Qnap Deadbolt

DeadBolt ransomware attacks

Censys discovered that a number of QNAP devices globally were infected by DeadBolt ransomware in January.
  • Around 5,000 exposed QNAP NAS devices—out of 130,000 exposed—were targeted by ransomware.
  • QNAP enacted a forced firmware update in February, which gave rise to a new set of issues.
  • In recent, experts have noted a rise in the number of infections in the last few days.
  • They reported 1,146 hacked devices on March 19, and the number increased up to nearly 1,500 on March 22.
  • Most of the devices were identified running the QNAP QTS Linux kernel version 5.10.60.
Besides, the Taiwanese manufacturer has warned against a severe bug, Dirty Pipe, in the Linux kernel.
  • Most QNAP NAS appliances are exposed to the Dirty Pipe (CVE-2022-0847) flaw. The flaw exists in all major distros that may lead to root access with local access.
  • The local privilege escalation vulnerability affects the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x. If exploited, an attacker may inject malicious code.
  • Further, the Dirty Pipe vulnerability doesn’t just impact Linux machines. Since Android OS is based on the Linux kernel, any device running version 5.8 or later is vulnerable.
At present, there are no mitigations available for this bug.


DeadBolt ransomware attacks are still ongoing and QNAP NAS users should update their systems as soon as possible. As for the Dirty Pipe flaw, experts suggest using granular privilege management. Further, implement multi-factor authentication to avoid falling prey to attacks.