Ransomware Targeting NAS

AIS Team Blog

Recent months have seen an increase in ransomware attacks targeting businesses and local governments. The financial incentives for ransomware campaigns will likely only increase, as criminals shift from indiscriminate attacks that include home PCs to more lucrative, targeted attacks on businesses and government entities.

While anti-malware mitigation like Sophos’ Intercept-X has proven to be effective at automatically stopping ransomware at the endpoint, like all things in info security, there’s no one silver bullet. One recent example is a coordinated attack on a variety of Network Attached Storage (NAS) products using a simple, yet effective method: brute-forcing admin credentials.

The anti-malware on your NAS might not have advanced anti-ransomware features, and even if it does, an attacker with admin credentials may be able to disable anti-malware before deploying encryption that locks up your valuable files. That’s why it’s important to control access to your NAS, where some of your organization’s most critical data resides, and to have a backup solution in place.

Here are some recommended actions to take to protect your NAS (and many other system types).

Reduce Attack Surface

  • Ensure RDP and other remote access is disabled unless remote access is absolutely required.
  • If remote access is required from an external source, enable firewall rules to lock down access to only the IP subnets that require it.

Harden

  • Enable 2-step verification
  • Apply security patches in a timely fashion.
  • Use a complex and strong password, and apply password strength rules to all users.
  • Create a new account in the administrator group and disable the system default “admin” account.
  • Run credential-analyzing tools to make sure there are no weak passwords in the system.

Monitor and Respond

  • Enable auto-block features to identify and block IP addresses with too many failed login attempts.
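As an added illustration (not code from the original post or from any NAS vendor), this is the kind of check an auto-block feature performs: count failed logins per source address over a sliding time window and flag any address that crosses a threshold. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-style format (not any vendor's exact format).
SAMPLE_LOG = """\
2020-01-10T02:14:01 nas01 auth: Failed login for user admin from 203.0.113.7
2020-01-10T02:14:03 nas01 auth: Failed login for user admin from 203.0.113.7
2020-01-10T02:14:04 nas01 auth: Failed login for user administrator from 203.0.113.7
2020-01-10T02:14:06 nas01 auth: Failed login for user root from 203.0.113.7
2020-01-10T02:14:07 nas01 auth: Failed login for user admin from 203.0.113.7
2020-01-10T02:14:09 nas01 auth: Failed login for user admin from 203.0.113.7
2020-01-10T09:30:00 nas01 auth: Failed login for user jsmith from 192.0.2.10
2020-01-10T09:30:45 nas01 auth: Successful login for user jsmith from 192.0.2.10
2020-01-10T11:00:00 nas01 auth: Failed login for user jsmith from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>Failed|Successful) login for user "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)$"
)

def find_brute_force_sources(log_text, threshold=5, window_seconds=300):
    """Return {ip: (first_failure_time, usernames_tried)} for every source IP that
    produced `threshold` or more failed logins inside a sliding window of
    `window_seconds`. A legitimate user who mistypes a password twice in a
    morning never reaches the threshold; a credential-guessing source does."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames that source has tried
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue                      # ignore unparsable lines and successes
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = (q[0].isoformat(), sorted(users[m["ip"]]))
    return flagged

if __name__ == "__main__":
    for ip, (since, tried) in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"block {ip}: {len(tried)} usernames tried since {since}: {', '.join(tried)}")
```

On the sample log only 203.0.113.7 is flagged (six failures in eight seconds across three account names); the two failures from 192.0.2.10 are ninety minutes apart and never reach the threshold.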

Recovery

  • Backup regularly and keep recent backups of your NAS data offline, so if a ransomware attack gets through, you have a way to recover your data without paying the ransom.