jimk1963
Dec 19, 2023 - Luminary
Ransomware - how to prevent on RN528X and RN424 (and RN212)
Today I saw this on reddit: https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/ Synology is purportedly the leader in NAS software security (at least according to ...
- Dec 19, 2023
jimk1963 wrote:
Today I saw this on reddit:
https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
So in general you do need to be cautious on how you set up remote access. Personally I use the OpenVPN service built into my Orbi router.
The other major vector for ransomware is through your home PCs. Since they have access to the NAS shares, ransomware on the PCs can encrypt (or destroy) files on the NAS also. If the shares can be accessed without credentials (passwords) or if passwords are saved on the PCs, then ransomware can reach the NAS very easily.
Most of these attacks include a social engineering component - for example, phishing emails that include malicious website links or attachments with embedded malware.
The strongest protection against this is to have a copy of your files that cannot be reached by the ransomware attack. I have a backup NAS on a power schedule. It can't be reached when it is powered down. If ransomware were to hit, I'd have some time to disconnect the NAS from my network before the next backup is scheduled.
Less expensive is to use USB drives for backup - connecting them when you make the backups, and disconnecting them immediately afterwards.
Cloud backup is another option - several cloud backup services do have some protection against ransomware attacks, and even if that fails you should be able to roll back to file versions saved before the attack hit.
As an aside, there are other threats with similar impact - fire, flood, theft, etc. Protection from them requires some off-site storage.
jimk1963 wrote:
There are no users underneath. I'm guessing this is maybe a problem, read somewhere it's a bad idea to use Admin as the primary access but don't understand why. Security issue??
If someone gets the admin password to your NAS, then they can log into the admin web UI. From there they can do a lot of bad stuff.
- enable ssh, and install whatever software they like on the NAS
- silently copy all your data
- destroy your volume
- ...
Also, you can do more damage accidentally from Windows if you are using admin credentials than you can do if you are using a more restricted account.
schumaku
Dec 22, 2023 - Guru - Experienced User
StephenB wrote:
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
Nope. Start reading and understanding about EternalBlue and WannaCry. The majority of ransomware attacks came in by unaware and careless users, blindly opening files of whatever content containing malware where it can cause most effect: where users believe it is "secure", on any kind of shared folders.
StephenB
Dec 22, 2023 - Guru - Experienced User
schumaku wrote:
StephenB wrote:
This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.
Nope.
I pointed out that the main vector was through the local PCs (and specifically mentioned phishing).
But there are quite a few vulnerabilities that have been uncovered over the years with QNAP cloud software, including their QNAP photo station fairly recently.
The Synology vulnerability I was thinking about was some years ago ("SynoLocker"). The vulnerability was in their DSM software, but clearly required some form of remote access to exploit. Reading through it again, it's not clear if Synology's cloud service was part of the exploit or not.
While I think both vendors are well-intentioned, I still think that using vendor-supplied "free" cloud infrastructure for remote access and file sharing is a significant risk.