Content, Ransomware

Ransomware Attacks Target Backups, NAS (Network Attached Storage)

Ransomware operatives are eyeing network attached storage (NAS) devices accessible via the Internet, catching users unaware and threatening the security of their backup data, a new Kaspersky report found.

NAS hasn’t previously been considered a viable attack target but this new type of ransomware hits users unprepared for the possibility of infection and believing their backup data is safe. It’s a profitable attack type growing in popularity, the security provider said.

Ransomware typically victimizes users through spear phishing or exploit kits planted on websites. But this is something else altogether. Cyber extortionists are scanning ranges of IP addresses looking for NAS devices accessible via the web. Although only web interfaces protected with authentication are accessible, a number of devices have integrated software that’s potentially vulnerable. If the attackers find an opening, they can install a Trojan using exploits to encrypt all data on the devices connected to the NAS.

“Previously, encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS,” said Fedor Sinitsyn, security researcher at Kaspersky. “This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable.

During Q3 2019, Kaspersky products detected and repelled encryption ransomware attacks on 229,643 Kaspersky products users, which is 11% less than during the same period last year. Although the total number of affected users slightly decreased, the report shows that the number of new encryption ransomware modifications grew from 5,195 in Q3 2018 to 13,138 in Q3 2019 marking a 153% growth. This development signals cybercriminal interest in this type of malware as means of enrichment, Kaspersky said.

Here are additional findings by the numbers:

  • The top three most popular verdicts that account for almost half of users attacked by cryptors were Trojan-Ransom.Win32.Wanna (20.96% users attacked), Trojan-Ransom.Win32.Phny (20.01%) and Trojan-Ransom.Win32.GandCrypt (8.58%).
  • Kaspersky detected and repelled 989,432,403 malicious attacks from online resources located in around 200 countries and territories around the world (4% growth compared to Q3 2018).
  • Attempted malware infections that aim to steal money via online access to bank accounts were registered on 197,559 user computers (35% decline compared to Q3 2018).
  • Kaspersky’s antivirus file detected a total of 230,051,054 unique malicious and potentially unwanted objects (4% decrease compared to Q3 2018).
  • Kaspersky mobile security products also detected 870,617 malicious installation packages (33% decrease compared to Q3 2018).

Ransomware attacks on NAS devices may have a malevolent cousin of sorts. Last August, MSSP Alert’s sister blog ChannelE2E uncovered that hackers were breaking into managed service providers' networks, secretly disabling backup and disaster recovery (BDR) systems, and then launching ransomware attacks.

In a typical scenario, the ransomware attacks spread from MSP systems to end-customer networks. When the MSP attempts a data restore, the service provider discovers BDR systems were disabled days, weeks or even months before the ransomware attack occurred. That resulted in encrypted MSP and customer systems, and outdated or deleted backups.

As with the NAS device attacks, these assaults are spreading rapidly.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.