AA19-6C

New ransomware attacks target your NAS devices, backup storage

The number of ransomware strains targeting NAS and backup storage devices is growing, with users "unprepared" for the threat, researchers say. 

Ransomware comes in many forms and guises. The malware variant is popular with cybercriminals and is used in attacks against the enterprise, critical services -- including hospitals and utilities -- and individuals. 

Once deployed on a system, the malware will usually encrypt files or full drives, issue its victim with a ransom note, and demand payment in return for a way to decrypt and restore access to locked content. 

There is no guarantee that paying up will result in decryption, but many will do so rather than lose their files -- and in cases where crucial systems have been locked, such as at government bodies or healthcare providers, there is additional pressure to return to normal operations as quickly as possible. 

The average consumer will often come across ransomware deployed through phishing campaigns and fraudulent messages, exploit kits, or bundled within illegitimate or compromised software. However, Kaspersky researchers say that Network Attached Storage (NAS) devices are now also under direct threat from malware operators. 

NAS systems, available for enterprise purposes and home setups, are devices connected to a network to provide centralized storage capacity, as well as for data backup purposes. 

These devices may be accessed directly through a network or may have a web interface. The problem, Kaspersky says, is that user authentication can sometimes be bypassed due to integrated software in NAS systems that have vulnerabilities. 

Ransomware developers have realized this, and while there was little evidence of NAS devices being targeted in 2018, this year, a range of new ransomware families have emerged with NAS-exploit capabilities. 

To begin an attack chain, operators will first perform a scan of a range of IP addresses to find NAS devices that are accessible via the Internet. Exploits of unpatched vulnerabilities are then attempted, and if successful, Trojans will be deployed and data encryption of all devices connected to the NAS drive begins. 

According to Kaspersky's Q3 IT threat evolution report, overall detection of ransomware attacks -- based on customer data -- dropped by 11 percent year-on-year. 

However, new ransomware modifications and families have grown from 5,195 to 13,138 in the past 12 months, a trend the researchers say "signals cybercriminal interest in this type of malware as means of enrichment."

The research also says that WannaCry ransomware remains as the most popular form of ransomware with cybercriminals, followed by Phny and GandCrypt. 

"Previously, encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS," said Fedor Sinitsyn, security researcher at Kaspersky. "This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable."

In November, Intezer and IBM X-Force researchers explored PureLocker, a new form of ransomware that is targeting enterprise servers. The malware, written in PureBasic, is actively being used in attacks and is offered to criminals as a custom -- and likely expensive -- tool