February 3, 2022: This post has been updated since it was originally published on January 18, 2022 to reflect the most recent security alerts from NAS manufacturers.
February 10, 2022: This post has been updated since the last update on February 3, 2022 to reflect recent guidance from QNAP on preventing DeadBolt ransomware.
May 20, 2022: This post has been updated since the previous update on February 10, 2022 to reflect recent guidance from QNAP on new DeadBolt ransomware attacks.
If you use a NAS device for your business or home network, chances are you invested in it to achieve a greater level of data redundancy and protection. You’re deliberate about the care and protection of your data. Unfortunately, ransomware operators have been ramping up attacks on NAS devices over the past year, especially in the past few weeks, which could mean you’re facing more risk.
Integrated Backblaze partners QNAP and Synology have smartly issued alerts and offered new guidance to help users better protect their data from these attacks. QNAP’s recent alerts urged users to take immediate action to ensure the security of their devices.
Since many of you use Backblaze B2 Cloud Storage to back up or build from your NAS devices, this post outlines the recent alerts, the nature of the attacks, and the steps you can take to protect your data.
Recent Alerts
- QNAP Statement, May 19, 2022: “Take Immediate Actions to Secure QNAP NAS, and Update QTS to the latest available version.”
- QNAP Security Advisory QSA-22-02, February 2, 2022: “DeadBolt Ransomware.”
- QNAP Statement, January 26, 2022: “Take Immediate Actions to Stop Your NAS from Exposing to the Internet, and Update QTS to the latest available version. Fight Against Ransomware Together.”
- QNAP Statement, January 7, 2022: “Take Immediate Actions to Secure QNAP NAS.”
How Cybercriminals Attack Your NAS
Attackers typically exploit known vulnerabilities, and may also use brute-force attacks, trying passwords until they gain access, so they can plant ransomware on NAS devices. In August of 2021, Palo Alto Networks, a security research firm, identified a variant of eCh0raix ransomware that targets Synology and QNAP NAS devices.
QNAP’s January 7 alert didn’t specify the ransomware strain involved in the attacks they’re seeing, but if they’re not using eCh0raix, they’re likely using something similar.
QNAP’s January 26 alert identified a new type of ransomware named DeadBolt. DeadBolt has been widely targeting all NAS devices exposed to the internet without any protection and encrypting users’ data for Bitcoin ransom. Specifically, DeadBolt exploited a vulnerability in QTS and QuTS hero.
QNAP’s May 19 alert reported their recent detection of a new attack by the DeadBolt ransomware. The attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series. QNAP urged all NAS users to check and update QTS to the latest version as soon as possible, and to avoid exposing their NAS to the internet.
What You Can Do
Even conscientious NAS users may occasionally miss the latest security updates and patches, leaving devices vulnerable. And cybercriminals exploit these vulnerabilities.
Here are a few immediate steps you can take to protect your data:
- Sign up for security alerts from your device manufacturer, and apply the latest security patches as soon as possible. For the latest security updates, check the QNAP Security Advisories page and Synology Product Security Advisory page regularly.
- Use best practices when it comes to passwords to make brute-force attacks more of a challenge for attackers, including changing passwords regularly and using complex passwords.
- Prevent network attacks by limiting device connections to a hard-coded list of IP addresses.
QNAP-specific Prevention
QNAP issued specific instructions on both January 7 and January 26 urging all users to disconnect their devices from the internet immediately. They recommend the following steps:
First, check whether your NAS is exposed to the internet. Open the Security Counselor on your QNAP NAS. Your NAS is exposed to the internet and at high risk if the dashboard shows the message “The system administration service can be directly accessible from an external IP address via the following protocols: HTTP.”
Note: QNAP recommended users check here to know which ports are exposed to the internet.
If your NAS is exposed to the internet, QNAP recommends the following steps:
- Disable the port forwarding function of the router.
  Go to the management interface of your router, check the virtual server, NAT, or port forwarding settings, and disable the port forwarding setting of the NAS management service port (port 8080 and 433 by default).
- Disable the UPnP function of the QNAP NAS.
  Go to myQNAPcloud on the QTS menu, click Auto Router Configuration, and deselect Enable UPnP Port forwarding.
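A way to verify the result of the two steps above, as an added example that is not from QNAP or the original post: it parses a router port-mapping listing in the layout printed by miniupnpc's `upnpc -l` (assumed) and reports every mapping that still points at the NAS. The NAS address 192.168.1.50, the sample listing, and the management port set (8080 and 443) are constructed assumptions.

```python
import re
from ipaddress import ip_address

# One mapping line in the layout miniupnpc's `upnpc -l` prints (assumed):
#   idx proto extPort->intAddr:intPort 'description' 'remoteHost' lease
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

# Assumed management ports: 8080 (HTTP) and 443 (HTTPS). Change these if the
# NAS web interface was moved to other ports.
MGMT_PORTS = frozenset({8080, 443})

# Constructed sample listing; 192.168.1.50 stands in for the NAS.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS Web Admin' '' 0
 1 TCP 51413->192.168.1.23:51413 'Desktop app' '' 0
 2 TCP  8443->192.168.1.50:443   'NAS Web Admin SSL' '' 0
 3 UDP  1194->192.168.1.50:1194  'NAS VPN' '' 0
"""


def audit_mappings(listing, nas_ip, mgmt_ports=MGMT_PORTS):
    """Return the port mappings that still forward traffic to the NAS."""
    nas = ip_address(nas_ip)
    findings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # header, blank line or other tool output
        proto, ext_port, int_addr, int_port, desc = m.groups()
        try:
            target = ip_address(int_addr)
        except ValueError:
            continue  # malformed address, not a usable mapping
        if target != nas:
            continue  # forwards to a different LAN host
        findings.append({
            "proto": proto,
            "external_port": int(ext_port),
            "internal_port": int(int_port),
            "description": desc,
            # Management ports reachable from outside are the urgent case.
            "severity": "HIGH" if int(int_port) in mgmt_ports else "REVIEW",
        })
    return findings


if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_LISTING, "192.168.1.50"):
        print(f"{f['severity']:6} {f['proto']} {f['external_port']} -> "
              f"{f['internal_port']} ({f['description']})")
```

An empty result means no listed mapping points at the NAS. Forwarding rules created by hand on the router may not appear in a UPnP listing, so the router check in the first step is still needed.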
QNAP also issued security advisories on February 2 and May 20 with instructions to protect QNAP devices from DeadBolt ransomware. They recommend updating QTS or QuTS hero to the latest version immediately and avoiding exposing NAS devices to the internet.
If your QNAP NAS was already attacked by DeadBolt, they recommend upgrading to the recommended firmware version; the built-in Malware Remover will then quarantine the ransom note, which hijacks the login page. If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, they recommend contacting QNAP Support for assistance.
Here’s how to update QTS or QuTS hero:
- Log on to your NAS as an administrator: in a web browser, type http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi in the address bar.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- QTS or QuTS hero downloads and installs the latest available update.
You can also download the update from the company’s website. Go to Support > Download Center and then perform a manual update for your specific device.
Synology-recommended Prevention
Synology provides users with a number of resources to help them increase the security of their NAS devices. To keep your Synology data secured, check out their knowledge base article on how to add extra security to your NAS or their blog post outlining “10 Security Tips to Keep Your Data Safe.”
Following security best practices, they recommend using complex passwords, setting expiration dates for passwords, and being very cautious with public ports. They also recommend enabling Security Advisor. Security Advisor is a built-in DiskStation Manager (DSM) app that scans your Synology NAS, checks your DSM settings, and gives you advice on how to address security weaknesses.
Protect Your Data With NAS Backups
Keeping your device up to date on security patches and updates and closely monitoring alerts from your device manufacturer will go a long way toward protecting your data. For the latest security updates, check the QNAP Security Advisories page and Synology Product Security Advisory page regularly. However, if you are operating without a backup, you’re at risk of data loss. Data recovery is much easier with a backup copy of your data saved in cloud storage.
Your vigilance plus a strong backup system could make all the difference in the event of a ransomware attack. Learn more by downloading our Complete Guide to Ransomware.