RSherman90
Apprentice
Apr 18, 2020

Is a NAS vulnerable to Ransomware attack?

We have a small workgroup network of 10 PCs and an RN-424 serving shared data to all the PCs. All the PCs do image backups to a Share on the NAS as well as local image backups to a 2nd hard drive on each PC.

About a month ago we installed a "work from home" Chrome plugin that logged into a local PC through port 443 which we opened on our Cisco router. Two days later, that PC suffered a ransomware attack that encrypted most of the data files on the local machine, including the local image backups.

I believe I interrupted the attack before it finished as a few local files were not encrypted that seemed to be vulnerable. A very few files on other machines were also infected through shortcut links.

We closed port 443, stopped using the remote software and restored the infected computer from an image backup that was on the NAS.

My question: What do I need to do to ensure that the NAS is protected from another Ransomware attack through one of our PCs? Are there steps I can take to make sure the NAS is not vulnerable?

13 Replies

  • I am not aware of any ransomware that can attack a Linux-based NAS directly.  BUT, ransomware on a PC that uses the NAS can encrypt the data on the NAS using that PC's access.  There are some things you can do to reduce its chances of doing so:

     

    Limit each user's access as much as practical to reduce the scope the ransomware will have on the NAS.  If it is only used for backup, don't mount any NAS share as a drive on any PC or keep a folder on the NAS open.  If possible, don't access the NAS directly from Windows Explorer at all.  Definitely don't save NAS credentials on the PC (don't check the "remember" box).  Let the backup software directly access the share, if it can do that.  If it can use a protocol other than SMB, even better (though I know of no decent PC backup software that does), and then shut down SMB completely on the NAS.  If you can put the NAS on a time schedule, that may give you time to intervene before it's even on, but I wouldn't count on this being especially effective.

     

    Once the ransomware has done its deed, the backup software may stop working.  But in case it doesn't, ensure your backup keeps at least one old copy on the NAS and that the NAS has snapshots enabled (custom gives you better control than "Smart") and enough space that all snapshots won't be deleted to make way for the next backup, which may be huge because the encrypted files are "new".  Don't have "allow snapshot access" checked, so they are invisible to the PC.

     

    If you have a backup NAS for this NAS (and you may not if it's only PC backups already), don't enable SMB on the backup computer -- use rsync only.  Don't use "remove files deleted on source" (though that can get unruly if you don't have a process for deleting old files and have a lot of churn).  Snapshots and a time schedule for this NAS may also help some in the same way as on the primary.  BTW, a way to implement old file deletion on the NAS without an external process is to have one periodic backup that does delete files deleted on source.  But you can get unlucky and have that one occur at the wrong time.

    • StephenB
      Guru

      If you are willing to throw disk space at the problem, you could recover data from snapshots if a PC encrypts the files on the NAS.

       

      Since you generally want 20% free space (even after ransomware attacks), you'd want to size the volume so that you always have 60% free space.

    • ReadyNASinUK
      Aspirant

      Sandshark 

      I think I understand your suggestion, but as well as backup our ReadyNAS is used for PC users to access shared files, your suggestion seems to be "don't do that"?

      I have been thinking about anti-ransomware precautions along these lines:

      For backups, no access to backup shares from network PCs.

      For shared files, backup frequently to a different share on the NAS, which also has no access from network PCs.  (Data penalty here, but user files on our NAS are only a few 100s of GB)

      I am not a ReadyNAS expert by any means, so would welcome comments on this as a strategy.


       

      • StephenB
        Guru

        ReadyNASinUK wrote:

        For shared files, backup frequently to a different share on the NAS, which also has no access from network PCs.  (Data penalty here, but user files on our NAS are only a few 100s of GB)

         


        I'd like to repeat the suggestion on using btrfs snapshots as part of your mitigation strategy.  When the malware rewrites the files (encrypting them, and optionally scrambling their names), the original files will remain in the snapshots.  That is more efficient than your frequent backup idea, and also should eliminate the need to stop the backups before the encrypted files poison the backup store.  It would also give you the most recent copy of the unencrypted files. 

         

        If you are new to NAS, you should probably research how btrfs snapshots work generally.  They also provide some ability to roll back to older file versions in response to user errors.

         

        Another mitigation (which I use myself) is to deploy a backup NAS that uses rsync, and doesn't have SMB or other file sharing protocols enabled at all.  This NAS runs on a power schedule, so it isn't on very often.  This reduces the chance of the malware reaching it (especially in the scenario where I see the problem in time to simply disconnect that NAS from my network).

         

        Cloud backup is another potential mitigation - many do have some ability to detect malware infections, and prevent them from spreading to the cloud backups.  In some cases they offer unlimited retention, which would ensure that you can get back to uncorrupted files.  And you might want cloud backup for disaster recovery anyway.
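
Added example, not part of any post in this thread: the replies note that encrypted files look "new" to the next backup and can poison the backup store, so a pull job can be held when a dry run shows unusual churn. This sketch parses the output of `rsync -a --dry-run --itemize-changes`; the sample listings are constructed, and the function names and the 25% threshold are assumptions to tune for your own data.

```python
# Constructed dry-run listings (not real captures). Each line is rsync's
# 11-character itemize field, a space, then the path.
NORMAL = [
    ".d..t...... docs/",                  # directory timestamp only
    ">f.st...... docs/report.docx",       # existing file, content would be rewritten
    ">f+++++++++ docs/new-invoice.pdf",   # file not yet in the backup
]
ATTACK = [
    ".d..t...... docs/",
    ">f.st...... docs/report.docx",
    ">f.st...... docs/budget.xlsx",
    ">f.st...... photos/site.jpg",
    ">f+++++++++ docs/a91f.locked",       # scrambled name shows up as a new file
]

def classify(lines):
    """Split regular files the backup would receive into rewritten vs. created."""
    rewritten, created = [], []
    for line in lines:
        line = line.rstrip("\n")
        flags, sep, path = line[:11], line[11:12], line[12:]
        # ">f" = a regular file transferred to the backup; skip dirs, messages, etc.
        if sep != " " or not flags.startswith(">f"):
            continue
        if flags[2:] == "+++++++++":
            created.append(path)
        else:
            rewritten.append(path)
    return rewritten, created

def backup_decision(lines, files_in_backup, max_ratio=0.25):
    """Hold the job if too large a share of the backup would change in one run.

    files_in_backup: number of files already in the destination (hypothetical
    input; count it by walking the backup directory). max_ratio is an assumed
    threshold, not a vendor recommendation.
    """
    rewritten, created = classify(lines)
    result = {"rewritten": len(rewritten), "created": len(created), "hold": False}
    if files_in_backup == 0:              # first run: everything is new by design
        return result
    result["hold"] = (len(rewritten) / files_in_backup > max_ratio
                      or len(created) / files_in_backup > max_ratio)
    return result

if __name__ == "__main__":
    print(backup_decision(NORMAL, files_in_backup=8))
    print(backup_decision(ATTACK, files_in_backup=8))
```

A held job leaves the previous backup untouched until someone has looked at the source share; it complements snapshots rather than replacing them.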
