ukbobboy (Luminary)
May 13, 2017
Ransomware blazing around the world
Hi Guys
As you know, there is a Ransomware worm attacking computers around the world, and it seems to be the most infectious malware ever released. So I was wondering if Netgear was planning to release a security update to prevent this "thing" from infecting its NAS products.
UK Bob
3 Replies
- mdgm-ntgr (NETGEAR Employee Retired)
It's my understanding that the problem in this case is that users haven't been installing Windows updates (Microsoft has already released a security fix quite a while ago) and have been infected due to an old flaw being exploited. It's your choice whether to install security updates on your PCs or not. Another key common cause of malware infection, namely clicking on a suspect attachment in an email on your Windows PC, we can't stop you from doing either.
We don't run Windows on our NAS units. Our OS is based on Debian Linux.
There are two very different possibilities with ransomware:
1. A PC on your network gets infected and encrypts your files on your NAS e.g. via a mapped network drive
2. Your NAS gets directly infected
With possibility 1, snapshots (on OS6, note these are very different to the snapshot on RAIDiator) can help both on the NAS and on any backups that you have. On current firmware we keep the last two automatic snapshots if we have to delete the older snapshots to keep volume usage down below the threshold you've set (by default to try to keep volume usage below 90% full or if you last factory reset on very old firmware 95% full).
It's important to note though that with some use cases snapshots don't work very well. There is the option to enable/disable snapshots for each share/LUN.
With possibility 2, a hacker could potentially do anything on your box if they have obtained root access to it. Of course it's possible that possibility 1 could lead to possibility 2.
Consequently we'd recommend that you consider the risks and take appropriate steps to back up your data. Backups directly from one NAS to another, but also backups to USB disks or tape that are disconnected and "offline" would be a good strategy.
If you are comfortable with backing up to CLOUD providers it's possible they may also have taken steps to be able to recover their customers' data from backups if they are hit by a ransomware attack. Note though if you store the only copy of data on one Cloud provider you shouldn't consider it backed up. They would have clauses in their T&Cs indicating that they're not responsible for data loss. Bi-directional syncing if used would also mean that any changes made are replicated to all the devices.
It's important to note that ReadyCLOUD on our NAS is quite a different thing from a CLOUD provider that stores your data in a remote location (I was referring to the latter above).
If in the worst case your online backups are completely compromised the offline backups hopefully will still be O.K.
If your systems are infected it's best to shut them down ASAP to limit the spread of the infection. We do have a volume read-only mode that can be used to copy off files that aren't infected (with possibility #1 and perhaps even possibility #2) if you catch things in time.
Some work has been done by 3rd parties on figuring out how to decrypt files encrypted by various malware strains. If you've been infected by an old strain or don't need the data back urgently you may be fortunate and find that some time down the line (could be a long time) such a tool is released for the variant that attacked you, but it may not.
Ultimately you need to decide what level of risk you're comfortable with. It's your responsibility to make sure you have sufficient backups to protect against various problems (ransomware is just one of these). It's certainly much better to consider this before running into problems than wish you had afterwards.
There are various things you should consider including but not limited to: a strong firewall, running anti-virus software (may help with identifying suspicious files before they are opened), and locking down write access to shares or subfolders/files to only those users who absolutely need it. The malware can't encrypt files on your NAS if it's unable to gain write access to them.
There's things like setting a strong password, not forwarding ports that you don't need to etc. as well.
You may wish to consult 3rd party experts for their opinions and advice as they might be able to give you some helpful further suggestions.
If you believe you've identified a security threat with any of our products we have instructions for reporting it here.
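An added example, not part of mdgm-ntgr's post and not NETGEAR code: for possibility 1, it compares a browsable snapshot copy of a share with the live share and sorts files into intact, modified, likely encrypted and missing, so you know what to copy off and what to restore. The directory layout, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib, math, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off (compressed media also exceeds it)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(snapshot: Path, live: Path) -> dict:
    """Classify every file in the snapshot against the live share."""
    report = {"intact": [], "modified": [], "likely_encrypted": [], "missing": []}
    for snap_file in sorted(p for p in snapshot.rglob("*") if p.is_file()):
        rel = snap_file.relative_to(snapshot)
        live_file = live / rel
        if not live_file.is_file():
            report["missing"].append(rel.as_posix())  # deleted, or renamed with a new extension
            continue
        old, new = snap_file.read_bytes(), live_file.read_bytes()
        if old == new:
            report["intact"].append(rel.as_posix())
        elif entropy(new) >= ENTROPY_THRESHOLD > entropy(old):
            report["likely_encrypted"].append(rel.as_posix())  # readable before, random-looking now
        else:
            report["modified"].append(rel.as_posix())  # ordinary edit, or already high-entropy data
    return report

def demo() -> dict:
    """Triage a constructed snapshot/live pair built in a temporary directory."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # ciphertext stand-in
    text = b"Quarterly figures, draft 3\n" * 150
    files = {"docs/report.txt": (text, noise),            # overwritten in place
             "docs/notes.txt": (text, text + b"edit\n"),  # normal user edit
             "docs/plan.txt": (text, text),               # untouched
             "docs/budget.txt": (text, None)}             # no longer on the live share
    with tempfile.TemporaryDirectory() as tmp:
        snap, live = Path(tmp, "snapshot"), Path(tmp, "live")
        for root in (snap, live):
            (root / "docs").mkdir(parents=True)
        for rel, (old, new) in files.items():
            (snap / rel).write_bytes(old)
            if new is not None:
                (live / rel).write_bytes(new)
        (live / "docs/budget.txt.locked").write_bytes(noise)  # constructed renamed copy
        return triage(snap, live)

if __name__ == "__main__":
    print(demo())
```

Files that were already compressed or encrypted in the snapshot land in "modified" rather than "likely_encrypted", because entropy alone cannot tell them apart; treat both lists as restore candidates.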
- ukbobboy (Luminary)
Hi MDGM
Your reply is very comprehensive and, I suspect, aimed at a wider audience than just me. However, your answer can be boiled down to a simple saying, i.e. User, help thyself, and no, there are not any current plans to prevent NASes from being attacked by this current scourge.
Personally, I have no argument with this because "an ounce of prevention is always better than a pound of cure".
But still, Netgear has been known in the past to release "security updates" and this was all I was inquiring about.
UK Bob
- mdgm-ntgr (NETGEAR Employee Retired)
It's my understanding that the strain that is getting a lot of media attention at the moment exploits an old Windows vulnerability. We don't run Windows on our NAS.
If your PC gets infected then it can encrypt files on any network share it's connected to and has write access to including your NAS. That's totally out of our control.
We strive to keep our systems patched well, but there are never any guarantees. It's possible that an exploit may be found and exploited.
A competitor had a highly public ransomware infection incident a while back. The users impacted if I recall correctly were running old, out-of-date firmware.
If you keep your firmware up to date, don't forward ports, set a strong password etc. you do work to limit your risk.