No Ransom Demands at the Moment
Several affected users took to Reddit and the official Asustor forum to share details of their ordeal with Deadbolt ransomware. Many of them reported high disk activity as a result of the ransomware encrypting their files. Last month, Deadbolt infected QNAP NAS devices, with hackers demanding a ransom of 0.03 Bitcoin (about $1,150 at the time of writing) from each victim. They also tried to sell the vulnerability of the QNAP devices for three Bitcoin (about $115,000) and a master decryption key at a price of 50 Bitcoin (around $1.9 million). At this time, it is not clear if Asustor users have received a similar ransom demand.
Attack Vector Unknown as Asustor Remains Silent on Details
At this time, Asustor has not put out a specific advisory about the attack. Neither has it revealed any information about the possible vulnerability. Furthermore, it has not announced any plans to issue a software patch or a confirmed list of affected models. Based on the information out there, Reddit users acknowledge that it is currently difficult to pinpoint a configuration that is safe from the ransomware. However, the EZ Connect and Plex Remote Access ports appear to be the likeliest vulnerable access points.
List of Known Vulnerable Asustor Devices
Currently, it is unclear if all of Asustor’s NAS devices are vulnerable to Deadbolt. Thanks to user feedback on Reddit and the Asustor forum, we know that the following models are unaffected:
AS6602T AS-6210T-4K AS5304T AS6102T AS5304T
On the flip side, users confirmed that the following devices have been infected and therefore remain vulnerable:
AS5304T AS6404T AS5104T AS7004T
Precautionary Measures from Asustor Users
Much to the relief of its user base, Asustor has put out a list of recommendations to help device owners protect themselves. The measures include:
- Changing default ports. This includes the default NAS web access ports of 8000 and 8001, and the remote web access ports of 80 and 443.
- Disabling EZ Connect.
- Creating an immediate library backup.
- Switching off the Terminal/SSH and SFTP services.
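To confirm the changes above actually took effect, owners can probe their own NAS for the ports the recommendations name. The script below is an added example, not code from Asustor or the original article; the address 192.0.2.10 is a placeholder, and port 22 is an assumption (the standard SSH/SFTP port), since the recommendations give no number for it.

```python
import socket

# Ports named in the recommendations above. Port 22 is an assumption: the
# standard SSH/SFTP port, used because the recommendations give no number.
FLAGGED_PORTS = {
    8000: "default NAS web access (HTTP): change the port",
    8001: "default NAS web access (HTTPS): change the port",
    80: "default remote web access (HTTP): change the port",
    443: "default remote web access (HTTPS): change the port",
    22: "SSH/SFTP (assumed standard port): switch the service off",
}


def is_listening(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit(host, flagged=FLAGGED_PORTS, timeout=2.0):
    """Return {port: advice} for every flagged port still accepting connections."""
    return {port: advice for port, advice in sorted(flagged.items())
            if is_listening(host, port, timeout)}


def report(host, findings):
    """Format the audit result as a short text report."""
    if not findings:
        return f"{host}: none of the flagged ports accept connections"
    lines = [f"{host}: {len(findings)} flagged port(s) still reachable"]
    lines += [f"  tcp/{port}: {advice}" for port, advice in findings.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass your own NAS address as the first argument; the default is a placeholder.
    nas = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(nas, audit(nas)))
```

Run from inside the LAN, it shows what the NAS itself still listens on; run from an outside network against your own public address, it shows what the router still forwards.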
Furthermore, if a user finds that their NAS is infected, they should follow these steps:
1. Remove the Ethernet network cable.
2. Safely shut down the infected NAS. To do so, press and hold down the power button for 3 seconds.
3. Refrain from initializing the NAS. Doing so will erase the stored data.
4. Fill out this form, which will go to Asustor's technicians, who will contact affected customers as soon as possible.