Attacked By Deadbolt Ransomware

Deadbolt Out of the Blue

Shortly after my father went home from work on May 13, the QNAP NAS server at his company was attacked by Deadbolt ransomware.

The next morning he noticed that the extensions of all the files on the server had been turned into .deadbolt. Because it was Saturday morning, his security management company was not operating, so he gave me a call. He asked me to come to check it out and fix it.

At that point I thought his vendor should take care of the incident, because I was no longer in charge of the security management of the server. So I asked him to wait for their support.

The next week, the person from the vendor in charge of my father's server visited his company and explained how they could recover the files. He told us the server had been set up so that backup copies would be made at the same time files were stored, and that they would be able to restore the files from the backup. My father then had them take the server to their office.

It took them quite a few days to estimate how much it would cost to have them recover the files. After the long wait, they told us it would cost around 400 thousand yen.

Because my father had already paid more than 4 million yen for the security systems, including the server, the firewall equipment and the setup, he didn't want to pay them any more money. So my father decided to ask me to try to recover the files instead.

My Investigation

After checking the server, I found out that the vendor had only created backup folders and had not configured anything to actually make any backups at all.

At first, I searched for information on the Internet, mainly in English, to find out whether there were any ways to recover the files without paying the ransom. Some websites suggested using file recovery software.

Trying to Recover Files without the Decryption Key

I wondered how that could be feasible when the extensions of all the files had been turned into .deadbolt. Some people on the forums mentioned that the criminals didn't rename the files directly, but created new files with the .deadbolt extension and deleted the original files afterward. That is why some people believe the files can be recovered this way.

I found a very helpful tool on the following website. It uses Ubuntu and PhotoRec on Windows. It recovers the deleted files, though their file names are lost, and then tries to match the size and extension of each file to recover the file names.

Data recovery after Ransomware Deadbolt

I spent quite a lot of time trying this tool, but the result did not come out as expected. Though many files whose names had been lost were recovered, many of them were broken and didn't open. And the matching process brought back only a limited number of files to the right place in the folder structure. I suppose this happens because the encryption process also changed the file size. The criminals seem to have known about this kind of recovery method and taken measures against it somehow.

They deleted the files so that they could not be recovered, and they even changed the file size.

After trying various kinds of decryption tools, I realized there were no decryption tools I could use unless I had the decryption key, partly because Deadbolt was a relatively new kind of ransomware.

I hope some genius will create a tool in the future that enables us to decrypt files if we have a pair of files, an original file and its encrypted version.

After giving up on recovering the files without the decryption key, I asked my father to introduce EaseUS Data Recovery. With it I could recover the deleted files with their file names intact. In some cases, the criminal seemed to have deleted even the .deadbolt files, so I tried to recover those deleted files as well.

I also tried to find traces of the criminals, such as log files of all kinds and other evidence. As far as I could see, all the prominent ones had been completely destroyed, so that their file size was 0 KB.

Report to the Police

My father reported this incident to the police and told them his daughter was trying to recover the files. They then asked him to explain the situation to them at his office, so he asked me to come over for that.

The problem was that the ransom note, which was supposed to be displayed when I accessed the server through the browser, was not displayed. I was under pressure to get the ransom note displayed by any means before the police officers visited.

Recovering Ransom Note

The method for recovering the ransom note provided on the QNAP Support webpage did not work. It seemed the ransom note was automatically deleted when the server was rebooted, because of QNAP's malware remover. I even contacted the QNAP Helpdesk and asked for their help, but their response was slow.

So in order to recover the ransom note, I had to execute the program file which the criminal had left on the server myself.

/mnt/HDA_ROOT/update_pkg/SDDPd.bin

This is the location and the name of the file.
I could execute this file after logging in to the server through SSH using the command prompt.

ssh admin@<Server IP Address>
Enter Password: *******
cd /mnt/HDA_ROOT/update_pkg
sh SDDPd.bin

Then it returned an error like this.

SDDPd.bin: line 6: chattr: command not found

It seems the QNAP NAS doesn't have several commands installed, so I copied the chattr binary from Ubuntu to the server using a tool called WinSCP, which lets me manage the files on the server in a file-explorer-like view over the SSH port.

Then the error changed.

SDDPd.bin: line 6: /bin/chattr: Permission denied

So I changed the permissions of the chattr file using WinSCP.

Then another error was returned.

chattr: symbol lookup error: chattr: undefined symbol: fsetproject

I tried installing various kinds of packages to solve the error, but suddenly I noticed the ransom note was being displayed in the browser. They say it is also displayed when the connection with the server is terminated automatically. So it seems the fsetproject error did not have to be solved, and I'm not sure exactly when the ransom note became available.

To bypass the ransom note page and access the settings page of the server, we can still use this link.

https://<Server IP Address>/cgi-bin/index.cgi

The criminal also left program files on the server for the victim to use for decryption. There are two files whose names consist of 4 to 5 digits.

/mnt/HDA_ROOT/#####

The one with the smaller file size is the program to be used for decryption once the decryption key has been obtained after paying the ransom.

Even if the button on the ransom note does not work because of the effect of the QNAP malware remover, we can execute this file manually to decrypt the files.

Explaining the Situation to the Police

At last two police officers visited my father's company. I explained in detail how I had been trying to recover the files, and showed them the ransom note and the contents of the program files the criminal had left on the server. They told me my explanation was easier to understand than anyone else's.

They also told me that they had never met any victims who had paid the ransom. That is why they believed the 'hearsay' that only 30% of the files can be recovered even if the ransom is paid. I told them the percentage was groundless, and that most of the files would be recovered if we got the decryption key. On English forums, I found quite a few reports from people who paid the ransom and got their files back.

The reason Japanese people believe this kind of hearsay is that there is a moralistic belief among Japanese people that paying a ransom encourages criminals to commit further crimes. When I visited the websites of Japanese file recovery companies, they said first of all that we should never pay the ransom. I thought it was very strange, because most Western file recovery companies offer recovery plans on the assumption that the victims will pay the ransom. With a devastating ransomware type like Deadbolt, we have no choice but to pay the ransom if we want to recover the data. So I wonder how Japanese file recovery companies could recover data in the case of Deadbolt.

The police also told me that we should avoid paying the ransom if possible, but that if retrieving the data is a matter of life and death for the victims, they understand paying the ransom would be unavoidable.

So my father decided to pay the ransom, because he believed in the result of my investigation.

Paying the Ransom

I used my account with Binance, which I usually use for cryptocurrency trading.

After paying the ransom, the decryption key was published on the Internet so that everyone can see it, like this.

The decryption key is the string of characters displayed in the "SCRIPTPUBKEY (ASM)" field after "OP_RETURN OP_PUSHBYTES_16".
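To make the OP_RETURN layout described above concrete, here is an added example (not part of the original post) that extracts the 16-byte payload from such an output, accepting both the ASM form shown by block explorers and the raw scriptPubKey hex. The transaction data in it is constructed and the payload is a placeholder, not a real key.

```python
"""Extract the 16-byte payload from an OP_RETURN OP_PUSHBYTES_16 output.

Added example, not part of the original post. Block explorers show the
output either as ASM ("OP_RETURN OP_PUSHBYTES_16 <hex>") or as raw
script hex ("6a10<hex>"); both forms carry the same 16 bytes.
"""
import re

OP_RETURN = 0x6A      # opcode marking the output as data-carrying
PUSHBYTES_16 = 0x10   # opcode 0x10 pushes the next 16 bytes onto the stack

# 16 bytes = 32 hex characters
ASM_PATTERN = re.compile(r"^OP_RETURN\s+OP_PUSHBYTES_16\s+([0-9a-fA-F]{32})$")


def key_from_asm(asm: str) -> str:
    """Parse the ASM form shown by block explorers and return the key as hex."""
    m = ASM_PATTERN.match(asm.strip())
    if not m:
        raise ValueError("not an OP_RETURN output carrying exactly 16 bytes")
    return m.group(1).lower()


def key_from_script_hex(script_hex: str) -> str:
    """Parse the raw scriptPubKey bytes (given as hex) and return the key as hex."""
    script = bytes.fromhex(script_hex)
    # 1 byte OP_RETURN + 1 byte push opcode + 16 bytes payload = 18 bytes
    if len(script) != 18:
        raise ValueError("unexpected script length %d" % len(script))
    if script[0] != OP_RETURN or script[1] != PUSHBYTES_16:
        raise ValueError("script is not OP_RETURN OP_PUSHBYTES_16")
    return script[2:].hex()


def main() -> None:
    # Constructed sample output; the payload is a placeholder, not a real key.
    asm = "OP_RETURN OP_PUSHBYTES_16 00112233445566778899aabbccddeeff"
    raw = "6a1000112233445566778899aabbccddeeff"
    assert key_from_asm(asm) == key_from_script_hex(raw)
    print("key:", key_from_asm(asm))


if __name__ == "__main__":
    main()
```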

By searching for the bitcoin address of the criminal's wallet, we can see how many people paid the ransom, like this.

Decrypting with Third-Party Tool

Because I could not trust the decryption tool the criminal had left, I used the decryption tool provided by Emsisoft.

Although most of the files were recovered, the tool did not work perfectly. I suppose the criminals also anticipated that there would be such a tool. They sometimes left both an encrypted file with the original file name and an encrypted file with the .deadbolt extension attached. So files without extensions, something like an 'avatar', were sometimes created during the decryption process.

Also, there were some files which were encrypted but left with their extensions unchanged. The Emsisoft tool sometimes failed to decrypt such files, too.

Using the Decryption Program Provided by the Criminal

So after recovering all the files, including the .deadbolt ones and the others, to external drives, I eventually decided to try using the tool the criminal had left.

As I had expected, the button on the ransom note did not work, and it said the decryption was complete without recovering any of the files on the shared drive at all.

But executing the program file manually actually worked.

The support page of QNAP provides the details on how to do this:

It is understandable that the program file the criminal used to encrypt the files was the most suitable for decrypting them. Although some files might have been lost, all the files seem to have been recovered more properly than with any other method I had used before. So I recommend you use this method to decrypt your files anyway, though I don't mean to praise the criminals' technique at all. They are just clever enough to make such a program file.

Recovery Rate

I should say we got back 95% of the data, since some files may have been lost during the encryption and decryption process. I don't know what the server looked like before the attack, so I cannot say it is 100%. But I believe paying the ransom was not a waste, at least.

So I'm now copying the recovered files from the server to an external drive. My father asked me to initialize the server in cooperation with the vendor. He would like to continue using the server as his internal server only.

Lessons Learned

This case made me realize I should not rely so much on the vendor of the internet security system. I wish I had at least made sure we had backup copies of the files on the server, though I am no longer a staff member of my father's company. I hope I can make sure we have backup copies of the files made periodically from now on.
