Asustor is urging users to disable EZ-Connect as reports come in that Asustor NAS units are falling prey to the DeadBolt ransomware.
Asustor forums and social media are filled with users complaining that they have fallen prey to the attack and have been locked out of their devices. Right now, most fingers are pointing at Asustor's EZ-Connect service as the main culprit.
Asustor has issued the following statement and recommendations for those who are (or believe they may be) affected by the Deadbolt ransomware:
In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to will be disabled as the issue is investigated. For your protection, we recommend the following measures:
Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.
For more detailed security measures, please refer to the following link:
https://www.asustor.com/en-gb/online/College_topic?topic=353
If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.
https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform
Filling out the technical support form is likely to help the brand gauge the scale of the issue, and it should also allow any recovery tools that become available to be shared faster with those affected. However, the culprit is looking increasingly like the EZ Connect remote-access service. This is further backed up by the fact that the official Asustor ADM demo page was also hit by the Deadbolt ransomware (it has since been taken offline).
Additionally, many users who powered down their device during the Deadbolt attack have, upon rebooting the NAS, been greeted with a message in the Asustor Control Center application that their system needs to be 're-initialized'. The most likely reason is that the core system files are among the first files targeted during the encryption process, so if the system was powered off immediately while that was in progress, system files may have been left corrupted. We are currently investigating whether recovery by mounting a drive in a Linux machine is possible (in conjunction with roll-back software such as PhotoRec).
Deadbolt, the same ransomware that hit QNAP devices earlier, gains remote access to a victim's NAS, encrypts the data, and then demands a bitcoin ransom. QNAP users were told to pay 0.03 BTC (about MYR 4,736.20) to unlock their devices, with an additional offer of a universal decryptor to QNAP itself for 50 BTC.
If your NAS is being attacked by the Deadbolt ransomware, you may try the following to stop the process and restore the web portal index.
If your Asustor NAS is in the process of being hit (even if you simply suspect it, because your HDDs are buzzing away unusually and the HDD LEDs are flickering at an unusual hour), it is recommended that you head into the process manager and check whether the Deadbolt encryption process is running. The following course of action was suggested by NAScompares commenter 'Clinton Hall':
My solution so far: login via ssh as the root user.
    cd /volume0/usr/builtin
    ls
You will see a 5-digit binary executable file. For me it was 22491. I use that in the following command to get the process ID:
    ps | grep 22491    # the grep line itself also matches; take the other PID
From this I got the process ID 25624. I kill that process:
    kill 25624
I then remove the binary file:
    chattr -i 22491    # clear the immutable flag first, otherwise rm fails
    rm -f 22491
Now, restore the index as above:
    cd /usr/webman/portal
    chattr -i index.cgi
    rm index.cgi
    cp index.cgi.bak index.cgi
Now for the fun part... a LOT of files had been renamed (not encrypted) to have .deadbolt appended to the end of the filename. So rename them back (note, you may want to do this folder by folder and check it is working). The following will do for the entire /volume1:
    cd /volume1
    # strips every ".deadbolt" from each file's basename, keeping the directory part
    find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
After these are all renamed, everything should work. Probably a good idea to reboot to restart the services etc.
Also, I'm not sure if the above will definitely traverse the .@plugins etc., so I did this manually:
    cd /volume1/.@plugins
    find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
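The script below is an added example; it is not code from the original page, from Asustor, or from the commenter quoted above. It reimplements two of the manual steps (spotting the numeric-named binary that the process-manager check above looks for, and renaming `*.deadbolt` files back) as POSIX-sh helpers, because ADM may only provide a busybox shell rather than bash. Unlike the one-liner above it strips only the trailing `.deadbolt` suffix, refuses to overwrite a file that already exists under the restored name, and has a dry-run mode so it can be tried folder by folder first. The directory tree built by `make_sample_tree`, including the fake executable named `22491`, is constructed purely for the demonstration; the real paths `/volume0/usr/builtin` and `/volume1` are never touched.

```shell
#!/bin/sh
# Added example, not code from the original page, Asustor, or the commenter.
# POSIX sh only: ADM may ship busybox rather than bash.
# All paths used below are constructed test data, not real NAS paths.

# list_numeric_binaries DIR
#   Prints regular, owner-executable files directly inside DIR whose name
#   consists only of digits (the "5-digit binary" described above).
list_numeric_binaries() {
    find "$1" -maxdepth 1 -type f -perm -u+x | grep -E '/[0-9]+$' || true
}

# restore_deadbolt_names DIR [dry]
#   Renames every regular file under DIR whose name ends in ".deadbolt" by
#   removing only that trailing suffix. Prints one "old -> new" line per
#   file; with a second argument of "dry" it only prints. A file whose
#   restored name already exists is reported on stderr and left alone.
#   Hidden directories such as .@plugins are descended into, because find
#   does not treat dot-directories specially.
restore_deadbolt_names() {
    find "$1" -type f -name '*.deadbolt' -exec sh -c '
        mode=$1; shift                 # $1 is the mode, the rest are paths
        for f; do
            new=${f%.deadbolt}         # strip the suffix, keep the rest intact
            if [ -e "$new" ]; then
                printf "SKIP, target exists: %s\n" "$f" >&2
                continue
            fi
            printf "%s -> %s\n" "$f" "$new"
            [ "$mode" = dry ] || mv -- "$f" "$new"
        done
        exit 0
    ' _ "${2:-real}" {} +
}

# count_deadbolt_files DIR
#   Number of regular files under DIR still carrying the suffix.
count_deadbolt_files() {
    find "$1" -type f -name '*.deadbolt' | wc -l | tr -d ' '
}

# make_sample_tree
#   Constructed sample data: a share with spaces in names, a hidden
#   .@plugins directory, a name collision, and a fake numeric binary.
#   Prints the temporary root directory it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Photos/2021 Trip" "$root/.@plugins/app" "$root/builtin"
    printf 'jpeg-data' > "$root/Photos/2021 Trip/IMG 001.jpg.deadbolt"
    printf 'doc-data'  > "$root/Photos/notes.txt.deadbolt"
    printf 'plugin'    > "$root/.@plugins/app/config.ini.deadbolt"
    printf 'keep-me'   > "$root/Photos/readme.md"            # must survive
    printf 'dup'       > "$root/Photos/readme.md.deadbolt"   # must be skipped
    printf 'ELF'       > "$root/builtin/22491"; chmod u+x "$root/builtin/22491"
    printf 'x'         > "$root/builtin/lsusb"; chmod u+x "$root/builtin/lsusb"
    printf '%s\n' "$root"
}

# Walk-through when invoked as:  sh restore_deadbolt.sh demo
if [ "${1:-}" = demo ]; then
    root=$(make_sample_tree)
    echo "== numeric binaries in $root/builtin =="
    list_numeric_binaries "$root/builtin"
    echo "== dry run =="
    restore_deadbolt_names "$root" dry
    echo "== real run =="
    restore_deadbolt_names "$root"
    echo "remaining .deadbolt files: $(count_deadbolt_files "$root")"
    rm -rf "$root"
fi
```

Run it with the `demo` argument to see the dry run, the real run, and the one skipped collision. On a real device you would point `restore_deadbolt_names` at a single share first (`restore_deadbolt_names /volume1/Photos dry`), inspect the output, and only then drop `dry`; the skip-on-collision rule matters because a file you have already restored by hand must not be clobbered by its leftover `.deadbolt` twin.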
If you have not been hit, I would recommend you action the following from within your Asustor NAS (or, better yet, where possible, power the device down until an official statement and a possible firmware patch are issued):
- Disable EZ Connect
- Turn off automatic updates
- Disable SSH (if you do not need it for other services)
- Block all NAS ports of the router, and only allow connections from inside the network
Basic measures to protect against ransomware attacks
- Use a strong password and disable the default Administrator account.
- Ensure the firmware is up to date.
- Turn on the firewall (ADM Defender).
- Disable unnecessary services such as SSH/SFTP.
- Avoid using the preset web-access ports such as 8000/8001 and 5000/5001.
- Secure your NAS with an HTTPS certificate.
- Disable the guest account; brute-force attacks usually start there.
- Always tick 'SSL sign-in' on the login page so that your password is not sent in plain text.
- Update the antivirus database on your NAS, if one is installed.
- Backup, backup and backup!!!
  - Always back up your important data manually to an external drive or a remote NAS.
  - Snapshot backups.
  - Backup to a public cloud such as Google Drive, Microsoft OneDrive or Dropbox.
  - Own multiple NAS devices, where one is the main NAS and the other is a backup.
  - Remote sync.
For more information, please contact 1700-81-8170 for details on NAS.
- We are NAS specialists.
- We supply NAS storage.
- We are an authorized reseller for Synology, Asustor and QNAP.