{
	"id": "394bcf8d-c1a5-4fd9-bf99-9e21950b02ad",
	"created_at": "2026-04-06T00:06:17.080576Z",
	"updated_at": "2026-04-10T13:11:48.529838Z",
	"deleted_at": null,
	"sha1_hash": "322e7dd1285f948963c16116903448c2b23566b1",
	"title": "New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3326321,
	"plain_text": "New DeadBolt ransomware targets QNAP devices, asks 50 BTC for\r\nmaster key\r\nBy Lawrence Abrams\r\nPublished: 2022-01-26 · Archived: 2026-04-05 22:40:07 UTC\r\nA new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day\r\nvulnerability in the device's software.\r\nThe attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended\r\nwith a .deadbolt file extension.\r\nInstead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen\r\nstating, \"WARNING: Your files have been locked by DeadBolt,\" as shown in the image below.\r\nhttps://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/\r\nPage 1 of 8\n\nRansom note on the hijacked QNAP login page\r\nSource: Twitter\r\nThis screen informs the victim that they should pay 0.03 bitcoins (approximately $1,100) to an enclosed Bitcoin address\r\nunique to each victim.\r\nAfter payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the\r\ndecryption key, which can be retrieved using the following instructions.\r\nDecryption key instructions\r\nSource: landski at BleepingComputer\r\nThis decryption key can then be entered into the screen to decrypt the device's files.\r\nQNAP has told BleepingComputer that users can bypass the ransom screen and access their admin page by using\r\nthe http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi URLs.\r\nBleepingComputer is aware of at least fifteen 
victims of the new DeadBolt ransomware attack, with no specific region being\r\ntargeted.\r\nAs with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.\r\nAs the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users\r\ndisconnect their devices from the Internet and place them behind a firewall.\r\nQNAP further told us that their Product Security Incident Response Team (PSIRT) is investigating the attack vectors now\r\nand that owners should follow these steps to protect their data and NAS.\r\nWith QNAP owners being targeted by ongoing attacks from two other ransomware families known\r\nas Qlocker and eCh0raix, all owners should follow these steps to prevent future attacks.\r\nBleepingComputer has created a DeadBolt ransomware support topic that can be used to discuss the attacks and potentially\r\nreceive help from other QNAP owners.\r\nAttackers demand 50 bitcoin for master key\r\nOn the main ransom note screen, there is a link titled \"important message for QNAP,\" that when clicked, will display a\r\nmessage from the DeadBolt gang specifically for QNAP.\r\nOn this screen, the DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays\r\nthem 5 Bitcoins worth $184,000.\r\nThey are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.\r\n\"Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,\" the threat actors wrote in a\r\nmessage to QNAP.\r\n\"You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files.\r\nAdditionally, we will also send you 
all details about the zero-day vulnerability to security@qnap.com.\"\r\nMessage from threat actors for QNAP\r\nSource: Twitter\r\nThe ransomware gang further states that there is no way to contact them other than through Bitcoin payments.\r\nThis method of communication is a very different approach than other ransomware attacks that usually provide some form\r\nof communication, whether through a dedicated Tor website, email, or messaging platforms.\r\nQNAP force updates to\r\nOn January 26th, QNAP began force-updating customers' NAS devices to firmware version 5.0.0.1891, which is the latest\r\nuniversal firmware released on December 23rd, 2021.\r\nQNAP told BleepingComputer that they force-installed this update as they believe the threat actors are using a remote code\r\nexecution vulnerability fixed in the 5.0.0.1891 firmware version.\r\nHowever, a customer posted to the QNAP forum stating that they were encrypted even when they had this firmware version\r\ninstalled, indicating that the threat actors are likely exploiting a different vulnerability.\r\n\"Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3,\" the NAS owner posted to the\r\nQNAP forums.\r\nAfter asking for a comment on this, QNAP conceded that it could be another vulnerability exploited by the threat actors.\r\n\"All the information we have shows DEADBOLT could be prevented with the build. Theoretically, we cannot exclude the\r\npossibility that there is the other vulnerability exploited. 
We are also interested in the user's observation,\" QNAP told\r\nBleepingComputer.\r\n\"If possible, we would suggest users with similar situation could submit a ticket to Technical Support.\"\r\nQNAP also told BleepingComputer that the update should only have been installed by those with the 'Recommended\r\nversion' setting enabled in the Auto Updates settings, as shown below.\r\nQNAP auto update settings\r\nQNAP asks customers to contact technical support if they are still receiving updates with that setting unchecked.\r\nDeadBolt technical details\r\nWhen a QNAP NAS device is compromised, the threat actors will install the DeadBolt malware executable as a randomly\r\nnamed file in the /mnt/HDA_ROOT/ folder. For example, the DeadBolt ransomware executable could be located at\r\n/mnt/HDA_ROOT/27855.\r\nRansomware expert Michael Gillespie told BleepingComputer that ransomware is initially launched with a config file,\r\nwhich likely contains various data, including an encryption key used to encrypt files.\r\nThe initial command to encrypt files is:\r\n[random_file_name] -e [config] /share\r\nThe /share folder is where QNAP NAS devices store user folders and files.\r\nWhen encrypting files, the ransomware will only target files with the following file extensions:\r\n.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accdc, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .a\r\nGillespie says the files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.\r\nFor example, test.jpg will be encrypted and renamed to test.jpg.deadbolt.\r\nDeadBolt will also replace the /home/httpd/index.html file so that when victims access the device, they will see the ransom\r\nscreen demanding a ransom of 0.03 bitcoins to a specified bitcoin address.\r\nIf a ransom is paid, the threat actors will create a bitcoin transaction to the same bitcoin ransom address that contains the\r\ndecryption key for the victim. 
The decryption key is located under the OP_RETURN output, as shown below.\r\nBitcoin transaction's OP_RETURN output containing decryption key\r\nSource: BleepingComputer\r\nWhen you enter this key into the ransom note screen, the web page will convert it into a SHA256 hash and compare it to the\r\nSHA256 hash of the victim's decryption key and the SHA256 hash of the master decryption key.\r\nThe SHA256 hash for the master decryption key\r\nis 93f21756aeeb5a9547cc62dea8d58581b0da4f23286f14d10559e6f89b078052.\r\nIf the decryption key matches either SHA256 hash, it will decrypt the files using the following command:\r\n/mnt/HDA_ROOT/[encryptor_name] -d \"[decryption_key]\" /share\r\nMultiple victims have reported paying the ransom and receiving a decryption key that has successfully decrypted their files.\r\nHowever, QNAP's forced firmware updates are causing the executable and index.html ransom screen to be deleted from the\r\ndevice, which prevents the decryption of files.\r\nGillespie has created a free Windows decryptor that can be downloaded from Emsisoft and decrypt files without needing the\r\nransomware executable. However, users will still need a valid decryption key, which QNAP owners can only obtain at this\r\ntime by paying a ransom.\r\nUpdate: Added further information on how the decryption key will be retrieved.\r\nUpdate 1/26/22: Added further information from QNAP\r\nUpdate 1/28/22: Added technical details, information on exploited vulnerabilities, and number of victims.\r\n
Source: https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/"
	],
	"report_names": [
		"new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key"
	],
	"threat_actors": [],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/322e7dd1285f948963c16116903448c2b23566b1.pdf",
		"text": "https://archive.orkl.eu/322e7dd1285f948963c16116903448c2b23566b1.txt",
		"img": "https://archive.orkl.eu/322e7dd1285f948963c16116903448c2b23566b1.jpg"
	}
}