Why it matters: Last month, QNAP faced a security crisis when a ransomware group targeted its customers’ network-attached storage (NAS) devices. The company released a security update that fixed the issue. However, for some users, the fix caused unexpected side effects.
The Taiwanese company QNAP Systems had to explain how and why it forced some of its customers to update the software on their NAS systems. While there was a clear need to stop the ransomware that had already infiltrated thousands of QNAP storage systems, many users felt they should have been given a choice, since each user’s situation was different.
The trouble began in January when the Deadbolt ransomware group started infecting QNAP devices. According to Malwarebytes, Deadbolt offered each affected user a decryption key for 0.03 bitcoin (about $1,100). At the same time, the group was also trying to sell QNAP a universal decryption key and details of the zero-day exploit used by Deadbolt for 50 bitcoins (nearly $2 million).
At the end of January, after warning its users, QNAP released an automatic security update that closed the exploited vulnerability. However, it did so in such a way that some users’ systems were updated even though they had turned off automatic updates, which angered quite a few of them.
Some users may have been running important processes that the automatic update could interrupt. Some ransomware victims who had paid the ransom but received the update before decrypting their files could no longer use the keys they had obtained from Deadbolt. Later versions of the QNAP software may also have broken other features.
The forced update was possible because QNAP has two levels of automatic updates: an option to update the system to the latest build, and an option to update to a “recommended version”. The company released the security update by changing which version counted as recommended. Some users who had gone through several system updates in succession had turned off automatic updates to the latest version, but were not aware that automatic updates to the recommended build were still enabled.
This two-tier system is designed to provide flexibility, but tech companies usually respond to issues like this by simply informing users about the security update and strongly recommending that they install it. At the very least, that approach leaves users in control of how and when the software is updated.