The recent ransomware attack on QNAP-branded NAS devices has made more than one owner of this kind of storage nervous. A NAS can serve as protection against data deletion (accidental or not), but if it is compromised it becomes an additional problem.
Avoiding malware with 100% certainty is impossible, but here are some tips to minimize the probability of being affected by this type of attack if we have a NAS, whatever the brand.
Update the software
The first thing, even if it is a bit of a truism, is to keep the NAS updated. Always use the latest available version of the operating system and of the applications we are using. That way, the only security flaws malware writers can exploit are zero-day ones, that is, those that have not yet been discovered by the manufacturer.
To make this more bearable, it is best to configure the NAS to perform updates automatically, at least for the software packages; the operating system may require a little more monitoring.
[Image: Auto-update setup on Synology]
If we do not have auto-update enabled because we prefer to monitor the process, we must at least enable some type of notification on our phone to tell us when updates are available. Do not forget that the NAS is sometimes used continuously but from different environments (applications), so we may never see its notification center.
Do not use the administrator user
Keeping the NAS up to date greatly limits potential problems, but just as users have many ways to access the NAS, so does ransomware. Most cases of data encryption on a NAS do not come from security flaws, but from a compromised PC on the network that has the NAS mounted as one more data drive.
A very common way of using the NAS is as one more network drive. If a computer on the network has been infected with ransomware and is authenticated as an administrator on the NAS, the ransomware has the ability to remotely encrypt the entire drive.
Although it may seem that using the administrator user is not very frequent (and that is indeed the case in business environments), at a domestic level it is quite common. If we are in that situation, the recommendation is to switch to a user with normal permissions.
[Image: Enable two-step authentication on Synology]
To make this procedure less tedious, simply create a new administrator account and, once this is done, log in with it and remove the administrator permissions from the account we were already using. From now on, to install new packages or change configurations, we will have to log in with this new account exclusively.
In addition, for more security, this administrator account should have two-step authentication enabled (various brands of NAS allow it), to prevent a stolen password from being enough to log in.
Not using the administrator account does not prevent a ransomware-infected PC on the network from encrypting all of that user’s files on the NAS, but if backups and snapshots are set up under the administrator account, the data can be recovered.
Back up the NAS
Both to guard against ransomware and to cope with an unforeseen hardware failure of the NAS (of its hard drives), it is important to back up the data. A NAS provides many facilities to do so.
There are multiple cloud services for these backups; it is enough to install the corresponding application from the administrator account and configure the cloud service account to perform the task.
[Image: Synology applications for backup]
Dropbox, Amazon S3, Google Drive and a long list of other cloud services are available for these backups. We just have to choose one based on price and functionality and start using it to keep the data safer. The backup can be continuous or run at a specific time of night to avoid loading the NAS during the hours of most intensive use.
If the cloud service allows us to recover old versions of the files, we will be better protected against a ransomware attack, since if we take time to realize that we are victims of an attack, the backups could also be encrypted.
It is important that the regular user is not the one who performs the backups, because if its password is stolen through access to the network folder, malware could disable the backup or even delete it.
Some NAS devices (such as Synology or QNAP) can enable snapshot creation. With snapshots, when a file is created or modified, only the changes are actually written to the file system.
Thanks to this functionality it is possible to go back, as if it were a time machine, and recover old versions of the files. It is an ideal feature in case of a ransomware attack.
[Image: Snapshots on Synology]
It is important, again, not to use the administrator account regularly and to have it well protected (complicated password, two-step authentication) to prevent sophisticated software from disabling snapshots before encrypting files.
Usually the biggest fear about enabling snapshots is hard drive usage, but they don’t really take up much, since all they do is store the differences when files change, and those are usually small. If large files are deleted, the space they occupied remains in use. To reduce hard drive usage, the ideal is to limit how long snapshots are kept, for example keeping one daily for a week (to recover accidental deletions) and then a monthly one for several weeks (to protect against a ransomware attack).
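The retention scheme described above can be checked with a short script. This is an added example, not code from the article or from any NAS vendor: the function names are hypothetical, the snapshot timestamps are constructed, and keeping the first snapshot of each of the last three months is an assumption about what "a monthly one" means.

```python
from datetime import datetime, timedelta

def select_snapshots(snapshots, now, daily_days=7, monthly_count=3):
    """Return the snapshots to keep (oldest first): one per day inside the
    daily window, plus the first snapshot of each of the most recent
    `monthly_count` months that lie before that window."""
    cutoff = now - timedelta(days=daily_days)
    daily, monthly = {}, {}
    for snap in sorted(snapshots):
        if snap > now:
            continue  # ignore timestamps from the future (clock problems)
        if snap >= cutoff:
            daily[snap.date()] = snap  # the latest snapshot of a day wins
        else:
            # the first snapshot seen for a calendar month is the one kept
            monthly.setdefault((snap.year, snap.month), snap)
    months = sorted(monthly)[-monthly_count:] if monthly_count > 0 else []
    return sorted(set(daily.values()) | {monthly[m] for m in months})

def latest_clean_snapshot(kept, encryption_start):
    """Newest retained snapshot taken before encryption began, or None."""
    clean = [s for s in kept if s < encryption_start]
    return max(clean) if clean else None

# Constructed sample: one snapshot every night at 02:00 for 80 days.
NOW = datetime(2024, 3, 20, 12, 0)
SNAPSHOTS = [datetime(2024, 1, 1, 2, 0) + timedelta(days=i) for i in range(80)]
# Assumed scenario: files started being encrypted three weeks before anyone noticed.
ENCRYPTION_START = datetime(2024, 2, 28, 10, 0)

if __name__ == "__main__":
    for label, months in (("daily only", 0), ("daily + monthly", 3)):
        kept = select_snapshots(SNAPSHOTS, NOW, monthly_count=months)
        clean = latest_clean_snapshot(kept, ENCRYPTION_START)
        print(f"{label}: {len(kept)} kept, newest clean snapshot: {clean}")
```

With daily snapshots alone, every retained snapshot postdates the start of the encryption, so nothing clean is left to restore; the monthly snapshots are what cover an attack that is noticed late.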
These tips do not make a ransomware attack impossible, but they certainly make it much harder for the attacker to achieve the objective: that the only way to recover the data is by paying a ransom. A ransom that, in addition, never guarantees that we will really recover the data, since we must trust criminals to provide us with the keys.