What is DeadBolt ransomware?
DeadBolt is a relatively new ransomware that first emerged in January 2022. Initially it targeted QNAP network-attached storage (NAS) devices by exploiting vulnerabilities to gain access and encrypt files (1).
DeadBolt is known for using strong encryption algorithms to lock files and append the .deadbolt extension. Once encrypted, files become inaccessible without the decryption key (2).
Unlike some ransomware, DeadBolt does not spread on its own. It requires an attacker to gain access to systems first, often through exposed ports or credentials. Once inside the system, DeadBolt will encrypt all files it can access (3).
A notable aspect of DeadBolt is its “multitier” ransom demands. It will ask for increasing amounts of bitcoin based on how long the victim takes to pay. This puts extra pressure on victims to pay quickly before the ransom price increases (3).
In 2022, DeadBolt has continued to evolve, exploiting new vulnerabilities and expanding its targets. Recent campaigns have hit VMware ESXi servers, Linux systems, and other internet-facing devices (2,3).
How DeadBolt encrypts files
DeadBolt ransomware uses the AES-128 encryption algorithm to encrypt files on infected devices (https://www.trendmicro.com/en_ph/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html). AES-128 uses a 128-bit key to encrypt data, making it very difficult to crack. Once files are encrypted, the .deadbolt extension is added to the filenames.
DeadBolt targets a wide range of files for encryption, including documents, media files, databases, archives, and source code (https://resources.infosecinstitute.com/topics/malware-analysis/deadbolt-ransomware-the-real-weapon-against-iot-devices/). Some of the file extensions targeted include .doc, .xls, .pdf, .jpg, .mp4, .sql, .zip, and .java. DeadBolt encrypts files on both PC systems and connected network-attached storage (NAS) devices.
The impact of DeadBolt attacks
DeadBolt ransomware has severely impacted organizations across many industries since its emergence in late 2021. The cybercriminal group behind DeadBolt primarily targets internet-exposed QNAP network-attached storage (NAS) devices using compromised credentials or vulnerabilities (Chainalysis). Once access is gained, the malware encrypts all files on infected devices and connected networks.
Manufacturing and production companies have been especially hard hit, with DeadBolt disrupting operations at companies like Espathy and Appenzeller Druck. The ransomware has also impacted healthcare facilities, managed service providers, law firms, and public sector organizations globally. Affected entities often face high costs for incident response, business interruption, and restoring systems from backups.
The financial losses from DeadBolt campaigns are significant. Cybersecurity firm Coveware estimated in January 2022 that the average ransom demand was approximately $238,000. With hundreds of victims identified so far, the total extorted by DeadBolt likely reaches into the tens of millions of dollars. Sensitive data theft and leakage is also a risk if the cybercriminals follow through on threats to publish stolen files from non-paying victims.
Overall, DeadBolt presents an ongoing threat with the potential to severely disrupt business operations and cause costly damages across organizations. Its focus on critical NAS devices provides access to entire networks, magnifying its impact.
Is it possible to decrypt .deadbolt files?
Decrypting files encrypted by DeadBolt ransomware is very challenging. DeadBolt uses strong AES-256 and RSA-2048 encryption to lock files, making brute force decryption nearly impossible (Group IB). Additionally, each infection generates a unique encryption key stored only on the attacker’s server. Without access to this key, affected users have no direct method to restore their files.
Currently, there are no publicly available decryption tools or keys that can reliably decrypt .deadbolt files (Digital Recovery). Security firms like Emsisoft have had some success cracking DeadBolt variants, but often the criminals update the code to stay ahead. This makes developing a universal decryptor very difficult.
That said, all hope is not lost. Some alternatives to paying the ransom include:
- Restoring files from backups if available.
- Recovering previous versions of files like documents from cloud storage.
- Attempting to find a decryptor on sites like NoMoreRansom.org as they become available.
- Engaging an incident response firm to investigate other decryption options.
While DeadBolt infections remain very challenging to remediate, various recovery methods can help mitigate the damage without paying the ransom.
Preventing DeadBolt infections
The most effective way to prevent a DeadBolt infection is to practice safe cyber hygiene. This includes being cautious when browsing the web and opening email attachments or links. Attackers often use phishing emails with malicious links or attachments to initially infect systems with DeadBolt. Users should avoid downloading software from unofficial sites and exercise caution even when downloading from official sites. Keeping operating systems, software, firmware, and antivirus programs up-to-date with the latest patches is also critical to prevent DeadBolt from exploiting known vulnerabilities.
One of the most important preventative measures is maintaining current backups of critical data. DeadBolt encrypts files on networked devices and connected storage, attempting to force victims to pay the ransom to decrypt files. However, keeping regular backups that are disconnected from the main network provides the ability to restore encrypted files from backup rather than paying the ransom. Air-gapped, immutable backups provide the best protection against DeadBolt’s data encryption.
Implementing robust cybersecurity measures such as firewalls, intrusion prevention systems, and avoiding exposing devices directly to the internet can also help prevent DeadBolt infections. This ransomware often exploits insecure network devices like NAS appliances, routers, and VPNs to gain a foothold. While no single solution will completely eliminate the risk, practicing defense-in-depth security can significantly reduce the chances of a successful DeadBolt attack.
Detecting a DeadBolt Infection
There are a few warning signs that can indicate your system has been infected with DeadBolt ransomware:
The primary sign is finding that your files have been encrypted and renamed with the .deadbolt extension. DeadBolt will encrypt a wide range of file types including documents, images, videos, databases, and source code files. Checking for files renamed to .deadbolt is one of the clearest indicators of an attack.
DeadBolt will also leave ransom notes on the infected system with instructions for paying the ransom to allegedly decrypt the files. These notes are usually named DEADBOLT-README.txt.
Another sign can be application crashes or errors opening files, as the encryption process corrupts the original data. The ransomware aims to encrypt as many files as possible before being detected.
To check for signs of DeadBolt, scan your system with up-to-date antivirus software. Security programs can detect the presence of ransomware by identifying file encryption activities or matching known indicators of compromise. Make sure your antivirus definitions are fully updated to detect the latest ransomware strains.
Conducting regular antivirus scans is important for early detection before the infection can spread. If DeadBolt is detected, disconnect from networks immediately to prevent it from reaching shared drives or backups.
Responding to a DeadBolt Attack
If your system is infected with DeadBolt ransomware, it’s important to respond quickly and effectively to limit damage. Here are key steps to take:
Isolate infected devices – Once DeadBolt is detected, immediately isolate affected devices by disconnecting them from networks to prevent the ransomware from spreading. Power off devices if possible.
Consult security experts – Contact incident response experts who can analyze the attack, determine the extent of the infection, and provide guidance on containment and remediation.
Notify affected parties – Alert any internal and external parties whose data may have been compromised in the attack. This includes customers, partners, regulators etc. as applicable.
Restore from backups – Leverage clean backups to restore encrypted or compromised systems and data. Ensure backups are isolated from networks first. https://www.group-ib.com/blog/deadbolt-ransomware-decryption/
Following these steps can limit DeadBolt’s impact and help organizations recover critical systems and data without paying ransom.
Should you pay the DeadBolt ransom?
Paying the ransom demanded by DeadBolt attackers is highly controversial. There are ethical and legal implications, uncertainties around decryption, and the risk of funding criminal activity to consider.
Ethically, paying a ransom contributes money to cybercriminal groups and enables them to continue attacks against others. It is generally discouraged by law enforcement and cybersecurity experts as it incentivizes further criminal behavior. However, when faced with the potential loss of irreplaceable data, some individuals and organizations feel compelled to pay.
Legally, paying ransoms is not illegal in most countries. The U.S. Office of Foreign Assets Control advises that paying ransoms to sanctioned entities could violate regulations. Additionally, ransom payments made by organizations may need to be disclosed according to certain laws or regulations.
In terms of decryption, some DeadBolt victims report receiving working decryption keys after paying ransom demands. However, decryption is not guaranteed. Attackers do not always provide the keys, may only decrypt some files, or keys may fail to properly decrypt. There are also reports of scammers impersonating DeadBolt to collect fraudulent payments.
Finally, ransom payments directly enable cybercriminals to fund future DeadBolt operations and development. The cryptocurrency wallets associated with DeadBolt have received millions in ransom payments. Experts advise this money likely supports activities like purchasing access to compromised devices.
With no guarantee of recovering files, ethical concerns, and the goal of deterring attacks, most experts advise against paying DeadBolt ransoms. Careful consideration of all factors is advised for victims weighing this decision.
Ongoing DeadBolt developments
DeadBolt ransomware has continued to evolve since it first emerged in late 2021. New variants have been observed, incorporating changes to evade detection and strengthen encryption tactics. In May 2022, security researchers noted the ransomware had undergone modifications in an updated campaign targeting QNAP NAS devices (https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-upgraded-to-encrypt-qnap-devices-faster/).
Law enforcement agencies have also taken action against DeadBolt operations. In June 2022, the Dutch police obtained decryption keys for 155 victims by infiltrating the DeadBolt infrastructure (https://www.bleepingcomputer.com/news/security/police-tricks-deadbolt-ransomware-out-of-155-decryption-keys/). This allowed victims to recover files without paying the ransom. However, the main DeadBolt infrastructure remains active.
While some decryption tools have been released for specific victims, there are currently no universal decryptors that can recover all .deadbolt encrypted files. Researchers continue working to find a weakness that could enable broader decryption capabilities.
Summary
DeadBolt ransomware is a vicious new malware strain that encrypts all files on a computer or network with unbreakable .deadbolt extensions. Once encrypted, the only way to recover files is with the decryption key from the attackers. Unfortunately, DeadBolt uses robust AES and RSA encryption that makes decryption without the key essentially impossible.
The best protection against DeadBolt is preventing infection through safe computing practices. Be cautious of suspicious emails and links, keep software updated, use strong passwords, and maintain offline backups. If DeadBolt infiltrates your system, isolate the infection and consult incident response experts immediately. While tempting, avoid paying the ransom if possible, as it encourages and funds criminal operations.
In summary, DeadBolt presents a dangerous new digital extortion threat. But with vigilance and proper precautions, its impact can be minimized. This guide provided key facts about DeadBolt’s operations, defenses, and response options to help readers understand and combat this malware menace.