Ransomware crooks hit Synology NAS devices with brute-force password attacks

Password-guessing attacks against Synology NAS devices are delivering a ransomware payload.
Written by Liam Tung, Contributing Writer

Taiwan-headquartered storage vendor Synology is warning users to strengthen the passwords to their network attached storage (NAS) after several devices — capable of storing terabytes of data — were encrypted by ransomware. 

NAS units used by home and small-business users are a juicy target for ransomware attackers, who know they're packed with valuable data, including backups of primary systems. In 2014, ransomware crooks hit thousands of Synology Diskstation devices by exploiting a flaw in the company's Linux-based DiskStation Manager that users hadn't patched. The attackers demanded 0.06 Bitcoin, then worth around $350, to regain access to files.   

Synology is now warning its NAS device users that attackers recently stole device admin credentials using brute-force, or so-called dictionary attacks, where the attacker throws thousands of password combinations at a login interface. 

As reported earlier this month, ransomware attackers have been targeting internet-facing NAS devices from a variety of vendors using the same methods.

Those attacks targeted NAS devices from Taiwanese vendor QNAP and delivered ransomware known as eCh0raix. But, in late July, there was a spate of reports from Synology users in an online forum that Synology devices were being encrypted with ransomware asking, once again, for 0.06 Bitcoin, now worth $583. 

"We believe this is an organized attack. After an intensive investigation into this matter, we found that the attacker used botnet addresses to hide the real source IP," said Ken Lee, manager of Synology's security incident response team. 


"After collecting admin account passwords with brute-force attacks, the attack was launched on July 19 and caught users off guard. We therefore informed TWCERT/CC and CERT/CC immediately of this matter in hopes of accelerating the collaborative efforts to resolve this incident."

The firm is recommending customers use Synology's network and account management settings to prevent the internet-based attacks. This includes enabling the firewall in the Control Panel and only allowing public ports for essential services, as well as enabling two-step verification.   
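Because the guessing described above came from botnet addresses, a lockout rule that counts failures per source IP may never trigger, while a count per account does. The sketch below is an added example, not Synology's code: the log layout, the thresholds and the sample events (with documentation-range IPs and a placeholder date) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp source_ip account outcome".
# This layout is an assumption for illustration, not a DSM log format.
SAMPLE_LOG = [
    "2000-01-01T02:00:05 192.0.2.10 admin FAIL",
    "2000-01-01T02:00:41 198.51.100.7 admin FAIL",
    "2000-01-01T02:01:13 203.0.113.22 admin FAIL",
    "2000-01-01T02:01:50 192.0.2.77 admin FAIL",
    "2000-01-01T02:02:31 198.51.100.93 admin FAIL",
    "2000-01-01T02:03:02 203.0.113.140 admin FAIL",
    "2000-01-01T02:03:40 192.0.2.201 admin OK",
    "2000-01-01T08:15:00 198.51.100.50 alice FAIL",
    "2000-01-01T08:15:20 198.51.100.50 alice FAIL",
    "2000-01-01T08:15:45 198.51.100.50 alice OK",
]

def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome

def find_distributed_guessing(lines, window=timedelta(minutes=10),
                              min_failures=5, min_sources=4, per_ip_limit=3):
    """Flag accounts with many failed logins from many sources in one window."""
    recent = defaultdict(list)   # account -> [(timestamp, ip)] of recent failures
    findings = {}
    for ts, ip, account, outcome in sorted(parse(l) for l in lines):
        # Keep only failures that are still inside the sliding window.
        live = [(t, i) for t, i in recent[account] if ts - t <= window]
        if outcome == "FAIL":
            live.append((ts, ip))
        recent[account] = live
        per_ip = Counter(i for _, i in live)
        if len(live) >= min_failures and len(per_ip) >= min_sources:
            f = findings.setdefault(account, {
                "sources": set(),
                "per_ip_rule_fired": False,     # would a per-IP lockout have triggered?
                "login_after_guessing": False,  # success while the burst was still live
            })
            f["sources"] |= set(per_ip)
            f["per_ip_rule_fired"] |= max(per_ip.values()) >= per_ip_limit
            f["login_after_guessing"] |= outcome == "OK"
    return findings

if __name__ == "__main__":
    for account, finding in find_distributed_guessing(SAMPLE_LOG).items():
        print(account, finding)
```

An account flagged with `login_after_guessing` set should be treated as compromised: reset its password and review what it accessed.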

According to a person who claimed to be from Russian antivirus firm Dr. Web, there's no tool available to decrypt files encrypted with eCh0raix. 
