What is DeadBolt Ransomware
DeadBolt is a ransomware virus that hacks QNAP and NAS devices using vulnerability issues to encrypt the stored data. It happens immediately not letting users prevent the process and save their files from strong encryption. Once distributed, the virus hijacks the QNAP login screen to feature a ransom note demanding victims to pay for decryption. This blocks infected users from going anywhere beyond the logging screen to access their admin page, for instance. Though, QNAP noted this can be bypassed by using the following URLs – http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. In addition, all ransom note pop-ups are also contained within a single HTML file called index.html_deadlock.txt. DeadBolt also assigns the new .deadbolt extension to all data impacted within a system. To illustrate, a file like
1.pdf will change to
1.pdf.deadbolt becoming fully inaccessible. The same will happen to all files encrypted by DeadBolt Ransomware. You can expand the list of all file extensions targetted by this ransomware variant:
WARNING: YOUR FILES HAVE BEEN LOCKED BY DEADBOLT
All your files have been encrypted. This includes (but is not limited to) Photos, Documents and Spreadsheets.
This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP).
You can make a payment of (exactly) 0.030000 bitcoin to the following address: bc1qcdve3qn83g44gwrmqsces3rh2r6qm93j9jcul
Once the payment has been made we'll follow up with a transaction to the same address, this transaction will include the decryption key as part of the transaction details. [-more information] You can enter the decryption key below to start the decryption process and get access to all your files again.
important message for QNAP
Enter your decryption key here..
Frauds behind the ransomware attack blackmail their victims into paying a 0.03 (about 1136$) Bitcoin ransom. The payment has to be sent to the attached crypto address. Once done, victims will receive a message with their key that has to be copy-paste into a dedicated field inside of the ransom note displayed at the QNAP screen. Many users reported they received the necessary decryption key that successfully unlocked their data after paying the ransom. Note that decryption keys are unique to each victim meaning there is no way to access your data using a key of another victim. It is also less likely to handle successful manual decryption without cybercriminals. The ransomware ciphers are hard to decode since they are generated uniquely and stored on external servers. A better scenario, if you want to avoid paying the ransom, would be to delete the virus and restore your data using backup copies. Otherwise, decryption options might be limited only to retrieving the key from threat actors. DeadBolt Ransomware is new and keeps encryption more people each day. You can track updates related to this infection and possible recovery methods on this forum page. Our guide below will show you working removal instructions and third-party ways of recovering data.
How DeadBolt Ransomware infected your computer
As mentioned above, DeadBolt exploits vulnerabilities in the security of QNAP and NAS devices. The virus places its malicious executable to initiate the encryption process. It is also used to start the decryption of files once victims insert their retrieved key. You can confirm if DeadBolt attacked your system due to vulnerability issues by accessing QNAP command line history and checking if there is something similar to [random_file_name] -e. Even if you are unable to access the command history, it is still more likely you got infected due to the same security reason. The QNAP team is making everything sure this issue is fixed and no longer tempts cybercriminals into abusing it for the distribution of malware. Although this is the only justified way of how DeadBolt could spread into your system, there are many other channels abused by similar infections – trojans, backdoors, keyloggers, fake software cracking tools, forged updates/software installers, malicious e-mail attachments, and other compromised vectors like these. Unfortunately, DeadBolt Ransomware is one of those cases when system protection does not depend solely on you. Either way, we still advise you to read our guide below and learn more tips for protection against such threats in the future.
- Download DeadBolt Ransomware Removal Tool
- Get decryption tool for .deadbolt files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like DeadBolt Ransomware
Download Removal Tool
To remove DeadBolt Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of DeadBolt Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove DeadBolt Ransomware completely, we recommend you to use Combo Cleaner from RCS LT. It detects and removes all files, folders, and registry keys of DeadBolt Ransomware and prevents future infections by similar viruses.
DeadBolt Ransomware files:
DeadBolt Ransomware registry keys:
How to decrypt and restore .deadbolt files
Use automated decryptors
Download EmsiSoft Decryptor for DeadBolt
IMPORTANT: Read this detailed guide on using EmsiSoft Decryptor for DeadBolt to avoid file corruption and time wasting.
Use following tool from EmsiSoft called Decryptor for DeadBolt, that can decrypt .deadbolt files. Download it here:
There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .deadbolt files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with DeadBolt Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .deadbolt files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like DeadBolt Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. DeadBolt Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.