Ransomware Attacks on NAS Devices
March 22, 2021
NAS devices are widely used by individuals and companies alike to store large amounts of data to be accessed via a network. It is also very convenient to use NAS as storage for backups and, in many cases, NAS devices are connected to the internet. That’s why NAS devices are common targets for cyber criminals. Some ransomware versions are designed specifically to target NAS. However, files stored on a NAS can be encrypted and corrupted by any ransomware if a computer in the network is infected and has access to the NAS. This may come as a surprise for many users, who believe that NAS is reliable and invulnerable by default. This blog post explains how you can protect NAS against ransomware attacks. The set of security measures includes general anti-ransomware measures in addition to NAS-specific measures.
Change Credentials on NAS
Ransomware creators are well aware of the default administrator usernames and passwords on different NAS devices. Administrator or admin are the most popular usernames for admin accounts. If the username and password are not changed on a device, attackers can easily gain access to the NAS. When admin users set their own passwords, attackers can use automated tools to carry out brute-force attacks and dictionaries to guess the password to get full access to the NAS.
In most cases, you cannot delete a built-in administrator account on a NAS device. The best thing to do is create a new user account on your NAS and set a strong username and password that are difficult to guess. Then add all the administrative permissions for this account (all permissions that are available for the default admin account). When done, disable the default admin account on your NAS.
You can create accounts for users who access shared data directly on NAS, or you can join your NAS to the Active Directory domain and use Active Directory user accounts to share folders and access them.
Make sure to use strong passwords for users who access shared data. A strong password contains at least 8 characters including uppercase, lowercase letters, digits, and special characters (like %, $ & #).
Data on a NAS can become encrypted by ransomware if a user has write access from an infected computer to a shared folder on the NAS. The accessible data on the NAS can also be encrypted by ransomware.
A good option to avoid this kind of scenario is to use a separate user account, that is, not the same account that is used to log into Windows, without saving passwords on the Windows machine. In this case, user will have to enter their credentials to access a shared folder after each Windows login. It is more difficult to access and encrypt data on a shared folder located on a NAS if the user has not entered their credentials to open a shared folder. Ransomware protection is further improved if the password is strong because some ransomware can use small dictionaries with popular passwords to guess a password and gain access.
Another good practice is to set different access levels for different categories of users. Users that require read-only access should not have write permissions to further boost security.
If your NAS must be accessed from external networks or the internet, configure the firewall on your gateway properly to allow access only from trusted IP addresses. This way you prevent attackers from scanning and detecting your NAS device over the internet. The best option is to locate your NAS behind a NAT firewall.
There are two approaches to allow access to users outside your network: port forwarding and a virtual private network (VPN). If you use port forwarding to access your NAS from external networks, use custom (non-standard) port numbers for protocols used to access data. For example, use port TCP 8122 instead of 22. Attackers usually scan standard ports to detect open ports and start brute-force/dictionary attacks to compromise accounts and get access to the NAS. However, scanners that scan all ports may also be used to find open ports.
Allow access to your NAS by opening only the needed ports instead of all ports. For example, if you use SMB to transfer files over LAN and SFTP to transfer files over WAN, disable other unused services and file protocols. Opt for using the latest version of the SMB (CIFS) protocol in local networks due to the higher level of security.
You should also disable remote connectivity. On Synology NAS, disable the Quick Connect feature intended to connect to the NAS from any WAN IP address without configuring port forwarding. Disabling this feature reduces the number of ways to connect to the NAS, thus making it less likely that the NAS would be compromised and data encrypted by ransomware.
Protect your network, computers, and other devices connected to the network. If you use your NAS only to store backups on-premises, disable connections to your NAS from external networks. If there is a built-in firewall on your NAS, you can enable connections only from IP addresses of servers on which data is regularly backed up.
NAS devices have firmware or a special operating system adopted to work on NAS. Ransomware can exploit security vulnerabilities of software to infect a device and encrypt files. And operating systems installed on NAS devices are not an exception. Update NAS firmware (operating systems) and applications regularly to install the latest security patches that fix discovered NAS software vulnerabilities. Installing security updates reduces the risk of ransomware attacks on NAS devices. Automatic updates may be useful in this case.
Note: Recent ransomware attacks involving the eCh0raix ransomware used brute-force and software vulnerabilities to target QNAP NAS devices that are not patched. Users who were using weak credentials and unpatched software were attacked with eCh0raix. The latest ransomware attacks targeting NAS devices also included AgeLocker and QSnatch.
Configure Security Settings
Many NAS devices have built-in security settings that are useful for ransomware protection. The auto block option is used to prevent brute-force attacks to get access to NAS. Configure NAS software to block IP addresses from which too many login attempts are detected. Enable logging to detect failed login attempts. Configuring account protection allows you to block the login option for the appropriate time after X login attempts failed for XX minutes. Defense against unauthorized access reduces the probability of ransomware attacks targeting NAS devices. Enable DDoS protection if your NAS is exposed to the internet. This option protects NAS devices against distributed denial-of-service attacks, which are designed to disrupt online services.
Use Secure Connection
Always use encrypted connections to your NAS. Enable SSL for connections to use the HTTPS protocol instead of HTTP to access the NAS web interface. If you share files with external users, use SFTP or FTPS instead of FTP because classic FTP doesn’t support encryption. When you use network protocols without encryption, a third party can capture data transferred over network. Passwords are transferred as plain text when using an unsecured unencrypted connection. Use SSH and not Telnet to manage your NAS in the command line interface.
Protect the Entire Environment
Effective ransomware protection involves a complete set of measures for all devices connected to your networks. Even one unprotected device can be used as the entry point for ransomware. Update firmware on all devices, install security patches on all machines. Configure email protection using anti-spam filters because spam and phishing emails are the most popular ransomware infection methods. Configure monitoring to detect a ransomware cyber attack as soon as possible and stop file encryption and ransomware spreading.
Back Up Data
Cybercriminals are looking for new vulnerabilities and improve attack techniques to attack users and encrypt their data. Ransomware attacks become more sophisticated. That’s why you should back up your data regularly. Having a backup allows you to restore data in a short time in a case of a ransomware attack or other disasters leading to data loss. NAS devices are usually used as backup destinations but they can also be a target of ransomware. For this reason you should create backup copies based on the 3-2-1 backup rule. Back up your data regularly and create several backup copies. If your files have been encrypted with ransomware, don’t pay the ransom because paying out incentivizes cybercriminals to launch more attacks.
NAKIVO Backup & Replication is a universal data protection solution that can be installed on NAS and can back up your data to NAS and other storage including creation of backup copies to tape and cloud. NAKIVO Backup & Replication supports backup of VMware vSphere VMs, Microsoft Hyper-V VMs, Amazon EC2 instances, Linux machines, Windows machines, Microsoft 365, and Oracle databases. You can explore various features and functionality of NAKIVO Backup & Replication by simply downloading the Free Edition. The Free Edition allows you to protect 10 workloads and 5 Microsoft 365 accounts free of charge for one year!
Read other blog posts about ransomware to learn more about ransomware attacks, how is ransomware spread, and how to remove ransomware:
With the growing popularity of NAS devices, ransomware targeting NAS is also on the rise, unfortunately. In order to protect NAS devices against ransomware attacks, you should implement a complete set of measures. Set strong passwords, configure firewall, configure permissions, protect software on NAS and on other computers in your network, install security patches regularly. Configure email filtering on email servers in your organization to prevent users against spam and phishing emails. But most importantly, make sure to back up your data regularly to ensure you can recover after a ransomware incident.
This post was first first published on Official NAKIVO Blog website by Michael Bose. You can view it by clicking here