Stopping The Growing Ransomware Threat To The NAS Market

Forbes Technology Council

Austin Gadient is CTO and cofounder of Vali Cyber. Vali’s product ZeroLock autodetects and rolls back security threats such as ransomware.

It is no secret that NAS devices are frequently targeted by ransomware attacks, and for good reason.

1. Critical data is often stored on these devices.

2. NAS devices typically store large amounts of data.

3. NAS is a large, fast-growing market with $25.08 billion in revenue in 2021, growing to $91.23 billion in 2028 (at a CAGR of 20.3% for the forecast period).

NAS devices run Linux operating systems, so malware written for servers is easily ported to these devices. Users of NAS devices often assume their storage systems are secure and neglect to change default passwords or make the mistake of opening their devices to the broader internet. Thus, NAS devices are not only high value but are frequently soft targets for attacks across consumer, SMB and enterprise customer markets.

There are also few ransomware security solutions available for NAS devices. Several high-profile attacks against NAS devices over the last three years have caused millions of dollars in damages and ransom payments, including a campaign launched against QNAP devices followed by a subsequent campaign against ASUSTOR devices in February of 2022. The attacks in 2022 were all perpetrated by the Deadbolt family of ransomware. In February of 2023, a critical CVE for QNAP NAS devices was released, leaving them vulnerable to further exploitation by Deadbolt campaigns.

The best advice given to most users of NAS devices is to protect their systems by making them inaccessible over the internet, performing regular updates, adjusting firewall rules and implementing strong passwords. While helpful, these strategies often fail to be adopted both in large organizations and by individual consumers due to a lack of awareness or technical ability to act. As a result, NAS devices continue to be held for ransom on a regular basis, and this trend shows no signs of stopping. Even worse, vulnerabilities in NAS software are found quite often, leaving gaps that prevention methods such as strong passwords cannot fix. Here are three examples released in 2023, 2021 and 2020.

To combat the growing threat, basic cyber hygiene must be followed. Many of these ransomware attacks are successful because vulnerable NAS devices are exposed to the public internet. Take inventory of all NAS devices and ensure those that are accessible to the internet truly require this level of exposure. If you must expose a system, it is essential to validate that its firewall is properly set and access to management ports such as SSH is restricted appropriately. Most NAS devices come with default administrative credentials for initial setup. These credentials must be updated with strong passwords.

Additionally, avoid using standard administrative usernames such as “admin” or “root.” These usernames are often the first to be guessed by brute-forcing attempts. Finally, make sure an update strategy exists for all NAS devices under management. This step ensures they remain patched against the latest vulnerabilities.

While the standard advice listed above will stop many attacks, it is not bulletproof. If there is an exploitable zero-day vulnerability for a NAS device that is exposed to the internet, attackers can take advantage of it to launch ransomware campaigns. One way to implement additional security is through advanced behavioral detection solutions. Behavioral detection for ransomware actively searches for threats based on the operations a program performs. Ransomware’s behavior is quite distinguishable from other programs, meaning it can be detected without many false positives.

Behavioral detection has an advantage over traditional signature or file-scanning methods because it is robust against new versions of malware. To understand why, it is important to first recognize that ransomware behavior hasn’t changed much since its resurgence in the 2013 CryptoLocker campaign. What does tend to change in ransomware campaigns are the underlying malware samples and delivery mechanisms used for attacks. These types of changes bypass signature-based detection but not behavioral detection because ransomware still operates in the same manner.
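
To make the idea concrete, here is a minimal behavioral heuristic, added as an illustration and not taken from ZeroLock or any other product: it flags a process that overwrites several distinct files with high-entropy data inside a short window, regardless of what the binary looks like. The event tuple format, the thresholds and the sample events are all assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for this sketch; a real product tunes these per workload.
ENTROPY_MIN = 7.2    # bits per byte; encrypted output approaches 8.0
FILES_MIN = 3        # distinct files overwritten with high-entropy data
WINDOW_SECS = 10.0   # sliding window in which those overwrites must occur

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: (timestamp, pid, op, path, payload) tuples. Returns flagged pids."""
    recent = defaultdict(list)   # pid -> [(timestamp, path)] of suspicious writes
    flagged = set()
    for ts, pid, op, path, payload in sorted(events, key=lambda e: e[0]):
        if op != "write" or shannon_entropy(payload) < ENTROPY_MIN:
            continue             # ordinary document writes are ignored
        recent[pid].append((ts, path))
        # Keep only suspicious writes that fall inside the sliding window.
        recent[pid] = [(t, p) for t, p in recent[pid] if ts - t <= WINDOW_SECS]
        if len({p for _, p in recent[pid]}) >= FILES_MIN:
            flagged.add(pid)
    return flagged

# Constructed sample data: CIPHER is a uniform-byte stand-in for ciphertext.
CIPHER = bytes(range(256)) * 8
TEXT = b"quarterly report, draft 3\n" * 80
SAMPLE_EVENTS = [
    # pid 101: office-style job, many files but low-entropy content
    (0.0, 101, "write", "/share/docs/a.txt", TEXT),
    (0.5, 101, "write", "/share/docs/b.txt", TEXT),
    (1.0, 101, "write", "/share/docs/c.txt", TEXT),
    # pid 202: compressor, high entropy but a single output file
    (1.0, 202, "write", "/share/backup/nightly.tar.gz", CIPHER),
    (2.0, 202, "write", "/share/backup/nightly.tar.gz", CIPHER),
    (3.0, 202, "write", "/share/backup/nightly.tar.gz", CIPHER),
    # pid 303: ransomware-like, many files rewritten with high-entropy data
    (4.0, 303, "write", "/share/docs/a.txt", CIPHER),
    (4.2, 303, "write", "/share/docs/b.txt", CIPHER),
    (4.4, 303, "write", "/share/photos/p.jpg", CIPHER),
    # pid 404: high-entropy writes spread far apart in time
    (5.0, 404, "write", "/share/x.bin", CIPHER),
    (50.0, 404, "write", "/share/y.bin", CIPHER),
    (100.0, 404, "write", "/share/z.bin", CIPHER),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Swapping the malware sample or the delivery mechanism changes none of the signals this check relies on, which is why the backup and compression jobs in the sample are not flagged while the mass-overwrite process is.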

Beyond detection, a good solution to consider for the ransomware problem on NAS devices should include rollback, meaning the solution is able to undo any damage malware caused to files. Another beneficial feature is the ability to remove malware from a system in case an attacker left it there to gain persistence or to rerun their malware periodically. Many NAS devices run Docker, which allows users to easily install and leverage a wide ecosystem of security software to protect their systems. So, users do have access to additional security options beyond the standard advice of keeping systems updated, firewalls properly tuned and passwords strong.

The ransomware threat to NAS devices is severe. Fortunately, there is a growing list of solutions to turn the tide against threat actors.

