Poorly Protected NAS Devices Make Easy Targets for Ransomware Attacks
Hackers go for the low-hanging fruit, and recently they found it on network-attached storage (NAS) devices from at least two manufacturers. Crooks use the easy access to infect QNAP and Synology systems with file-encrypting malware in the hopes of getting paid for the decryption key.
NAS systems are used to store large volumes of data and make it accessible to multiple users, commonly over a local network. In some installations, though, the devices are open on the public web, allowing access to the files to anyone with the correct password. The risk is that hackers can scan the internet for these boxes and try to compromise them.
Attacks with a ransomware strain called eCh0raix started in June, with threat actors searching for targets and trying default credentials or brute-forcing their way into devices with weak login credentials. Since many users delay updating the NAS firmware, another method is to exploit known vulnerabilities.
One victim reported that eCh0raix encrypted more than 12TB of data stored on a Synology DS918 NAS device. Another admitted to using a weak password for login access. Another one decided to put the device behind a VPN connection, albeit too late. A free decryption tool is not yet available for them.
Both QNAP and Synology advise users to set strong, unique passwords and to enable the brute-force protection feature on their devices, called Network Access Protection on QNAP systems and Auto Block on Synology devices. Running the latest firmware version ensures protection against older vulnerabilities, which often get exploit code soon after they are patched.
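The sketch below is an added example, not vendor code: it shows the kind of sliding-window rule a brute-force protection feature applies to failed logins. The log format, the sample lines, and the threshold of 5 failures in 5 minutes are constructed assumptions, not QNAP or Synology defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, source IP, account, result
SAMPLE_LOG = """\
2024-01-01T02:00:00 203.0.113.7 admin FAIL
2024-01-01T02:00:02 203.0.113.7 admin FAIL
2024-01-01T02:00:04 203.0.113.7 admin FAIL
2024-01-01T02:00:05 198.51.100.23 admin FAIL
2024-01-01T02:00:06 203.0.113.7 admin FAIL
2024-01-01T02:00:08 203.0.113.7 admin FAIL
2024-01-01T02:00:10 203.0.113.7 admin FAIL
2024-01-01T02:01:00 192.0.2.10 alice FAIL
2024-01-01T02:01:20 192.0.2.10 alice FAIL
2024-01-01T02:01:40 192.0.2.10 alice OK
2024-01-01T02:02:05 198.51.100.23 admin FAIL
2024-01-01T02:04:05 198.51.100.23 admin FAIL
2024-01-01T02:06:05 198.51.100.23 admin FAIL
2024-01-01T02:08:05 198.51.100.23 admin FAIL
"""

def blocked_sources(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: timestamp} for each source that reaches max_failures
    failed logins inside the sliding window (assumed thresholds)."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        stamp, ip, _account, result = parts
        if result != "FAIL" or ip in blocked:
            continue              # only failures count; blocked IPs stay blocked
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue              # skip unparseable timestamps
        failures = recent[ip]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if len(failures) >= max_failures:
            blocked[ip] = stamp
    return blocked

if __name__ == "__main__":
    for ip, stamp in blocked_sources(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {stamp})")
```

With these thresholds only the rapid source is blocked; the user who mistypes twice and the source whose failures are spread out both stay under the limit, which is why the vendors pair this feature with strong, unique passwords.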
If remote connection services like SSH and Telnet are not required, they should be disabled to reduce the attack surface. If your device needs to be exposed, using non-default connection ports will make it more difficult for hackers to reach it, while a VPN service will make it inaccessible to most hackers.
The simplest defense against ransomware is to create backup copies of the data and store them offline. Synology recommends turning on Snapshot, a function that creates a copy of the file at a particular time. QNAP NAS devices have a backup function that duplicates the data.
These features help protect against hackers targeting individual devices, but other local systems may not provide sufficient security options. Modern security solutions offer network-wide protection to all gadgets, blocking exploit attempts and warning of vulnerable firmware or weak login passwords.
Image credit: Synology & QNAP