Jarkod (Guide), Aug 04, 2014
Is a ransomware attack on ReadyNAS possible?
Synology NAS servers are under attack by the SynoLocker ransomware http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/. Devices are encrypted and the owners are told to pay 0.6 Bitcoin if they want their data back. I was wondering if such a thing is possible in the ReadyNAS realm? How can the ordinary user prevent such things from happening, other than by going offline?
24 Replies
xeltros (Apprentice): Saying it is not possible would be an error, as a virus can be adapted to pretty much anything. OS X has viruses, as does Linux.
The article says: "It's not clear yet how SynoLocker's operators installed the malware, for example, if they had exploited a vulnerability in Synology devices."
If they exploited a Synology vulnerability, then ReadyNAS is probably safe; if they exploited a Linux vulnerability, then ReadyNAS is at risk too. That's impossible to say without knowing exactly how they were infected.
What I can tell you is that the more backups you have on more different platforms, the less chance you have of losing your data (Time Capsule, FreeNAS and Windows Server are not Linux based and shouldn't share most of the vulnerabilities of Synology or ReadyNAS devices). Depending on the threat, a potent firewall, an IPS or an updated antivirus can help too. Change the default password too if not already done (it should already be).
Sorry to have nothing better to say, but if we don't know how, we can't objectively tell you if this is possible or not. And even if we knew how, the virus could be adapted for ReadyNAS. So the best course is to have backups on several platforms and decent protection all around the NAS.
Jarkod (Guide): Some Synology users reported that files get encrypted one by one, so when they started copying them early enough they were able to save their data at least partially. Correct me if I'm wrong, but if by any chance the same happens to ReadyNAS users, the possible rescue could be to switch off the server immediately, take the disks out, connect them to a computer, mount them and copy the data to other disks, right? And then do a factory reset with the disks back in the device.
By the way, is there any way to change the ports services listen on on ReadyNAS devices? From this forum I know it's very hard, but not impossible, to change the default SSH port. How about other services?
xeltros (Apprentice): The SSH port is easy to change. HTTP/HTTPS/FTP/FTPS ports should be possible to change too. I however doubt you can change the SMB or AFP port, as clients do not ask for ports and this would make those services unusable.
I also doubt that changing the ports would be of any help. I would personally not forward the ports from the internet; maybe raise iptables on the outside interface.
Nevertheless, if you want to change those ports at your own risk, you have two options:
- Using an iptables redirect (not sure if ReadyNAS has all the modules, but you could give it a try). If you can do it on a single interface (either eth0 or eth1), that is the safest option, as you could still recover from the other interface. You can also choose whether to make the changes persistent after a reboot.
- Using config files (OpenSSH, Apache, ProFTPD). But you would have to do it again after any update.
Once again, I don't think this would make much of a difference in this particular case, as most (if not all) of those ports are not available through the internet.
I do not know how ReadyNAS encryption works; if it does it file by file then you are right. If it takes the volume offline to do a full volume encryption, I don't know. Either way, I strongly recommend having a backup before it happens rather than reacting while it happens. What if you are at work? What if you don't get the alert? A USB backup is a good option here too: not expensive if you have less than 3 TB of data, but definitely safer than any other option, as it is disconnected from the NAS and even if it is connected it has no operating system to infect. The firmware can be infected, though.
Creating a user with "sudo" power can be a solution too, as it should have access to the encrypted files because it will act as root. Maybe the malware didn't think about erasing existing user accounts but just cut the server off or changed the rights on the files.
StephenB (Guru - Experienced User): If you map NAS shares to Windows drive letters, then the mapped drive is vulnerable to normal CryptoLocker.
I wouldn't allow SSH, SMB or AFP ports to be forwarded through my NAT router.
Overall, the ReadyNAS could be vulnerable, though as xeltros says, without knowing more details it is hard to say. I do recommend installing current firmware if you are down-rev, since the recent releases have had security patches.
chirpa (Luminary): I've seen ReadyNAS systems with HTTPS/SSH open to the net with rootkits installed before. Usually default passwords caused it.
mdgm-ntgr (NETGEAR Employee Retired): As StephenB mentioned, keeping the firmware up to date is good. Security updates continue to be added over time, including in e.g. the 6.1.9 RCs, 4.2.27 beta etc.
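The iptables option xeltros outlines above, written out as an added example (not code posted in the thread). It assumes the nat table and the REDIRECT target are available, which xeltros notes is unconfirmed for ReadyNAS, and that eth0 is the interface behind the router's forwarded port while eth1 stays LAN-only; the port numbers are placeholders. By default it only prints the commands; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: move the externally reachable SSH port
# with an iptables REDIRECT bound to ONE interface, so the other interface
# keeps the untouched real port as a recovery path if you lock yourself out.
# Assumptions (hypothetical, not confirmed for any ReadyNAS firmware):
#   - iptables with the nat table and REDIRECT target is present
#   - eth0 faces the router's forwarded port, eth1 is LAN-only
# DRY_RUN=1 (the default) prints the rules instead of applying them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# redirect_port IFACE PUBLIC_PORT REAL_PORT
# Packets arriving on IFACE for PUBLIC_PORT are rewritten to REAL_PORT before
# routing. The daemon keeps listening on REAL_PORT, so no sshd_config, Apache
# or ProFTPD file is edited and nothing has to be redone after a firmware update.
redirect_port() {
    iface="$1"; public="$2"; real="$3"
    # 1. accept the public port, but only on the chosen interface
    run iptables -A INPUT -i "$iface" -p tcp --dport "$public" -j ACCEPT
    # 2. rewrite the destination port
    run iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$real"
    # 3. drop direct attempts at the real port on that interface, so the real
    #    port stays reachable only from the other (LAN-only) interface
    run iptables -A INPUT -i "$iface" -p tcp --dport "$real" -j DROP
}

# undo_redirect IFACE PUBLIC_PORT REAL_PORT
# Removes exactly the three rules above (same match, -D instead of -A).
undo_redirect() {
    iface="$1"; public="$2"; real="$3"
    run iptables -D INPUT -i "$iface" -p tcp --dport "$public" -j ACCEPT
    run iptables -t nat -D PREROUTING -i "$iface" -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$real"
    run iptables -D INPUT -i "$iface" -p tcp --dport "$real" -j DROP
}

# Run by hand these rules are gone after a reboot (the "not persistent" option);
# putting the same calls in a boot script is what makes them persistent.
redirect_port eth0 2222 22
```

The test in the dry run is simply that the generated rules mention only the interface you chose; if eth1 shows up anywhere, you have removed your own recovery path.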
Changing ports may help a bit, but there are ways hackers can still identify open ports and attempt to brute-force their way in.
You definitely shouldn't forward any more ports than necessary, and if you do have to forward ports take some steps to secure your NAS to provide some defence against attack.
You also should back up your important data regularly. There are many reasons why backups are important.
If your NAS does get infected by ransomware, power down the NAS immediately and contact support for assistance in recovering as much data as possible; then, once as much data as possible has been recovered, factory reset (wipes all data, settings, everything) and copy the data back from backup.
We do have a low-level diagnostics mode that shouldn't ever get infected (even if the NAS is hacked), which would give our support agents the opportunity to recover data that hasn't already been lost.
StephenB (Guru - Experienced User):
chirpa wrote: Seen ReadyNAS systems with https/ssh open to the net with rootkits installed before. Usually default passwords caused it.
Very bad idea to use the default admin password.
chirpa (Luminary): What usually happens is they enable SSH and update the FrontView admin password, but never update the root user's SSH password. Then scanning bots find it and get in.
StephenB (Guru - Experienced User): Getting back to the original question...
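An added example (not from the thread) that checks for the two things chirpa describes: an sshd that still accepts password logins as root, and the scanning bots that find it. The sshd_config snippets and auth.log lines are constructed here; hostnames and addresses are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). A directive missing from the config is treated as "yes", the OpenSSH default of the time, which is an assumption about the NAS's OpenSSH version.

```shell
#!/bin/sh
# Added example, not from the thread: flag an sshd that lets root log in with a
# password, and count failed root logins per source to make the bots visible.
# All inputs below are constructed; paths, hostnames and IPs are made up.

TMP="${TMPDIR:-/tmp}/sshaudit.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed sshd_config: SSH switched on, nothing else touched.
cat >"$TMP/weak_sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# The same daemon after hardening: keys only, no root login.
cat >"$TMP/hard_sshd_config" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Constructed auth.log excerpt in OpenSSH's format.
cat >"$TMP/auth.log" <<'EOF'
Aug  4 10:12:01 nas sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  4 10:12:03 nas sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug  4 10:12:05 nas sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Aug  4 10:12:06 nas sshd[1207]: Failed password for root from 203.0.113.5 port 51251 ssh2
Aug  4 10:12:09 nas sshd[1209]: Accepted publickey for backup from 192.168.1.20 port 55012 ssh2
Aug  4 10:12:11 nas sshd[1211]: Failed password for root from 198.51.100.7 port 40010 ssh2
EOF

# audit_sshd_config FILE
# Prints one finding per line. Only the first occurrence of a directive counts,
# as sshd itself behaves; an absent directive is treated as "yes" (assumed
# OpenSSH default for the era).
audit_sshd_config() {
    awk '
        $1 !~ /^#/ && NF >= 2 {
            key = tolower($1)
            if (!(key in seen)) { seen[key] = 1; val[key] = tolower($2) }
        }
        END {
            if (!("permitrootlogin" in val) || val["permitrootlogin"] == "yes")
                print "FINDING PermitRootLogin is not disabled: root can log in remotely"
            if (!("passwordauthentication" in val) || val["passwordauthentication"] == "yes")
                print "FINDING PasswordAuthentication is on: guessable passwords can be brute-forced"
        }' "$1"
}

# count_findings FILE -> number of findings as a plain integer
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# failed_root_logins LOGFILE
# "Failed password for root" events per source address, busiest first.
# Several attempts per second from one address is a scanner, not a typo.
failed_root_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

echo "== weak config =="; audit_sshd_config "$TMP/weak_sshd_config"
echo "== hardened config =="; audit_sshd_config "$TMP/hard_sshd_config"
echo "== failed root logins by source =="; failed_root_logins "$TMP/auth.log"
```

On a real NAS, point audit_sshd_config at /etc/ssh/sshd_config and failed_root_logins at whichever file sshd logs to; a non-empty bot table against a config with two findings is exactly the situation chirpa describes.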
Jarkod wrote: Synology NAS servers are under attack of SynoLocker ransomware http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/. Devices are encrypted and the owners are demanded to pay 0.6 Bitcoin if they want their data back. I was wondering if such thing is possible in the ReadyNAS realm? How can the ordinary user prevent such things from happening except from going off-line?
Every device you own that is connected to the internet (including your ISP router) is potentially vulnerable to attack, and once compromised can lead to attacks on other devices you own. You can lower the odds greatly by minimizing the attack surface (e.g., turning off services you don't use, being thoughtful about port forwarding), and you can lower the odds further with other best practices (good passwords, applying software updates with security patches). Backups to other devices can help mitigate the damage if you are compromised. But you can't bring the odds down to 0 unless you go totally offline.
Of course the benefits of the internet are huge, and with good practices the risks to your systems are low - so the risks generally outweigh the rewards. But it would be foolish to think that this couldn't ever happen to your ReadyNAS (or your iPad or your smartphone or your Windows PC or your Mac or ...)
xeltros (Apprentice): There is a famous quote in security that says:
The only system which is truly secure is one which is switched off and unplugged locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.
-- Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST) Project, Purdue University
Nothing is ever fully secured. All you can do is decrease the odds or the impact of an event. Although in this case you may be safe, because it seems that the attackers exploited a Synology hole on systems with 4.3 and that systems with 5.0 are not affected. So having your NAS up to date may be enough to avoid this one (but they may update the virus, or there may be a new one, or any other kind of attack/failure).
http://www.zdnet.com/ransomware-attacks ... 000032335/
So my advice is to back up properly and preventively, then reduce the attack surface, and you should be spared (or have really bad luck).
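An added example (not from the thread) of the early warning xeltros asks about ("What if you don't get the alert?") for the pattern Jarkod reports, files being encrypted one by one. Ciphertext is close to random, so a burst of recently modified files whose byte entropy is near 8 bits per byte is a strong hint that something is encrypting the share. The sample share below is constructed in a temporary directory, /dev/urandom stands in for the encrypted output, and the thresholds (7.5 bits, 3 files, 60 minutes) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: detect file-by-file encryption on a share
# by measuring the byte entropy of recently modified files.
# The share is constructed here; /dev/urandom plays the role of ciphertext.

SHARE="${TMPDIR:-/tmp}/share.$$"
trap 'rm -rf "$SHARE"' EXIT
mkdir -p "$SHARE/docs" "$SHARE/photos"

# ordinary documents: low entropy
yes 'Quarterly report, nothing unusual to see here.' | head -n 200 >"$SHARE/docs/report.txt"
yes 'Shopping list: bread, milk, coffee.'          | head -n 100 >"$SHARE/docs/notes.txt"
# three files already "encrypted": high entropy, fresh mtime
for f in holiday1 holiday2 holiday3; do
    head -c 4096 /dev/urandom >"$SHARE/photos/$f.jpg.encrypted"
done

# file_entropy FILE -> Shannon entropy of the byte distribution, bits per byte
# (text lands around 4-5, compressed media 7-7.5, ciphertext very close to 8)
file_entropy() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            h = 0
            for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.3f\n", (n ? h : 0)
        }'
}

# entropy_above FILE BITS -> exit 0 when the file's entropy exceeds BITS
entropy_above() {
    awk -v e="$(file_entropy "$1")" -v t="$2" 'BEGIN { exit !(e + 0 > t + 0) }'
}

# suspicious_count DIR MINUTES BITS -> number of files modified within the
# last MINUTES whose entropy exceeds BITS (find -mmin: GNU and BSD find)
suspicious_count() {
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if entropy_above "$f" "$3"; then n=$((n + 1)); fi
    done <<EOF
$(find "$1" -type f -mmin "-$2")
EOF
    echo "$n"
}

# check_share DIR -> ALERT when 3 or more high-entropy files changed in the
# last hour, OK otherwise; the thresholds are assumptions for illustration
check_share() {
    if [ "$(suspicious_count "$1" 60 7.5)" -ge 3 ]; then echo "ALERT"; else echo "OK"; fi
}

echo "report.txt:   $(file_entropy "$SHARE/docs/report.txt") bits/byte"
echo "holiday1:     $(file_entropy "$SHARE/photos/holiday1.jpg.encrypted") bits/byte"
echo "share status: $(check_share "$SHARE")"
```

Run from cron against a real share, check_share is a cheap way to be told while the encryption is still in progress, which is the window in which pulling the power and the disks, as Jarkod and mdgm-ntgr describe, still saves something. It is an alert, not a backup: the USB or off-device copies discussed above are what actually get the data back.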