jimk1963
Dec 19, 2023 Luminary
Ransomware - how to prevent on RN528X and RN424 (and RN212)
Today I saw this on reddit: https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/ Synology is purportedly the leader in NAS software security (at least according to ...
StephenB
Dec 19, 2023 Guru - Experienced User
jimk1963 wrote:
Today I saw this on reddit:
https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
So in general you do need to be cautious on how you set up remote access. Personally I use the openVPN service built into my Orbi router.
The other major vector for ransomware is through your home PCs. Since they have access to the NAS shares, ransomware on the PCs can encrypt (or destroy) files on the NAS also. If the shares can be accessed without credentials (passwords) or if passwords are saved on the PCs, then ransomware can reach the NAS very easily.
Most of these attacks include a social engineering component - for example, phishing emails that include malicious website links or attachments with embedded malware.
The strongest protection against this is to have a copy of your files that cannot be reached by the ransomware attack. I have a backup NAS on a power schedule. It can't be reached when it is powered down. If ransomware were to hit, I'd have some time to disconnect the NAS from my network before the next backup is scheduled.
Less expensive is to use USB drives for backup - connecting them when you make the backups, and disconnecting them immediately afterwards.
Cloud backup is another option - several cloud backup services do have some protection against ransomware attacks, and even if that fails you should be able to roll back to file versions saved before the attack hit.
As an aside, there are other threats with similar impact - fire, flood, theft, etc. Protection from them requires some off-site storage.
jimk1963 wrote:
There are no users underneath. I'm guessing this is maybe a problem, read somewhere it's a bad idea to use Admin as the primary access but don't understand why. Security issue??
If someone gets the admin password to your NAS, then they can log into the admin web ui. From there they can do a lot of bad stuff.
- enable ssh, and install whatever software they like on the NAS
- silently copy all your data
- destroy your volume
- ...
Also, you can do more damage accidentally from Windows if you are using admin credentials than you can do if you are using a more restricted account.
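StephenB's plan above only works if you notice the encryption before the next scheduled backup copies the damage. A cheap way to notice is to plant canary files on the share that no person or program should ever touch, and check them from another host on a schedule. The script below is an added example, not anything from the thread or from NETGEAR; the canary names, the `.locked` suffix used by the test fixture and the temp-dir share in `demo()` are all constructed.

```python
"""Canary-file check for a NAS share: planted decoy files that nobody should
touch, so a mass-encryption event is noticed before the next scheduled backup
runs. Constructed example; the share path is a temp dir when run via demo()."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen (assumed convention) so that a walk in name order reaches
# one of them early and one of them late.
CANARY_NAMES = ["!00_do_not_delete.docx", "zz_archive_index.xlsx"]
CANARY_PAYLOAD = b"canary file - do not modify\n"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(share: Path, names=CANARY_NAMES) -> dict:
    """Write the canaries and return a baseline {name: sha256}; keep the
    baseline somewhere the share itself cannot reach (the monitoring host)."""
    baseline = {}
    for name in names:
        (share / name).write_bytes(CANARY_PAYLOAD)
        baseline[name] = hashlib.sha256(CANARY_PAYLOAD).hexdigest()
    return baseline


def check_canaries(share: Path, baseline: dict) -> list:
    """Return findings; an empty list means every canary is intact."""
    findings = []
    listing = os.listdir(share)
    for name, digest in baseline.items():
        path = share / name
        if path.exists():
            if sha256(path) != digest:
                findings.append(f"MODIFIED: {name}")
            continue
        # Ransomware commonly rewrites the file and appends its own extension,
        # so a missing canary with a same-stem sibling is reported as a rename.
        renamed = [f for f in listing if f.startswith(name) and f != name]
        if renamed:
            findings.append(f"RENAMED: {name} -> {renamed[0]}")
        else:
            findings.append(f"MISSING: {name}")
    return findings


def simulate_damage(share: Path, name: str) -> None:
    """Test fixture only: reproduce the on-disk effect (content replaced,
    extension appended) so the detector can be exercised offline."""
    path = share / name
    path.write_bytes(os.urandom(64))
    path.rename(share / (name + ".locked"))


def demo():
    """Plant, verify clean, damage one canary, verify the finding."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = plant_canaries(share)
        clean = check_canaries(share, baseline)
        simulate_damage(share, CANARY_NAMES[0])
        dirty = check_canaries(share, baseline)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "all canaries intact")
    print("after: ", after)
```

Run `check_canaries` from a PC or a small always-on box, not from the NAS, on a schedule shorter than the backup interval; a non-empty result is the cue to power off or unplug the backup NAS before its next run, which is exactly the time window StephenB describes.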
schumaku
Dec 22, 2023 Guru - Experienced User
StephenB wrote:
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
Nope. Start reading and understanding about EternalBlue and WannaCry. The majority of ransomware attacks came in by unaware and careless users, blindly opening files of whatever content containing malware where it can cause most effect: where users believe it is "secure", on any kind of shared folders.
StephenB
Dec 22, 2023 Guru - Experienced User
schumaku wrote:
StephenB wrote:
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
Nope.
I pointed out that the main vector was through the local PCs (and specifically mentioned phishing).
But there are quite a few vulnerabilities that have been uncovered over the years with QNAP cloud software, including their QNAP photo station fairly recently.
The Synology vulnerability I was thinking about was some years ago ("SynoLocker"). The vulnerability was in their DSM software, but clearly required some form of remote access to exploit. Reading through it again, it's not clear if Synology's cloud service was part of the exploit or not.
While I think both vendors are well-intentioned, I still think that using vendor-supplied "free" cloud infrastructure for remote access and file sharing is a significant risk.
jimk1963
Dec 23, 2023 Luminary
Both Synology and QNAP have experienced well documented ransomware attacks. Synology had Synolocker and then recently, whatever this user had happen to him/her.
QNAP has suffered several ransomware attacks, here’s a QNAP PR from 2021:
https://www.qnap.com/static/landing/2021/qlocker/response/da-dk/
NASCompares and others have been reporting on this for quite some time.
Haven't reviewed the specific mechanisms these hackers used to gain access; it seems to be more sophisticated than the typical phishing approaches, but not sure.
StephenB
Dec 23, 2023 Guru - Experienced User
jimk1963 wrote:
Haven't reviewed the specific mechanisms these hackers used to gain access; it seems to be more sophisticated than the typical phishing approaches, but not sure.
I didn't see any reports that included phishing in those exploits.
I saw brute-force attacks on admin passwords listed in at least one of the attacks (and if a NAS manufacturer is targeted, then obviously the default admin passwords will be first on that list).
Another theme was users not updating the software regularly - in several cases QNAP and Synology had fixed security vulnerabilities months (or even years) earlier, but users hadn't bothered to install the updates.
In the specific case of ReadyNAS running OS-6:
- The version of Linux (Debian 8) has been archived/deprecated, so any security fixes in the future would need to be back-ported by Netgear.
- Since Netgear has also dropped software support, they are unlikely to get timely notice of an exploit aimed at ReadyNAS products.
- Available apps are not maintained, and often the current version of popular apps can not be installed, due to out-of-date libraries. Old app versions might be missing security fixes.
I think the best strategy for ReadyNAS users is to avoid exposing their NAS to inbound internet connections. Personally I've only used my ReadyNAS for storage for some time. No apps are running on them, no ports are forwarded to them, and remote access is only done through OpenVPN. UPnP is disabled in my router (a basic precaution that also helps protect PCs).
One thing I don't like is that Netgear hasn't released firmware that completely removes the ReadyCloud client from the firmware. Blocking traffic (both inbound and outbound) for port 6300 in your router might be a good precaution.
Given the history, I personally would avoid apps and remote access software from any NAS vendor, and continue to use my NAS simply for storage. I run apps on a separate PC server. My backup NAS (I use a couple) are all on a power schedule, so essentially air-gapped when not performing their backups. Their schedules are staggered, so I should have time to disconnect them from the network if I find the primary NAS has been compromised.
I also use cloud backup (running on a PC) for disaster recovery - many cloud backup systems have some detection in place for ransomware, and they all should let you roll back to a previous (unencrypted) version of the files.
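The rollback StephenB relies on only exists if the backup keeps history rather than mirroring the share: a backup job that ran after the encryption would otherwise overwrite the last good copy. The script below is an added example, not ReadyNAS's own backup feature or anything from this thread; it keeps each run in a timestamped directory, picks the newest run that predates the suspected compromise, and restores it. The 02:00 schedule, file names and the `.locked` suffix in `demo()` are constructed for the test.

```python
"""Versioned backup with rollback to the last snapshot taken before a
suspected compromise. Constructed example; it copies whole trees into
timestamped directories and does not use ReadyNAS's own backup jobs."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

STAMP = "%Y%m%dT%H%M%S"


def take_snapshot(source: Path, repo: Path, when: datetime) -> Path:
    """Full copy of source into repo/<timestamp>; earlier snapshots stay
    untouched, which is what lets a damaged backup run be ignored later."""
    snap = repo / when.strftime(STAMP)
    shutil.copytree(source, snap)
    return snap


def list_snapshots(repo: Path) -> list:
    return sorted(p for p in repo.iterdir() if p.is_dir())


def latest_before(repo: Path, cutoff: datetime) -> Path:
    """Newest snapshot taken strictly before the suspected compromise time."""
    ok = [p for p in list_snapshots(repo)
          if datetime.strptime(p.name, STAMP) < cutoff]
    if not ok:
        raise LookupError("no snapshot predates the cutoff")
    return ok[-1]


def restore(snap: Path, target: Path) -> None:
    """Replace target with the snapshot contents; files the attack created
    (renamed or dropped) disappear along with the damaged tree."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap, target)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def demo() -> dict:
    t0 = datetime(2023, 12, 19, 2, 0)   # nightly 02:00 backup window (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        share, repo = Path(tmp) / "share", Path(tmp) / "backup"
        share.mkdir()
        repo.mkdir()
        (share / "report.docx").write_bytes(b"quarterly numbers")
        good = sha256(share / "report.docx")
        take_snapshot(share, repo, t0)                       # day 1, clean
        (share / "notes.txt").write_text("added on day 2")
        take_snapshot(share, repo, t0 + timedelta(days=1))   # day 2, clean
        # Day 2 afternoon: the share is damaged (content replaced, extension
        # appended); the day-3 backup faithfully copies the damage.
        (share / "report.docx").write_bytes(b"\x00unreadable")
        (share / "report.docx").rename(share / "report.docx.locked")
        take_snapshot(share, repo, t0 + timedelta(days=2))
        compromise = t0 + timedelta(days=1, hours=12)
        chosen = latest_before(repo, compromise)
        restore(chosen, share)
        return {
            "snapshot": chosen.name,
            "report_intact": sha256(share / "report.docx") == good,
            "day2_work_kept": (share / "notes.txt").exists(),
            "damage_gone": not (share / "report.docx.locked").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The point is the retention: a single mirror would have been overwritten by the day-3 run, while the snapshot repository still holds the day-2 state. Keeping that repository on a backup NAS that is powered down between runs, or on a USB drive that is unplugged afterwards, is what puts the history out of the ransomware's reach.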
jimk1963
Dec 24, 2023 Luminary
Thanks StephenB , very helpful.
Re:
I think the best strategy for ReadyNAS users is to avoid exposing their NAS to inbound internet connections. Personally I've only used my ReadyNAS for storage for some time. No apps are running on them, no ports are forwarded to them, and remote access is only done through OpenVPN. UPnP is disabled in my router (a basic precaution that also helps protect PCs).
Maybe a really dumb question - my NASes are DHCP assigned on my network, connected via 10GbE or 1GbE. I'm not running any apps on the NAS units, and no ports are knowingly forwarded. Other than powering the units off (per your comments), it seems a NAS is inherently at risk as long as it, and any PC, are turned on in the home since they reside on the same network. Am I missing something? I don't have any VPN set up so there's no remote access possible that I'm aware of. I looked into OpenVPN on the Orbi, not exactly straightforward. Sounded like I need to sign up for some service or establish some account to make it work.
Re:
One thing I don't like is that Netgear hasn't released firmware that completely removes the ReadyCloud client from the firmware. Blocking traffic (both inbound and outbound) for port 6300 in your router might be a good precaution.
Looking at the Orbi web GUI, it's not clear to me how to do this. There are many source types to choose from - I tried ALL, but then it wouldn't let me fill in any port numbers. I tried "Any (TCP)" and filled in 6300 for the port number, that failed also. If possible, please dumb it down for me as to how to set parameters to close this port. Finally, researching Port 6300, I didn't find anything very helpful - does closing this port have unwanted side effects? Like other software programs not working, or losing access to networked devices, etc?
I'll look into the backup service you mentioned, sounds like what I'm looking for. Something that can be slow, but reliable for disaster recovery.