Customers of a popular network-attached storage (NAS) vendor appear to be caught in the middle of two ransomware campaigns.
Taiwanese manufacturer QNAP released an advisory late last week warning of a critical threat from the DeadBolt variant, which it said appeared to be targeting users running outdated versions of QTS 4.x.
“To secure your NAS, we strongly recommend updating QTS or QuTS hero to the latest version immediately,” it said.
“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page.”
Separately, security researchers have warned of a resurgent eCh0raix campaign targeting the same devices.
G Data malware analyst, Karsten Hahn, flagged the find on Twitter. According to Virus Total, the ransomware, also known as QNAPCrypt, is currently only being detected by 28 out of 58 vendors.
There was no news from QNAP at the time of writing, but this is certainly not the first time its devices have been targeted by both variants.
In fact, back in May, the vendor issued an advisory warning that devices using weak passwords or outdated QTS firmware may be susceptible to attack.
To avoid being compromised, it advised customers to use stronger passwords for admin accounts; enable IP access protection to mitigate the risk of brute force attacks; avoid using ports 443 and 8080; and update QTS and all associated apps to the latest versions.
In the same month, QNAP issued a separate advisory warning of an earlier DeadBolt campaign. DeadBolt also struck in January this year.
Bud Broomhead, CEO at Viakoo, explained that around 10 out of CISA’s 700+ listed known exploited vulnerabilities affect QNAP.
“QNAP devices are very attractive to cyber-criminals whose strategy is to ask a large number of victims for a small amount of money, as opposed to few victims being asked for large amounts,” he added.
“The $900 asked for as a ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved, and potentially face internal consequences for not having properly onboarded and secured the devices.”