Data Protection Tool

Ransomware is Coming After Your NAS, Storage Devices

Picture of Tracy Rock

Tracy Rock

Director of Marketing @ Invenio IT



It was only a matter of time.

Researchers have detected a surge in the number of ransomware strains that are directly targeting NAS and other backup storage devices. And to make matters worse, many businesses appear to be unprepared for the threat.

Here’s what you need to know about these new attacks and what to do about it.

What we know so far

For months, researchers at Kaspersky have been advising users about the risks of ransomware targeting NAS devices and other backup storage, according to ZDNet. Reports first surfaced about the risk last July. But for the most part, the threat never really materialized – until recently.

Back in 2018, ZDNet found little evidence that ransomware was specifically going after NAS. But 2019 has been a different story. Researchers say “a range of new ransomware families have emerged with NAS-exploit capabilities” that allow an infection to take root in these backup devices and spread outward across the network.

How does it work?

Ransomware typically infects computers by deceiving users with phishing attacks or other emails containing malicious links and attachments. Some strains, however, take advantage of vulnerabilities in applications, operating systems and connected devices.

That’s what is happening here, as attackers are now attempting to exploit network-attached storage devices and other systems.

Specifically, Kaspersky found that the new ransomware strains were exploiting the integrated software in some NAS systems. In turn, this allowed the attackers to bypass the user authentication and gain access to the device without the standard login process.

Where the attackers get in

So, how do attackers know which devices to target and where they’re located? It all begins with an IP address scan.

Attackers are using software to rapidly scan the Internet for vulnerable NAS devices. As ZDNet explains, “To begin an attack chain, operators will first perform a scan of a range of IP addresses to find NAS devices that are accessible via the Internet. Exploits of unpatched vulnerabilities are then attempted, and if successful, Trojans will be deployed and data encryption of all devices connected to the NAS drive begins. ”

NAS ransomware is on the rise

While ransomware detections, overall, have dipped at times over the last year, there are signs that strains like “NAS ransomware” are the new rage among cybercriminals.

Kaspersky said in its quarterly report that overall ransomware detections fell 11 percent in Q3 2019 vs. the same quarter in 2018. But the rate of new ransomware strains is surging.

The number of ransomware families and modified strains increased from 5,195 to more than 13,000 in the last 12 months alone. This is evidence that the threat is not actually waning but evolving as attackers look for new, more lucrative ways to infect your data.

NAS is the new black

Researchers say they are seeing a rapid development of ransomware families that are focused solely on targeting NAS devices.

An official at Kaspersky told ZDNet, “This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable.”

A troubling trend

These numbers reflect the same broad findings that the FBI warned about in a recent statement about ransomware.

In October—a full two years after the WannaCry and NotPetya attacks—the FBI warned that ransomware attacks still pose a serious threat to U.S. businesses and organizations.

While the overall frequency of ransomware attacks “remains consistent,” officials wrote, “Ransomware attacks are becoming more targeted, sophisticated, and costly … The losses from ransomware attacks have increased significantly.”

Indeed, if businesses are using vulnerable NAS devices as their primary means of data backup, then these attacks are undoubtedly costing them a fortune.

A quick ransomware refresher

If you’re new to ransomware, you’re not alone. Despite numerous high-profile attacks and widespread alarm about ransomware over the past two years, many in the business community are still unfamiliar with the threat.

In a recent survey of IT providers, only 26% said their business clients shared their heightened concern about ransomware. Many businesses just aren’t taking it seriously or don’t know enough about it.

Ransomware is a uniquely destructive form of malware that encrypts data on your computers. Encrypted data cannot be accessed without paying the attackers for a decryption key (though paying this ransom doesn’t guarantee you’ll get the key). The malware often spreads across a network, rendering critical data inaccessible and applications unusable.

Operational downtime from ransomware can cost businesses between $10,000 to $5 million per hour, depending on the size of the company.

Which NAS devices are vulnerable?

It’s unknown exactly which vendors’ NAS products are most at risk, though attackers are likely searching for vulnerable systems indiscriminately.

In July, Taiwanese NAS developer Synology issued a warning that “several users were under a ransomware attack, where admins’ credentials were stolen by brute-force login attacks.”

Synology noted that these particular attacks were not due to system vulnerabilities, but they cautioned the need to take proactive steps to prevent a successful infection.

Independent researchers warned that Synology devices were not the sole target. The same techniques were being used on other vendors’ products as well.

How to protect your data

Just because attackers are taking advantage of vulnerabilities in NAS devices doesn’t mean there’s nothing you can do.

Like all other ransomware threats, there are numerous measures you can take to help minimize the risk of an infection. And remember: the culprits are specifically going after weakly defended systems. So the obvious solution is to maximize your defense. Let’s look at some ways to do it.

When was the last time you updated your NAS?

Attackers are hoping you’ve forgotten. Because if you haven’t recently updated your NAS’s software or firmware with the latest security patches, then it’s a cyberattack waiting to happen.

While every vendor is different, it’s critical that your data storage devices are updated promptly if/when patches are released. Typically, updates become available after new vulnerabilities have been identified. Savvy hackers quickly jump on this news to begin taking advantage of outdated devices.

If applicable, set your devices to update automatically. And consider speaking directly with the vendor or your managed-service provider to make sure your NAS isn’t vulnerable.

Block inbound Internet access

Unless it’s absolutely critical for the function of specific NAS services (i.e. communication with the cloud or offsite device management), then your NAS device should not allow inbound Internet access. In addition to configuring this on the device, if applicable, this traffic should be blocked from the edge of the network via the router or firewall.

If you need to allow some inbound communication, make sure it’s through designated ports. Otherwise, block all unknown / untrusted WAN hosts. Some NAS devices have their own firewalls with additional settings that can be configured to block potential threats.

Beef up those passwords

Brute-force attacks will remain a key way for attackers to take over NAS devices, regardless of whether other vulnerabilities exist. Brute-force is a method in which attackers use software to break through login pages by rapidly guessing numerous username/password combinations.

Stronger passwords, incorporating a wide array of random characters and symbols, make it much more difficult for brute-force attacks to be successful.

Some devices can be configured to require stronger passwords and also limit the number of failed login attempts (including the blocking of IP addresses where those attempts originated).

Limit access and enable two-factor authentication

Only select personnel should have access to a business’s NAS device, as part of their job responsibilities. A limited number of users will reduce the risk of someone’s credentials being compromised.

Additionally, require two-factor authentication for the users that do have access. This will ensure that every login is verified with a secondary method, i.e. a smartphone authenticator app.

Replace vulnerable hardware

To put it bluntly, you shouldn’t be using NAS devices that have vulnerabilities allowing attackers to gain access to your data by bypassing the login altogether.

Speak with your IT provider to perform an audit of your NAS devices and other infrastructure to make sure it’s secure. If you’re using outdated hardware or devices from unknown vendors, it’s probably time to consider replacing it.

Don’t use NAS as your sole form of backup

NAS is a convenient place to store data and backups, while making it accessible to others on the network. Additionally, some NAS devices include backup services, like versioning, which allow you to quickly roll back to previous versions of files.

However, a NAS device should NOT be your sole method of backup.

NAS is ideal for storing and sharing data over a network. But only a robust data backup and disaster recovery solution will ensure continuity after disasters like ransomware attacks, server failure and widespread data loss.

A dependable, hybrid-cloud BC/DR system can replicate your entire infrastructure—not just the files—and enable faster, more fluid recovery options. So in the event that your NAS or other storage devices are locked up by ransomware, you’ll still have reliable backups to fall back on.

Learn more

For more information on how you can protect your NAS and other systems from ransomware, request a free demo of BC/DR solutions from Datto. Contact our business continuity experts at (646) 395-1170 or email

New call-to-action
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles