Skip to content
Make Your Internet Intelligence Blossom | Get 20% off Censys Search Teams or Solo annual plans with code Spring24 by 5/31 | Save Now

Tracking Deadbolt Ransomware Across the Globe

Deadbolt, the ransomware attack that just won’t end, appears to be back for a third round. Our Rapid Response Team has been monitoring the QNAP vulnerability since it first appeared in late January 2022.

A quick refresh on QNAP Deadbolt ransomware

QNAP is a manufacturer of network-attached storage (NAS) devices. In January of this year, a group calling themselves Deadbolt targeted a series of QNAP NAS devices made for consumers and small businesses that run the QNAP QTS (Linux-based) operating system, infecting the devices with ransomware.

Instead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption and vandalizes the web administration interface with an informational message explaining how to remove the infection.

Deadbolt Ransomware warning

Due to how this ransomware communicates with the victim, Censys could easily find infected devices exposed on the public internet via this simple search query. Along with general information about what hosts were infected with Deadbolt, we could also obtain and track every unique bitcoin wallet address used as a ransom drop.

When Censys teamed up with Concinnity Risks, we determined the exact amount of money involved in this attack by tracking the Bitcoin wallet transactions associated with an infection; as of last month, we concluded the following. Note that this does not include the most recent set of infections but gives us good insight into the inner workings of a ransomware campaign.

Deadbolt number of ransoms paid

For more on the original attacks, you can check our posts from January, “The QNapping of QNAP Devices,” and our entry on the resurgence in March, “Deadbolt Ransomware is Back.”

Real-time tracking of Deadbolt

Because of the persistence of this threat, our research team has created a dashboard that tracks the infections of Deadbolt devices using the same data that feeds Censys search.

Censys Deadbolt Ransomware Report

At the time of this writing, on May 20th, Deadbolt infected around 469 devices. In the last seven days (May 11-May 18), most infected devices have been in the United States, followed by Germany and the United Kingdom.

Censys Deadbolt Ransomware Tracker

Digging deeper into the report, we can examine the number of infected devices by country, see detailed information on hosts and see the associated Bitcoin addresses.

Censys Search tracking Deadbolt Ransomware

We’ll continue to monitor NAS devices infected with Deadbolt ransomware. In the meantime, you can start exploring the Censys Deadbolt Ransomware Report below.

Explore the Deadbolt Dashboard


Catch up on the latest Deadbolt news

Tech TargetQNAP devices hit by DeadBolt ransomware again

IT ProQNAP NAS drives targeted by DeadBolt ransomware for the third time this year

The RecordQNAP urges users to update after new Deadbolt ransomware attacks discovered



Special thanks to Eireann Leverett @ Concinnity Risks for providing the BTC transaction info. 

Attack Surface Management Solutions
Learn more