Deadbolt
DeadBolt is a ransomware strain known for targeting internet-exposed network-attached storage (NAS) devices, above all QNAP NAS systems; it has also been reported in attacks on ASUSTOR NAS devices. Multiple sources state that DeadBolt exploited vulnerabilities in QNAP NAS hardware and software, including zero-days, to encrypt publicly exposed devices. QNAP has warned customers about DeadBolt repeatedly and has spent more than a year responding to the threat. The malware is one of several ransomware operations historically associated with NAS targeting, alongside Checkmate, Qlocker, and ech0raix. Chainalysis analysis estimated that DeadBolt collected more than $2.3 million in ransom payments during 2022 from roughly 4,923 victims, an average of about $476 per payment. DPRK state-sponsored actors have been observed using or possessing publicly available encryption tools including DeadBolt, but that observation does not attribute DeadBolt itself to the DPRK. DeadBolt is also cited among the prior successful operations supported by Project Melissa, the Dutch public-private collaboration against ransomware. Beyond encryption of internet-exposed NAS devices and exploitation of vulnerable QNAP systems, little behavioral detail is documented with high confidence.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
1 technique
"...a remote attacker can exploit to execute commands via a network."
Persistence
1 technique
Lateral Movement
1 technique
QNAP said it is "urgently" fixing two vulnerabilities that allow hackers to remotely access systems... A malicious actor could use those problems to get full access to a QNAP device.
Impact
1 technique
"...cybercriminals are often looking for new targets to steal and/or encrypt sensitive data... demand a ransom..."
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Ransomware referenced as having previously impacted ASUSTOR NAS devices (used to encrypt/deny access to data and demand payment).
Ransomware used to encrypt Internet-exposed NAS devices in recent attack waves.
Ransomware operation known for targeting QNAP NAS devices for data extortion.
Ransomware used to encrypt QNAP NAS devices, historically exploiting vulnerabilities (including zero-days) to compromise internet-exposed systems and lock data for ransom.
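The Impact entry and the activity notes above describe the observable effect of this family: many files on a NAS share are encrypted in a short burst and the victim is left a ransom demand. The following is an added example, not DeadBolt's code and not a Mallory, QNAP or vendor rule, of a generic heuristic a defender can run over a NAS file-change log to catch that pattern. It assumes (these assumptions are not from the page) that the NAS can export a change log as "<ISO timestamp> <action> <path>" lines, that an encrypting ransomware renames many files to one new extension within minutes, and that it drops a note with a recognisable filename; the sample log, the ".enc" suffix and the note name are constructed for the demonstration.

```python
"""Generic ransomware-impact heuristic over a NAS file-change log.

Added example for this page (not DeadBolt's code and not a vendor rule).
Assumed, not taken from the page: the NAS exports a change log as
"<ISO timestamp> <action> <path>" lines; an encrypting ransomware renames
many files to one new extension in a short window and drops a ransom note.
"""
import os
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Twelve documents gain a new
# ".enc" suffix within twelve seconds, then a note-like file is written.
SAMPLE_LOG = "\n".join(
    ["2022-01-25T09:12:00 WRITE /share/photos/trip/IMG_0001.jpg",
     "2022-01-25T09:12:05 WRITE /share/photos/trip/IMG_0002.jpg"]
    + [f"2022-01-25T10:00:{i:02d} RENAME /share/docs/q1/file{i}.docx.enc"
       for i in range(1, 13)]
    + ["2022-01-25T10:00:20 WRITE /share/docs/HOW_TO_RECOVER_FILES.txt"]
)

# Words that commonly appear in ransom-note filenames (assumed; tune locally).
NOTE_WORDS = ("RECOVER", "DECRYPT", "RESTORE", "README")
NOTE_EXTS = {".txt", ".html", ".hta"}


def parse_log(text):
    """Parse log lines into (timestamp, action, path) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, path = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), action, path))
    events.sort()
    return events


def extension_bursts(events, window=timedelta(minutes=5), threshold=10,
                     baseline_exts=frozenset()):
    """Return {ext: peak_count} for extensions that land on at least
    `threshold` renamed/written files inside any span of length `window`.
    Extensions already present in a baseline inventory are ignored, so a
    bulk copy of ordinary documents does not trip the rule."""
    evs = [e for e in events if e[1] in ("RENAME", "WRITE")]
    counts = Counter()
    peaks = {}
    start = 0
    for ts, _, path in evs:
        ext = os.path.splitext(path)[1].lower()
        counts[ext] += 1
        # Evict events that fell out of the sliding window.
        while evs[start][0] < ts - window:
            counts[os.path.splitext(evs[start][2])[1].lower()] -= 1
            start += 1
        if ext and ext not in baseline_exts and counts[ext] >= threshold:
            peaks[ext] = max(peaks.get(ext, 0), counts[ext])
    return peaks


def ransom_note_candidates(events):
    """Paths of newly written files whose basename looks like a ransom note."""
    hits = []
    for _, action, path in events:
        name, ext = os.path.splitext(os.path.basename(path))
        if (action == "WRITE" and ext.lower() in NOTE_EXTS
                and any(w in name.upper() for w in NOTE_WORDS)):
            hits.append(path)
    return hits


def assess(log_text, baseline_exts=frozenset()):
    """Combine both signals; alert only when they coincide, which keeps a
    lone README or a routine bulk copy from paging anyone."""
    events = parse_log(log_text)
    bursts = extension_bursts(events, baseline_exts=baseline_exts)
    notes = ransom_note_candidates(events)
    return {"bursts": bursts, "notes": notes, "alert": bool(bursts and notes)}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, baseline_exts={".jpg", ".docx", ".txt"}))
```

The two signals are deliberately combined: a burst of one unfamiliar extension alone is how a backup job or archive extraction looks, and a note-like filename alone is how half of every software share looks. Feed the baseline extension set from a periodic inventory of the share so the rule learns what "normal" is, and treat the threshold and window as starting points to tune against your own change-log volume.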