Yes, ransomware is still a thing.
No, not all ransomware attacks unfold in the way you might expect.
Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.
Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.
The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-ike 30% of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.
That’s how most malware attacks happen, anyway.
But regular readers of Naked Security will know that some victims, notably home users and small business, end up getting blackmailed via their NAS, or networked attached storage devices.
Plug-and-play network storage
NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.
No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.
NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.
As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.
Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.
Crooks could not ony run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…
…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.
Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.
The infamous DEADBOLT ransomware
That’s exactly how the infamous DEADBOLT ransomware crooks operate.
They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.
(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)
By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousands dollars to “recover” your data.
After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:
In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.
In fact, you generally never get to interact with them using words at all.
If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.
The arrival of your bitcoins in their wallet serves as your “message” to them.
In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.
The “refund” is a payment worth $0, submitted simply as a way of including a bitcoin transaction comment.
That comment consists of 16 apparently random data bytes, seen encoded as 32 hexadecimal characters in the screenshot below, which constitute the AES decryption key you will use to recover your data:
Source: DEADBOLT ransomware rears its head again, attacks QNAP devices
