NAS drives & backup systems attacked by new ransomware attack

News by Rene Millman

A previously undetected ransomware attack has been discovered targeting Network Attached Storage (NAS) that poses new risks for back-up data usually stored on such devices.

Researchers at Kaspersky have discovered a previously undetected ransomware attack that is targeting Network Attached Storage (NAS) that poses new risks for back-up data usually stored on such devices.
Following the release of Kaspersky’s Q3 IT Threat Evolution Report, the Encryption ransomware is a malware that applies advanced encryption methods so files cannot be decrypted without a unique key. This leaves the infected device owner stuck with a locked device and a demand to pay a ransom in order to regain access to files. 
While users are typically infected with ransomware via email or exploit-kits planted on websites, the new type of attacks on NAS devices use a different vector. Ransomware operators scan ranges of IP addresses looking for NAS devices accessible via the web. Although only web interfaces protected with authentication are accessible, a number of devices have integrated software with vulnerabilities in it. This allows the attackers to install a Trojan using exploits, which will then encrypt all data on the devices connected to the NAS, according to researchers.
"Previously encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS", said Fedor Sinitsyn, security researcher at Kaspersky.
"This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable. NAS devices are usually purchased as complete and secure products, which as it turns out is not the case. Consumers and especially business users need to therefore remain cautious when protecting their data."
The report also found that the number of new encryption ransomware modifications grew from 5,195 in Q3 2018 to 13,138 in Q3 2019 marking a 153 per cent increase. This development signals cybercriminal interest in this type of malware as means of enrichment, according to researchers.
Javvad Malik, security awareness advocate for KnowBe4, told SC Media UK that ideally NAS and other backup systems should be offline and not accessible through the internet. 
"Any organisation with NAS devices should ensure they are kept fully patched and up to date to prevent criminals from being able to directly infect them, or use the NAS as a launchpad into the environment," he said.
"Backups should be shipped to offsite locations frequently, so that even if onsite NAS is infected or fails, there is a safe copy from which data can be restored. Most ransomware is successful either due to taking advantage of unpatched systems or through social engineering attacks. So, organisations should take stock of their assets and ensure any publicly exposed ones are kept patched as well as ensuring all staff receive regular and up to date security awareness and training."
Kelvin Murray, senior threat research analyst at Webroot, told SC Media UK that NAS devices can be encrypted from direct attacks such as eCh0raix, but they are much more likely to be encrypted by attacks launched from connected machines. 
"As well as securing your NAS devices through proper setup, password and patching policies any connected devices should be secured also. Stopping ransomware and being cyber-resilient involves updates, security systems such as AV, proper password policy, proper access policies and other well known steps," he said.
"NAS devices such as these should not be used as the only backup for an organisation. Once a machine is compromised the data on these devices is easily compromised too, so backups need to be air-gapped or have very limited and secured access."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews