{
	"id": "0adf402c-6456-4667-be0f-fb4286287362",
	"created_at": "2026-04-06T01:29:28.037944Z",
	"updated_at": "2026-04-10T03:21:14.541117Z",
	"deleted_at": null,
	"sha1_hash": "ee32b85d2296da43cfd5f6356695c1fe3a7420ba",
	"title": "Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1074267,
	"plain_text": "Closing the Door: DeadBolt Ransomware Locks Out Vendors With\r\nMultitiered Extortion Scheme\r\nBy Trend Micro\r\nPublished: 2022-06-06 · Archived: 2026-04-06 00:37:00 UTC\r\nBy Stephen Hilt, Éireann Leverett, Fernando Mercês\r\nThe DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached\r\nStorage (NAS) devices. It was first seen targeting QNAP Systems, Inc. in January 2022. According to a report from\r\nattack surface solutions provider Censys.io, as of Jan. 26, 2022, out of 130,000 QNAP NAS devices that were\r\npotential targets, 4,988 services showed signs of a DeadBolt infection. A few weeks later, ASUSTOR, another NAS\r\ndevice and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an\r\nunknown number of its devices. In March, DeadBolt attackers once again targeted QNAP devices; according to\r\nCensys.io, the number of infections reached 1,146 by March 19, 2022. Most recently, on May 19, 2022, QNAP\r\nreleased a product security update stating that internet-connected QNAP devices were once again being\r\ntargeted by DeadBolt, this time aiming at NAS devices running QTS 4.3.6 and QTS 4.4.1.\r\nIt’s interesting to note that the number of DeadBolt-infected devices is considerably high for a ransomware family that\r\nexclusively targets NAS devices. Earlier in 2022, we discussed the evolving landscape of attacks waged on the\r\ninternet of things (IoT) and how cybercriminals have added NAS devices to their list of targeted devices. 
Our\r\nreport detailed the ransomware families that cybercriminals used to target NAS devices, which include\r\nQlocker, eCh0raix, and even bigger ransomware families such as REvil (aka\r\nSodinokibi).\r\nDeadBolt is peculiar not only for the scale of its attacks but also for several advanced tactics and techniques that its\r\nmalicious actors have implemented, such as giving multiple payment options, one for the user and two for the vendor.\r\nHowever, based on our analysis, we did not find any evidence that the options provided to the vendor can work,\r\nbecause of the way the files are encrypted. Essentially, this means that if vendors pay any of the ransom amounts\r\nprovided to them, they will not be able to get a master key to unlock all the files on behalf of affected users.\r\nConsider this example to understand this particular DeadBolt tactic: A crime group changes every lock in an entire\r\napartment complex. The group then informs the apartment complex owner that they can give the apartment complex\r\nowner a master key that would allow the owner to successfully unlock all the apartment doors for his tenants if he pays\r\nthem a certain amount. But in reality, the locks that the crime group installed are not master-keyed locks, making it\r\nimpossible for the apartment complex owner to open the locks with one master key.\r\nNAS devices typically contain sensitive files for both personal users and organizations. And the never-before-seen\r\nvolume of NAS devices that this ransomware family has infected in a short period has led us to an investigation of\r\nDeadBolt. In this report, we investigate the reasons that the DeadBolt ransomware family is more problematic for its\r\nvictims than other ransomware families that previously targeted NAS devices. 
We also used pertinent data to check if\r\nany user or vendor paid ransom, and how much the ransomware actors made from these attacks.\r\nhttps://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html\r\nPage 1 of 14\n\nResearch highlights\r\nThe DeadBolt ransomware family targets QNAP and Asustor NAS devices.\r\nThis ransomware uses a configuration file that will dynamically choose specific settings based on the vendor\r\nthat it targets, making it scalable and easily adaptable to new campaigns and vendors.\r\nDeadBolt offers two different payment schemes: either a victim pays for a decryption key, or the vendor pays\r\nfor a decryption master key that would theoretically work to decrypt data for all victims. However, as of this\r\nwriting, we have yet to find evidence that decryption via a master key is possible.\r\nNo more than 8% of DeadBolt victims paid the ransom amount.\r\nBased on our analysis, DeadBolt actors have notable web and operating system development skills.\r\nTechnical analysis\r\nOn the technical side, DeadBolt is reasonably interesting: It combines both encryption and decryption functionalities\r\nin a single executable that parses a JSON-based configuration file that includes ransom prices and contact details. It\r\nalso creates a nicely formatted webpage so that victims can have easy access to the ransom message and instructions.\r\nDeadBolt samples are 64-bit Linux Executable and Linkable Format (ELF) files that have been compiled using the Go\r\nprogramming language. The malware is meant to be run manually by an attacker, or at least in a post-compromised\r\nenvironment. 
If one tries to execute a DeadBolt sample in a new, uncompromised environment, it just tells the user\r\nhow to use it and then exits:\r\n$ ./444\r\nencrypt usage: ./444 -e \u003cconfig\u003e \u003cdir\u003e\r\ndecrypt usage: ./444 -d \u003ckey\u003e \u003cdir\u003e\r\nThe two supported operation modes are encrypt (-e) and decrypt (-d). For encrypting, DeadBolt expects a JSON\r\nconfiguration file that we have yet to find in the wild. However, by reversing the binary, we can infer a valid\r\nconfiguration file expected to be passed as an argument to the DeadBolt main executable:\r\n{\r\n\"key\": \"5da2297bad6924526e48e00dbfc3c27a\",\r\n\"cgi_path\": \"./cgi.sh\",\r\n\"client_id\": \"fb2e2de57fb405512f539a1c302e2b4f\",\r\n\"vendor_name\": \"Testing Vendor\",\r\n\"vendor_email\": \"contact@testingvendor\",\r\n\"vendor_amount\": \"0.5\",\r\n\"payment_amount\": \"0.1\",\r\n\"vendor_address\": \"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\",\r\n\"master_key_hash\": \"2dab7013f332b465b23e912d90d84c166aefbf60689242166e399d7add1c0189\",\r\n\"payment_address\": \"1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX\",\r\n\"vendor_amount_full\": \"1.0\"\r\n}\r\nThe parameters are explained as follows:\r\nParameter name Description\r\ncgi_path The path where a Bash Common Gateway Interface (CGI) script will be written. This script is later used to replace a legitimate script used in the device administration web interface.\r\nclient_id This ID will be added to the encrypted files.\r\nkey A 128-bit Advanced Encryption Standard (AES) key used for encrypting individual files\r\nmaster_key_hash The SHA-256 hash of the master key\r\npayment_amount The ransom amount that the victim would need to pay to get a decryption key\r\npayment_address A Bitcoin wallet ID that the victim will use to pay the ransom amount\r\nvendor_amount The ransom amount that the actors will try to charge the vendor for disclosing vulnerability details\r\nvendor_amount_full The ransom amount that a vendor would need to pay to get the decryption master key and vulnerability details\r\nvendor_address A Bitcoin wallet ID that the vendor will use to pay the ransom amount\r\nvendor_name Should contain the vendor name of the victim’s device, such as QNAP\r\nvendor_email Contains the vendor’s email address\r\nBesides a valid JSON configuration file, the DeadBolt executable expects to receive a directory to start encrypting or\r\ndecrypting files. This is the first point in our analysis where DeadBolt differs from other\r\nNAS ransomware families before it: It has an amount that the vendor, such as ASUSTOR or QNAP, could\r\ntheoretically pay to get all of the victims' information back. Additionally, this is one of the first times that we have seen\r\ntwo ransoms in one attack — one for the victims so that they can regain access to their files and data and one for the\r\nNAS vendor. This two-pronged ransom demand tactic could also be highly effective in the case of a service provider\r\nin a supply chain compromise. In fact, the REvil group implemented a similar approach in its attack on Kaseya, in\r\nwhich an intrusion set that Trend Micro dubbed “Water Mare” was deployed. The approach involves an\r\nattacker taking over a software company and then pushing out a backdoored software update that installs embedded\r\nmalware. The victims can choose to pay the ransom amount themselves, but they are also more likely to put pressure\r\non the vendor to pay the ransom on their behalf.\r\nDeadBolt actors demand that individual victims pay 0.03 bitcoin (US$1,159.56 as of this publishing) to get their data\r\nback, which is quite a lot of money to demand for encrypted NAS devices. 
Meanwhile, the vendors are given two\r\nransom payout options: one is for just the information about the exploit, with the ransom demand starting at 5 bitcoins\r\n(US$193,259.50 as of this publishing), while the other is for the exploit information and the master decryption key,\r\nwith a ransom demand of 50 bitcoins (US$1,932,595.00 as of this publishing).\r\nWe ran a test to see if DeadBolt can encrypt test files in a $HOME/test folder:\r\n$ mkdir test\r\n$ cp /bin/ls test/document.docx\r\n$ cp /bin/top test/spreadsheet.xls\r\nEntropy is a numeric measure of randomness: the higher the value, the more random the data. An entropy\r\nvalue greater than 7.0 often indicates that a file is encrypted or compressed, or packed if the file is an executable.\r\nMeasuring the entropy of a file is therefore a simple test to confirm that the\r\nransomware is actually encrypting files. Here is an example that shows the entropy of some test files:\r\n$ entropy test/*\r\n5.85 test/document.docx\r\n5.83 test/spreadsheet.xls\r\nAfter providing the JSON configuration file and running DeadBolt on the test files, the files were encrypted, a\r\n.deadbolt extension was appended to them, and a ransom note was created:\r\n$ ./444 -e deadbolt.json test/\r\ndone\r\n$ ls test/\r\ndocument.docx.deadbolt  '!!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt'  \r\nspreadsheet.xls.deadbolt\r\n$ entropy test/*deadbolt\r\n8.00 test/document.docx.deadbolt\r\n8.00 test/spreadsheet.xls.deadbolt\r\nAfter we ran DeadBolt on our test files, the entropy values increased from 5.8 to 8.0.\r\nEncryption\r\nDeadBolt uses AES-128-CBC to encrypt files with a provided key from the configuration file. 
After encrypting the\r\nfile’s content, it appends the following data to the encrypted file in binary format:\r\nA “DeadBolt” string\r\nThe original file size\r\nA 16-byte client (victim) ID\r\nThe AES initialization vector (IV) that is different for each file\r\nThe SHA-256 of the AES 128-bit key\r\nThe SHA-256 of the “master” key\r\n16 null-bytes\r\nFigure 1. An example of a DeadBolt-encrypted file in binary\r\nRansom Note\r\nA file named “!!!_IMPORTANT_README_WHERE_ARE_MY_FILES_!!!.txt” is created on the infected device’s\r\ntarget root directory. A ransom note is also shown when victims try to access the web administration page of their NAS\r\ndevices. This is because DeadBolt replaces the legitimate CGI script to show this ransomware page. It is important to\r\npoint out here that the prices, vendor names, and contact information were all manually crafted in our JSON\r\nconfiguration file, and such values do not reflect the actual values that DeadBolt victims will see in their systems:\r\nFigure 2. The DeadBolt ransom note that appears onscreen when victims try to access the web\r\nadministration page of their NAS devices\r\nThe links included in the ransom note open the following pop-up pages:\r\nFigure 3. A pop-up message that provides more information about DeadBolt’s decryption key\r\nFigure 4. A pop-up message for the NAS device vendor.\r\nDecryption\r\nWe verified that the decryption can be done with the correct key that was provided via the JSON file when the\r\nransomware executable is run. 
Additionally, the previously shown web page has a feature that calls the ransomware\r\nexecutable by passing the provided key to it:\r\nFigure 5. Code that shows how the ransomware executable is called using the correct key\r\nBy using the correct key, victims can decrypt their files using the infected device’s web user interface (UI):\r\nFigure 6. DeadBolt victims can decrypt data on the DeadBolt web UI by entering the correct key.\r\nThis is another example of how much effort DeadBolt actors have put into the development of this ransomware family.\r\nWhile other ransomware families use hard-to-follow steps that victims would need to take to get their data back,\r\nDeadBolt creators built a web UI that can decrypt victim data after the ransom is paid and a decryption key is provided.\r\nThe OP_RETURN field of the blockchain transaction automatically provides the decryption key to the victim once the\r\nransomware payment is made. This process is unusual in that victims do not need to contact the ransomware actors\r\n— in fact, there is no way of doing so. Other ransomware families (such as CTB-Locker) have previously used this\r\ntechnique in their campaigns.\r\nIt should be noted that we were not able to verify how the alleged master key decryption works. In our tests, we found\r\nno evidence that such a decryption is even possible for files encrypted by DeadBolt. This is because AES is a\r\nsymmetric encryption scheme and we have not seen any other data being added to the encrypted files. 
Notably, the\r\n“master key” supplied via the configuration file is never used in the encryption process.\r\nDeadBolt over time\r\nCensys stated that they originally saw almost 5,000 infected services from DeadBolt. We looked into this data and saw\r\nthat the number of infected DeadBolt systems has been decreasing. According to our data, the highest number of\r\ninfections was in March 2022. However, we observed that some systems replied with multiple HTTP titles. Because the HTTP\r\ntitle is what indicates a ransomware infection, more than one infection can be counted per device. For example, if a NAS device\r\nhas both HTTP port 80 and HTTPS port 443 open, this single device would count as two infections.\r\nFigure 7. The total number of DeadBolt-infected services between January 1, 2022 and April 30, 2022\r\nbased on our telemetry\r\nAs we kept looking into the data, although both QNAP and ASUSTOR were targeted by DeadBolt, we found that most\r\nof the infections were on QNAP devices. Only around 350 ASUSTOR devices were infected\r\nat the peak of the infections, and this number had gone down to 95 ASUSTOR internet-connected devices that\r\nare currently infected by DeadBolt. It’s worth remembering that a NAS infection does not equate to an endpoint\r\ninfection. NAS devices frequently hold significant amounts of storage for their users, much of which might not be\r\nrecoverable in the event of an attack.\r\nFigure 8. The number of DeadBolt infections by vendor SSL certificate from Jan. 1, 2022, to April 30,\r\n2022\r\nEven with at least 2,300 infected QNAP and ASUSTOR devices that are still connected to the internet, it should be\r\nnoted that the number of infected devices is going down. 
This is probably because users are either taking their systems\r\noffline or are paying the ransom amount to get their files back. However, with an increasing number of ransomware\r\nfamilies being used to attack NAS devices, the number of NAS devices exposed to the internet is becoming even more\r\nalarming. At the time of this writing, we found that there are over 2,500 ASUSTOR and over 83,000 QNAP internet-exposed services.\r\nWhat can the economics and statistics tell us?\r\nOne unique facet of DeadBolt operations is that when victims pay the ransom, the decryption information is\r\nautomatically put into the blockchain as part of the OP_RETURN section of a transaction. This is interesting because\r\nit allows us to see exactly when and for how much these payments were made.\r\nFor example, we observed DeadBolt actors charging 0.03 bitcoins for individual keys, 5 or 7.5 bitcoins for giving out\r\nvulnerability details, and 50 bitcoins for full vulnerability information and the master key. We also observed that,\r\nunlike the more targeted business model of “big-game hunting” that most well-known ransomware families use,\r\nnegotiating a ransom amount is not possible with DeadBolt. This is typical of volume-focused\r\nransomware because it’s simply not economical to directly interact with many victims. While the economics might be\r\na bit dry, the amounts are worth detailing because they give us an idea of how these groups operate.\r\nThe fact that the price of 50 bitcoins (around US$1.9 million as of this publishing) is listed shows us the price that the\r\nransomware group is aiming to obtain for this operation. This reveals that they never expected to make the US$4.4\r\nmillion maximum amount that Censys projected. 
Let’s take that logic a bit further and analyze DeadBolt’s success in\r\npure business terms.\r\n1,900,000 ÷ 4,400,000 = 0.43\r\nNote: This percentage was calculated using the bitcoin to US dollar rate at the time of DeadBolt’s peak in January.\r\nIt therefore appears that DeadBolt actors would have been more than happy if 43% of their victims paid ransom — or\r\nthey never expected more than 40% of their victims to pay. In reality, only 8% of victims have paid to date. Based on\r\nour analysis, victims who paid DeadBolt’s ransom did so within the first 20 days, and the number of victims who paid\r\nthe ransom tapered off during the last 80 days. This data shows that the chance of people paying ransom decreases\r\nover time, so it is increasingly unlikely that more DeadBolt victims will pay the ransom amount after a certain period.\r\nFigure 9. DeadBolt ransom payment proportion curve over time\r\nThe dark blue line in the survival analysis in Figure 8 shows the date range when victims paid the ransom amount. In\r\nthis analysis, the victims that do not pay the ransom amount are referred to as survivors, while those who do are\r\nreferred to as terminal. This analysis allows us to better understand the science of ransomware and ransom payout\r\nprevention.\r\nWe can go further and say that for about 5 to 7.5 bitcoins (roughly US$200,000 to US$300,000 as of this publishing),\r\nthey would be willing to give away their methods — we are, however, only taking them at their word, which\r\nadmittedly is on the charitable side. On the other hand, the charitable assumption on our end allows for this analysis.\r\nIt’s also possible that DeadBolt actors think that a conversion ratio of 6% (300,000 divided by 4,400,000) is substantial\r\nenough to cash out. 
They obviously know a lot more about payment ratios than we do, because they eventually topped\r\nout at 8%.\r\nIt’s also clear that they knew in advance that US$300,000 would have been a good, low-risk deal. That in turn suggests\r\nthat the entire operation cost them less than US$150,000, otherwise their profit margins would be undesirable.\r\nHowever, it’s worth noting that the fact that 92% of victims have chosen not to pay ransom is an enormous success in\r\ncybersecurity — one that we often choose to ignore; instead, we tend to focus on how much ransomware actors have\r\nearned in their attacks.\r\nLet’s try to understand the economic damage that DeadBolt has caused as best as we can. Presumably, for those who\r\npaid ransom, their financial losses would have been greater than 0.03 bitcoins (roughly US$1,000 at the time of\r\npublishing). For those who didn’t pay ransom, we can reasonably assume that their losses were lower, between zero and\r\nUS$1,000. We can simplify the matter and suggest that their financial losses could be US$500 on average.\r\n(0.08 × 4,988 × 1,000) + (0.92 × 4,988 × 500) = 2,693,520\r\nBased on this calculation, DeadBolt caused about US$2,693,520 worth of economic damage to earn US$300,000. It’s\r\nalso interesting to think that the US$300,000 amount that they are asking for in exchange for the vulnerability details\r\nwould probably be split among multiple members of the DeadBolt operation. Based on these numbers, DeadBolt\r\nactors are running the risk of incarceration for demanding millions of dollars from their victims, for a chance to earn\r\nonly thousands, which doesn’t seem to be a sensible risk quantification.\r\nIs it about the money, therefore, or about the damage caused? Are DeadBolt actors punishing society at large or just\r\nspecific vendors? 
Or does this represent a refined business model that focuses on automation and volume, along with a\r\nchance to get a large single payout from affected vendors? These are some of the questions that we are left with after\r\ninvestigating ransomware groups such as DeadBolt.\r\nSecurity recommendations\r\nUsers and organizations can keep their NAS devices secure by implementing the following security recommendations:\r\nRegularly update your NAS devices. Make sure that the latest patches have been installed as soon as they are\r\navailable.\r\nKeep NAS devices offline. If you need to access your NAS device remotely, do it securely by using\r\neither your NAS vendor’s remote access service (which most major NAS vendors offer) or a virtual\r\nprivate network (VPN) solution.\r\nUse a strong password and two-factor authentication (2FA). Do not use weak passwords or default\r\ncredentials. If your NAS device supports 2FA, enable it to add an extra layer of protection against brute force\r\nattacks.\r\nKeep your connection and ports secure. Keep incoming and outgoing traffic secure by enabling HTTPS\r\ninstead of HTTP. Remember to close all unused communication ports and change default ports.\r\nShut down or uninstall unused and out-of-date services. Remove unused or out-of-date services to reduce\r\nthe risk of NAS device compromise.\r\nConclusion\r\nOverall, the total ransom amount that was paid was low in comparison to the number of infected devices, which led us\r\nto the conclusion that most people didn’t pay the ransom. It’s also worth pointing out that DeadBolt’s ransom amount\r\ncosts more than the price of a brand-new NAS device, which is possibly why the majority of its victims were not willing\r\nto pay to keep their data. Presumably, if the cost were higher, even fewer victims would be likely to pay. 
The goal\r\nof DeadBolt actors is to infect as many victims as possible to get a decent aggregate payout, or to get a vendor to pay one of the\r\nvendor ransom options for a substantial single payout.\r\nEven though the vendor master decryption key did not work in DeadBolt’s campaigns, the concept of holding both the\r\nvictim and the vendor to ransom is an interesting approach. It’s possible that this approach will be used in future attacks,\r\nespecially since this tactic requires a low amount of effort on the part of a ransomware group.\r\nDeadBolt represents several innovations in the ransomware world: It targets NAS devices, has a multitiered payment\r\nand extortion scheme, and has a flexible configuration. But perhaps its main contribution to the ransomware\r\necosystem will be the legacy of its heavily automated approach. There is a lot of attention on ransomware families that\r\nfocus on big-game hunting and one-off payments, but it’s also important to keep in mind that ransomware families that\r\nfocus on spray-and-pray types of attacks such as DeadBolt can also cause a lot of damage to end users and vendors.\r\nIndicators of compromise (IOCs)\r\nSHA-256 Detection\r\n3c4af1963fc96856a77dbaba94e6fd5e13c938e2de3e97bdd76e1fca6a7ccb24 Ransom.Linux.DEADBOLT.YXCEP\r\n80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c Ransom.Linux.DEADBOLT.YXCEP\r\ne16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77 Ransom.Linux.DEADBOLT.YXCEP\r\nacb3522feccc666e620a642cadd4657fdb4e9f0f8f32462933e6c447376c2178 Ransom.Linux.DEADBOLT.YXCEP\r\n14a13534d21d9f85a21763b0e0e86657ed69b230a47e15efc76c8a19631a8d04 Ransom.Linux.DEADBOLT.YXCEP\r\n444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf Ransom.Linux.DEADBOLT.YXCEP\r\nYara rules\r\nrule deadbolt_cgi_ransomnote : ransomware {\r\nmeta:\r\ndescription = \"Looks for CGI shell scripts created by DeadBolt\"\r\nauthor = \"Trend Micro Research\"\r\ndate = \"2022-03-25\"\r\nhash = 
\"4f0063bbe2e6ac096cb694a986f4369156596f0d0f63cbb5127e540feca33f68\"\r\nhash = \"81f8d58931c4ecf7f0d1b02ed3f9ad0a57a0c88fb959c3c18c147b209d352ff1\"\r\nhash = \"3058863a5a169054933f49d8fe890aa80e134f0febc912f80fc0f94578ae1bcb\"\r\nhash = \"e0580f6642e93f9c476e7324d17d2f99a6989e62e67ae140f7c294056c55ad27\"\r\nstrings:\r\n$= \"ACTION=$(get_value \\\"$DATA\\\" \\\"action\\\")\"\r\n$= \"invalid key len\"\r\n$= \"correct master key\"\r\n$= \"'{\\\"status\\\":\\\"finished\\\"}'\"\r\n$= \"base64 -d 2\u003e/dev/null\"\r\ncondition:\r\nuint32be(0) != 0x7F454C46 // We are not interested in ELF files here\r\nand all of them\r\n}\r\nimport \"elf\"\r\nrule deadbolt_uncompressed : ransomware {\r\nmeta:\r\ndescription = \"Looks for configuration fields in the JSON parsing code\"\r\nauthor = \"Trend Micro Research\"\r\ndate = \"2022-03-23\"\r\nhash = \"444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf\"\r\nhash = \"80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c\"\r\nhash = \"e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77\"\r\nstrings:\r\n$= \"json:\\\"key\\\"\"\r\n$= \"json:\\\"cgi_path\\\"\"\r\n$= \"json:\\\"client_id\\\"\"\r\n$= \"json:\\\"vendor_name\\\"\"\r\n$= \"json:\\\"vendor_email\\\"\"\r\n$= \"json:\\\"vendor_amount\\\"\"\r\n$= \"json:\\\"payment_amount\\\"\"\r\n$= \"json:\\\"vendor_address\\\"\"\r\n$= \"json:\\\"master_key_hash\\\"\"\r\n$= \"json:\\\"payment_address\\\"\"\r\n$= \"json:\\\"vendor_amount_full\\\"\"\r\ncondition:\r\nelf.type == elf.ET_EXEC\r\nand all of them\r\n}\r\nSource: https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html"
	],
	"report_names": [
		"closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee32b85d2296da43cfd5f6356695c1fe3a7420ba.pdf",
		"text": "https://archive.orkl.eu/ee32b85d2296da43cfd5f6356695c1fe3a7420ba.txt",
		"img": "https://archive.orkl.eu/ee32b85d2296da43cfd5f6356695c1fe3a7420ba.jpg"
	}
}