Global, Technology

Ransomware incident targeting NAS devices “under control”: Synology

Synology and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) have jointly announced the recent ransomware attack on various brands of NAS (Network Attached Storage) devices is now “under control”.

Ken Lee, Synology and Joy Chan, TWCERT/CC, ransomware on NAS
Ken Lee, Synology and Joy Chan, TWCERT/CC

The ransomware attack obtained admin credentials by brute force and encrypted the data on various brands of NAS.

Synology and TWCERT/CC took down the C&C server on 22nd July, thanks to the collaboration with international cybersecurity organisations. The organisations urge all NAS users to reinforce system security settings to keep their data safe.

“Synology has always made protecting user data our first priority,” said Ken Lee, manager, Security Incident Response Team, Synology. “As a long-term active participant in the international cybersecurity community, Synology was able to promptly collaborate with international cybersecurity organisations when the attack launched, preventing it from turning into an outbreak.”

Synology began to receive user reports since 19th July indicating that the data on their NAS was encrypted by ransomware.

The investigation report showed that the attacks weren’t based on DSM system vulnerabilities. Instead, they targeted those using weak passwords of the system default admin accounts. After the attacker gained admin access, they encrypted the files and asked for ransom.

On 22nd July, there were dozens of affected Synology users reporting this attack to the Global Technical Support Department, and Synology estimated that over ten thousand different brands of NAS around the world may be exposed to risks and can be potential targets in this attack. On the same day, Synology traced and connected to the attacker’s C&C server, notifying the TWCERT/CC at the same time to initiate international collaboration. On 26th July, with the information provided and forwarded by Synology and TWCRET/CC respectively, CFCS-DK identified the source of the attack and removed the C&C server.

“TWCERT/CC reacted promptly, obtained incident reports to initiate the international collaboration, and controlled the situation at an early stage, all thanks to our long-term partnership,” said Joy Chan, the director of the TWCERT/CC. “We look forward to seeing more brands follow in Synology’s footsteps to set up product safety teams and actively interact with cybersecurity organisations.”

Even though this matter is already under control, Synology suggested that all NAS users regardless of the brands strengthen data security by taking the following measures:

  • Enable firewall and only connect to the Internet when necessary.
  • Set up 2-step verification to prevent unauthorised login attempts.
  • Disable the system default “admin” account.
  • Use a strong password, and apply password strength rules to all users.
  • Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
  • Run Synology Security Advisor to make sure there is no weak password in the system.
  • Perform multi-version backup using Synology Hyper Backup, backing up the data on your NAS to multiple destinations such as on-premises storage, remote folders, and public cloud.
Previous ArticleNext Article


The free newsletter covering the top industry headlines