Synology NAS servers are under attack of SynoLocker ransomware http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/. Devices are encrypted and the owners are demanded to pay 0.6 Bitcoin if they want their data back. I was wondering if such thing is possible in the ReadyNAS realm? How can the ordinary user prevent such things from happening except from going off-line?

Saying it is not possible would be an error as a virus can be adapted to pretty much anything. OS X have viruses, as well as linux. The article says : It’s not clear yet how SynoLocker’s operators installed the malware, for example, if they had exploited a vulnerability in Synology devicesIf they exploited Synology vulnerability, then ReadyNAS are probably safe, if they exploited a linux vulnerability then ReadyNAS are at risk too. That's impossible to say without knowing exactly how they have been infected. What I can tell you is that the more backups you have on the more different platforms, the less chance you have to lose your data (Time Capsule, FreeNAS, Windows Server are not linux based and shouldn't share most of the vulnerabilities of Synology or readyNAS devices). Depending on the threat, a potent firewall, an IPS or an updated antivirus can help too. Change default password too if not already done (it should already be). Sorry to have nothing better to say, but if we don't know how we can objectively tell you if this is possible or not. And even if we know how, virus may be adapted for ReadyNAS. So the best course is to have backups on several platforms and decent protection all around the NAS.

Some Synology users reported files get encrypted one by one so when they started copying them early enough they were able to save data at least partially. Correct me if I'm wrong but if, by any chance, same happens to ReadyNAS users the possible rescue could be to switch the server emediately, take disks out, connect them to a computer, mount them and copy data to other disks, right? And then to make a factory reset with disks back in the device.By the way, is there any way to change the ports services listen to on ReadyNAS devices? From this forum I know it's very hard - but not impossible - to chanage the default SSH port. How about other services?

SSH port is easy to change. HTTP / HTTPS / FTP /FTPS ports should be possible to change too. I however doubt you can change SMB port or AFP port as clients do not ask ports and this would make those services inusable. I also doubt that changing the ports would be of any help. I would personally not forward the ports from internet, maybe rise iptables on the outside interface. Nevertheless if you want to change those ports at your own risks you have two options : - Using iptables redirect (not sure if readynas has all the modules but you could give it a try). If you can do it on a single interface (either eth0 or eth1) that is the safest option as you could still recover from the other interface. You can also choose to make changes persistent or not after a reboot. - Using config files (openSSH, Apache, Proftpd). But you would have to do it again after any update. Once again, I don't think this would make much of a difference for this particular case as most (if not all) of those ports are not available through internet. I do not know how readyNAS encryption works, if it does it file by file then you are right. If it takes the volume offline to do a full volume encryption, I don't know. Either way, I strongly recommend using a backup before it happens than to react while it happens. What if you are at work ? What if you don't get the alert ? An USB backup is a good option here too, not expensive if you have less than 3Tb data but definitely safer than any other option as it is disconnected from the NAS and even if it is connected it has no operating system to infect. The firmware can be infected though. Creating a user with "sudo" power can be a solution too as it should have access to encrypted files because it will act as root. Maybe the malware didn't think about erasing existing user accounts but just cut the servers out or change rights on the files.

If you map NAS shares to windows drive letters, then the mapped drive is vulnerable to normal cryptolocker.I wouldn't allow SSH, SMB or AFP ports to be forwarded through my NAT router.Overall, the ReadyNAS could be vulnerable, though as xeltros says w/o knowing more details it is hard to say. I do recommend installing current firmware if you are down-rev, since the recent releases have had security patches.

Seen ReadyNAS systems with https/ssh open to the net with rootkits installed before. Usually default passwords caused it.

Is ransomware attack on ReadyNAS possible?

24 Replies

Replies have been turned off for this discussion

StephenB
Guru - Experienced User
Aug 07, 2014
Ideally ports would not need to be forwarded - which is what I was getting to above. The NAS is safer if secured and authenticated interfaces are available for all functions and used by default out-of-the box. The home network as a whole is safer if port forwarding isn't needed to provide any services.

If its easier for people to deploy and use a secure solution than it is for them to deploy and use less secure options, then a lot of the problems go away.
ukbobboy
Luminary
Aug 09, 2014
Cheers StephenB

You have definitely hit "the nail on the head", inbuilt security solutions, for the ordinary guy, are far better than trying to find and use third party ones.

UK Bob

PS: As I pointed out in an earlier post, I am now far too conservative to mess around with "port forwarding" or any other facility that will weaken my overall security, years ago I did but now "no-way".
chirpa
Luminary
Aug 09, 2014
Having Remote or Genie running on the system bypasses Port Forwarding and such also, giving another possible attack vector via NETGEAR servers, if they were hacked themselves.
StephenB
Guru - Experienced User
Aug 09, 2014
chirpa wrote:
Having Remote or Genie running on the system bypasses Port Forwarding and such also, giving another possible attack vector via NETGEAR servers, if they were hacked themselves.
True. End to End authentication would reduce the risk, but it is still there. Remote's performance is also hit-or-miss.

VPN technology in home routers is another approach.

There are other further-out approaches that could be taken, but I think they are largely research areas for now. In theory you can use a p2p network to securely transfer files (and detect the "poison packets" that can kill torrents), which would be rather cool.

Forum Discussion

Is ransomware attack on ReadyNAS possible?

24 Replies

Related Content

Ultimate protection from Ransomware - #Webinar

Ransomware Protection Idea

Protection agains ransomware

Ransomware - how to prevent on RN528X and RN424 (and RN212)

SMB access versus Ransomware

NETGEAR Academy

ProSupport for Business