.

  • @RomanticTuna 1 year ago

    DEADBOLT hit my files by adding a suffix to the file names, that's it. Weird

  • @KellicTiger 1 year ago

    Yeah right. As soon as I have a good solution to back up 92TB of data... I'll do it. Upload speed is 40mbit a second. (Thanks shitcast... like I care about the gig download speed.) And 100TB external storage is expensive AF. I looked at tape... 5K for a tape drive.

  • @essdee800 1 year ago +4

    Ransomware sucks

  • @tsvetomirandreev 1 year ago +1

    This video is like paid by QNAP:
    "It's customers' fault that they allow QNAP apps to run".
    It's better to say it simply:
    - QNAP apps are unusable gimmicks
    - The entire QNAP platform is not usable for internet access.
    (previous hack was through their cloud accounts, so nothing related to local user setup could help)
    It's ridiculous to blame users, routers, protocols (like UPnP) etc. as NONE of the hacks were because of them.
    ALL of the hacks were due to POOR security (like hardcoded passwords in the source) in QNAP's own software and platform.

  • @cours458 1 year ago

    I mean, I don't have enough money to back up my 120TB.

  • @kophotography895 1 year ago

    Simple Solution "Do Not Give People The Choice" No Bypass, Nothing.

  • @BrainWearmouth 1 year ago

    NAS for LAN only

  • @JimtheITguy 1 year ago

    QNAP are damned if they do and damned if they don't on warnings. Big scary warnings upset a lot of people, some from the "Mah Freedom" view where they just want to do what they like and don't want to be told otherwise by some sort of nanny, and others from the "That's scary, I'm going to return it/call support and complain" view. QNAP are behind on the security aspect but they are moving a lot faster now than they were. A lot of systems are now asking users to configure updates automatically, Unifi as an example do it on setup. It should be on by default and if you want to manage it then you can turn it off.

  • @souk-tv 1 year ago +2

    QNAP is AIDS. I've never known an operating system on any other platform to be as weak, or vulnerable, as QNAP's operating system. If you're interested in protecting your files buy a Synology or use some open source software. I'm sick of getting vulnerability notifications online about QNAPs, it makes me sick to my stomach.

  • @cassio2999 1 year ago

    You talk too much and say too little

  • @DivineMisterAdVentures 1 year ago +1

    17:00m FORCED UPDATES TO EAT YOUR MEAT OR YOU CAN'T HAVE ANY PUDDING
    The minority but visible issue of RANSOMWARE points to the same conclusion of managed time only on the internet and a different access and use infrastructure, harking back to CompuServe and even military peer to peer access only to break the back of the Time Jack and Slave issue.