Last Update: Sep 04, 2024 | Published: Dec 18, 2019
Ransomware has been thriving in 2019, with hardly a week going by where we don’t hear about a new high-profile attack in the press. What receives less attention is how these attacks affect small and medium-sized businesses, but I think it’s safe to say that while big business and government attacks naturally get attention, small businesses are also fair game as they are less able to protect themselves. While thinking often still revolves around ‘what have we got that anyone would want to steal?’, ransomware has changed the game because it can hold entire businesses to ransom.
Windows has been a popular target, although Linux and macOS are more commonly in the sights of hackers. Windows is targeted partly because it is so ubiquitous in the enterprise and partly because security best practices are usually ignored, or sometimes not implemented for technical reasons. One example is removing local administrator privileges from users, a goal that can be difficult to achieve without help from third-party privileged access management (PAM) solutions.
Once endpoints are infected, ransomware like Locky can encrypt network shares mapped to devices. Why just encrypt a local device when you can also steal potentially more important data sitting on servers? CryptoFortress goes even further and can encrypt network shares regardless of whether mapped drives have been configured. Windows 10 Controlled Folder Access can be used to restrict access to sensitive data locations to approved applications, helping to reduce the likelihood that ransomware could encrypt data. Controlled Folder Access can be useful as part of a defense-in-depth security strategy. For more information on how Controlled Folder Access works, see Controlled Folder Access in Windows 10 FCU on Petri.
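A staged rollout of Controlled Folder Access using the Microsoft Defender PowerShell cmdlets, shown here as an added example that is not part of the original article. The folder and application paths are hypothetical placeholders; the commands assume an elevated session on Windows 10 version 1709 or later with Microsoft Defender Antivirus real-time protection turned on.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Both paths are hypothetical placeholders; substitute your own.
$ProtectedFolder = 'D:\Finance'
$AllowedApp      = 'C:\Program Files\ExampleBackup\backup.exe'

# 1. Start in audit mode so writes that WOULD be blocked are only logged.
#    This surfaces legitimate applications before anything breaks.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra data location on top of the default user folders
#    (Documents, Pictures, Desktop and so on).
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder

# 3. Approve a trusted application that must write to protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

# 4. After a trial period, review what was audited (1124) or blocked (1123).
#    Unknown processes here are candidates for investigation, not allow-listing.
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 200 -ErrorAction SilentlyContinue

$cfaEvents |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 5. Once the audit log contains only expected applications, enforce blocking.
#    Left commented out so the script stays in audit mode until reviewed.
# Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting configuration.
#    EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Controlled Folder Access is enforced on the endpoint where it is enabled, so it does not protect a file server or NAS from writes made by other, unprotected machines.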
While getting access to server file shares via Windows might seem the most likely way hackers would approach an attack, Kaspersky says in their Threat Evolution Report Q3 2019 that they are seeing new families of ransomware designed specifically to attack Network Attached Storage (NAS). According to Fedor Sinitsyn, a security researcher at Kaspersky:
“Previously encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS. This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable. NAS devices are usually purchased as complete and secure products, which as it turns out is not the case. Consumers and especially business users need to therefore remain cautious when protecting their data.”
Kaspersky says that hackers scan IP address ranges looking for NAS devices where web management interfaces are exposed. While you need to authenticate to get access to NAS management, vulnerabilities in other software can still leave devices open to attack. Ransomware like eCh0raix targets vulnerabilities in QNAP NAS devices by using brute-force attacks to reveal weak login credentials.
NAS is often used to store backups, and naturally the goal of ransomware is to hijack your data for a ransom in the hope that you don’t have a working backup or that your backup is online and has been encrypted as part of the attack. But what can you do to make sure that NAS devices and backups stay safe?
Many NAS devices designed for small businesses run their own operating systems based on Linux. But just because Windows isn’t deployed, it doesn’t mean they are immune to attack. So, take heed and make sure that your NAS devices are appropriately secured because NAS ransomware is on the rise.