NAS under assault

A strain of ransomware is targeting network attached storage devices

Attackers are deploying strains of ransomware that specifically target data held on network attached storage (NAS) devices, going after back-up technologies that normally help enterprises recover from malware-based attacks.

File-encrypting ransomware typically arrives via email or exploit-kits that are planted on websites. The new type of attacks on NAS devices, however, make use of a different vector.

Cybercriminals first scan ranges of IP addresses looking for NAS devices accessible via the web before looking for vulnerabilities that they can exploit.

Vulnerabilities of sufficient severity open up an opportunity for attackers to plant a file-encrypting trojan on insecure devices. This malware will then set about encrypting all data on the devices connected to the NAS.

While NAS is generally perceived as a secure technology, users often remain unprepared for the possibility of infection, putting their data at higher risk, security vendor Kaspersky warns.

Fedor Sinitsyn, security researcher at Kaspersky, explained: “Previously encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS.

“This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable.

“NAS devices are usually purchased as complete and secure products, which as it turns out is not the case,” he added.

Last week security firm Blueliv warned that a Russian cybercrime group might be responsible for a strain of ransomware that primarily targets Linux-based NAS devices made by Taiwan-based QNAP Systems.

This particular threat, QNAPCrypt, was discovered last summer when security firm Intezer detected and temporarily DoS’d (denial-of-service) the operation of the ransomware strain.

Other NAS-targeting ransomware strains include Muhstik, the target of a decryption tool back in October, and eCh0raix.

Storage vendor Synology warned of ransomware attacks against NAS users based on “dictionary attacks instead of specific system vulnerabilities” around the same time.

It said “various NAS models from different vendors” were under attack, in a statement that goes on to offer general protection advice.

Ransomware instances, in general, seem to be increasing in prevalence. In Q3 alone, Kaspersky products detected 13,138 encryption attacks, a 153% increase on figures from the previous year.

By contrast, attempted malware infections that aim to steal money via online access to bank accounts were logged on 197,559 user computers – a 35% decline compared to Q3 2018.

The figures come from Kaspersky’s Q3 IT Threat Evolution Report.

YOU MIGHT ALSO LIKE Kaspersky publishes free ransomware decryptors