What is DeadBolt Ransomware

DeadBolt is a ransomware virus that hacks QNAP and NAS devices using vulnerability issues to encrypt the stored data. It happens immediately not letting users prevent the process and save their files from strong encryption. Once distributed, the virus hijacks the QNAP login screen to feature a ransom note demanding victims to pay for decryption. This blocks infected users from going anywhere beyond the logging screen to access their admin page, for instance. Though, QNAP noted this can be bypassed by using the following URLs – http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. In addition, all ransom note pop-ups are also contained within a single HTML file called index.html_deadlock.txt. DeadBolt also assigns the new .deadbolt extension to all data impacted within a system. To illustrate, a file like 1.pdf will change to 1.pdf.deadbolt becoming fully inaccessible. The same will happen to all files encrypted by DeadBolt Ransomware. You can expand the list of all file extensions targetted by this ransomware variant:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accdc, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avhd, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkf, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfp, .cgm, .cib, .class, .cls, .cmt, .conf, .cpi, .cpp, .cr2, .craw, .crl, .crt, .crw, .csh, .csl, .csr, .csv, .dac, .dat, .db3, .db4, .db_journal, .dbc, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dev, .dgc, .disk, .djvu, .dng, .doc, .docm, .docx, .dot, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gdb, .git, .gray, .grey, .gry, .hbk, .hdd, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iso, .jar, .java, .jpe, .jpeg, .jpg, .jrs, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .mail, .max, .mdb, .mdbx, .mdc, .mdf, .mef, .mfw, .mkv, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msi, .myd, .ndd, .nef, .nk2, .nop, .nrg, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nsn, .nwb, .nx2, .nxl, .nyf, .obj, .oda, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .ova, .ovf, .p12, .p7b, .p7c, .p7r, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pio, .piz, .plc, .pmf, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps1, .psafe3, .psd, .pspimage, .pst, .ptx, .pvi, .pvk, .pyc, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdb, .sdf, .sl3, .sldm, .sldx, .spc, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tex, .tga, .thm, .tiff, .tlg, .txt, .vbk, .vbm, .vbox, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmem, .vmfx, .vmsd, .vmx, .vmxf, .vob, .vsd, .vsdx, .vsv, .wallet, .wav, .wb2, .wdb, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xvd, .ycbcra, .yuv, .zip
Show more
Show less
index.html_deadlock.txt
WARNING: YOUR FILES HAVE BEEN LOCKED BY DEADBOLT
What happened?
All your files have been encrypted. This includes (but is not limited to) Photos, Documents and Spreadsheets.
Why Me?
This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP).
What now?
You can make a payment of (exactly) 0.030000 bitcoin to the following address: bc1qcdve3qn83g44gwrmqsces3rh2r6qm93j9jcul
Once the payment has been made we'll follow up with a transaction to the same address, this transaction will include the decryption key as part of the transaction details. [-more information] You can enter the decryption key below to start the decryption process and get access to all your files again.
important message for QNAP
Enter your decryption key here..

Frauds behind the ransomware attack blackmail their victims into paying a 0.03 (about 1136$) Bitcoin ransom. The payment has to be sent to the attached crypto address. Once done, victims will receive a message with their key that has to be copy-paste into a dedicated field inside of the ransom note displayed at the QNAP screen. Many users reported they received the necessary decryption key that successfully unlocked their data after paying the ransom. Note that decryption keys are unique to each victim meaning there is no way to access your data using a key of another victim. It is also less likely to handle successful manual decryption without cybercriminals. The ransomware ciphers are hard to decode since they are generated uniquely and stored on external servers. A better scenario, if you want to avoid paying the ransom, would be to delete the virus and restore your data using backup copies. Otherwise, decryption options might be limited only to retrieving the key from threat actors. DeadBolt Ransomware is new and keeps encryption more people each day. You can track updates related to this infection and possible recovery methods on this forum page. Our guide below will show you working removal instructions and third-party ways of recovering data.

deadbolt ransomware

How DeadBolt Ransomware infected your computer

As mentioned above, DeadBolt exploits vulnerabilities in the security of QNAP and NAS devices. The virus places its malicious executable to initiate the encryption process. It is also used to start the decryption of files once victims insert their retrieved key. You can confirm if DeadBolt attacked your system due to vulnerability issues by accessing QNAP command line history and checking if there is something similar to [random_file_name] -e. Even if you are unable to access the command history, it is still more likely you got infected due to the same security reason. The QNAP team is making everything sure this issue is fixed and no longer tempts cybercriminals into abusing it for the distribution of malware. Although this is the only justified way of how DeadBolt could spread into your system, there are many other channels abused by similar infections – trojans, backdoors, keyloggers, fake software cracking tools, forged updates/software installers, malicious e-mail attachments, and other compromised vectors like these. Unfortunately, DeadBolt Ransomware is one of those cases when system protection does not depend solely on you. Either way, we still advise you to read our guide below and learn more tips for protection against such threats in the future.

  1. Download DeadBolt Ransomware Removal Tool
  2. Get decryption tool for .deadbolt files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like DeadBolt Ransomware

Download Removal Tool

Download Removal Tool

To remove DeadBolt Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of DeadBolt Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.

Alternative Removal Tool

Download Norton Antivirus

To remove DeadBolt Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of DeadBolt Ransomware and prevents future infections by similar viruses.

DeadBolt Ransomware files:


index.html_deadlock.txt
{randomname}.exe

DeadBolt Ransomware registry keys:

no information

How to decrypt and restore .deadbolt files

Use automated decryptors

Download EmsiSoft Decryptor for DeadBolt

IMPORTANT: Read this detailed guide on using EmsiSoft Decryptor for DeadBolt to avoid file corruption and time wasting.

emsisoft decryptor for deadbolt

Use following tool from EmsiSoft called Decryptor for DeadBolt, that can decrypt .deadbolt files. Download it here:

Decryptor for DeadBolt

There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

Dr.Web Rescue Pack

Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .deadbolt files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you are infected with DeadBolt Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Data Recovery Professional to restore .deadbolt files

stellar data recovery professional

  1. Download Stellar Data Recovery Professional.
  2. Click Recover Data button.
  3. Select type of files you want to restore and click Next button.
  4. Choose location where you would like to restore files from and click Scan button.
  5. Preview found files, choose ones you will restore and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses, like DeadBolt Ransomware, in future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

ZoneAlarm Anti-Ransomware Dashboard
ZoneAlarm Anti-Ransomware Alert
ZoneAlarm Anti-Ransomware Blocked

Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.

Download ZoneAlarm Anti-Ransomware

2. Back up your files

idrive backup

As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. DeadBolt Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.

Download MailWasher Pro
Previous articleHow to remove Mynewtabs.com
Next articleHow to remove Elbie Ransomware and decrypt .elbie files
James Kramer
James Kramer
https://www.bugsfighter.com
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here
Facebook Twitter Youtube