Collaboration is key to beating cybercriminals
This article has been supplied.
By Ken Lee, Manager of Security Incident Response Team at Synology Inc
One of the more fearsome cybercrimes committed in the digital age is ransomware, particularly as a company’s data is one of its most precious assets.
In this type of attack, hackers encrypt the data on a company’s hard drive, server, or storage, and blackmail the user into either paying a specified sum by a deadline or losing access to their information forever.
These attacks can be, if not completely averted, then certainly mitigated and quickly resolved. Where a ransomware attack could affect a global user base, including South African individuals and businesses, collaboration becomes essential. This was proven by a recent incident in which a hacker was able to obtain admin credentials of various brands of Network Attached Storage devices using a brute force attack and encrypt the data stored within.
In response, we, in collaboration with other international cybersecurity organisations and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), were able to disable the malicious command-and-control (C&C) server and bring the attack to an end.
More specifically, initial reports of some ransomware attacks on Network Attached Storage began emerging on the 19th of July, escalating on the 22nd of July to include dozens of users. It was at this point Global Technical Support Department, and Synology estimated that more than ten thousand different brands of NAS around the world were vulnerable to the ransomware.
When it became clear that it wasn’t an isolated incident and a worldwide action was required across a range of NAS products, we alerted the TWCERT/CC at the same time to initiate international collaboration. On July 26, with the information provided and forwarded by Synology and TWCERT/CC respectively, the Centre for Cyber Security in Denmark (CFCS-DK) identified the source of the attack and removed the C&C server.
In these kinds of attacks, time is of the essence. By working together, we were jointly able to get the situation under control in a few days before it became an outbreak.
An important learning from the incident is that weak passwords – and users failing to ensure their NAS units were adequately secured – were responsible for the attacker gaining access in the first place, rather than vulnerabilities in Synology’s DiskStation Management (DSM) system.
On the plus side, it means that users of Network Attached Storage, irrespective of brand, can help prevent future instances of ransomware by being more proactive about their data security. Beyond increasing the strength of their passwords, there are a few other measures that they can take:
- Enable firewall and only connect to the Internet when necessary.
- Set up 2-step verification to prevent unauthorized login attempts.
- Disable the system default "admin" account.
- Apply password strength rules to all users.
- Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
- Run Synology Security Advisor to make sure there is no weak password in the system.
- Perform multi-version backup using Synology Hyper Backup, backing up the data on your NAS to multiple destinations such as on-premises storage, remote folders, and public cloud.
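To make the failed-login blocking in the list above concrete, here is an added example (not Synology's code and not from the original article) that applies a threshold-within-a-window rule to login records and reports which source IPs would be blocked and which successful logins a block would have stopped. The log format, the threshold of 5 failures and the 5-minute window are assumptions; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source IP> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 admin FAIL
2024-01-01T10:00:05 203.0.113.5 admin FAIL
2024-01-01T10:00:09 198.51.100.7 alice FAIL
2024-01-01T10:00:10 203.0.113.5 admin FAIL
2024-01-01T10:00:15 203.0.113.5 admin FAIL
2024-01-01T10:00:20 203.0.113.5 admin FAIL
2024-01-01T10:00:25 203.0.113.5 admin OK
2024-01-01T10:00:30 198.51.100.7 alice OK
2024-01-01T10:10:00 192.0.2.9 admin FAIL
2024-01-01T10:20:00 192.0.2.9 admin FAIL
2024-01-01T10:30:00 192.0.2.9 admin FAIL
2024-01-01T10:40:00 192.0.2.9 admin FAIL
2024-01-01T10:50:00 192.0.2.9 admin FAIL
"""

def review_logins(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return (blocked, missed): IPs that hit the failure threshold inside the
    window, and successful logins from those IPs after the threshold was hit."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}                  # ip -> time the threshold was reached
    missed = []                   # (ip, account, time) logins a block would have stopped
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, account, result = line.split()
        ts = datetime.fromisoformat(stamp)
        if ip in blocked:
            if result == "OK":
                missed.append((ip, account, ts))
            continue
        if result != "FAIL":
            continue
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            blocked[ip] = ts
    return blocked, missed

if __name__ == "__main__":
    blocked, missed = review_logins(SAMPLE_LOG)
    print("would be blocked:", sorted(blocked))
    print("logins a block would have stopped:", missed)
```

The third source in the sample fails five times but only once every ten minutes, so a window-based rule never fires for it; that gap is why the list pairs blocking with strong passwords and 2-step verification.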
As debilitating as ransomware is, this recent instance demonstrates that collaboration is an effective and necessary response if we are to stamp out this scourge. Indeed, Joy Chan, the director of the TWCERT/CC, expressed optimism that more brands will follow in Synology’s footsteps to set up product safety teams and actively interact with cybersecurity organizations.
For South African and global users, it is a wake-up call. Clearly there is an opportunity for them to become more vigilant as they use business-enhancing technology like NAS, so as to protect their data now and in the future from malicious players.
By working together, as manufacturers, cybersecurity organisations and users across the globe, I am confident that we can continue to stop ransomware attacks in their footsteps.