What should I do if my NAS is affected by Ransomware?
Applicable Products
- Malware Remover
- Security
Overview
Ransomware has been widely targeting NAS devices that are exposed to the Internet without any protection, encrypting users' data and demanding a Bitcoin ransom. To prevent the NAS from being accessed directly, please check whether your NAS is exposed to the Internet. If it is, follow the instructions below to ensure NAS security:
- Disable the Port Forwarding function of the router
Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable port forwarding for the NAS management service ports (8080 and 443 by default).
- Disable the UPnP function of the QNAP NAS
Go to myQNAPcloud on the QTS menu, click "Auto Router Configuration", and unselect "Enable UPnP Port forwarding".
- Access the NAS remotely using a more secure method.
- Securely access your QNAP NAS via the Internet through myQNAPcloud Link
- Learn more about NAS remote access and network security
If you find that your files have been encrypted, the following questions can help you diagnose the issue and decide what to do next.
Analysis
How do I know if ransomware hits my system?
Ransomware may have hit your system if you find the following symptoms:
Some of the files can't be opened
All the files that can't be opened have the same file extension appended, e.g.
- .encrypt
- .7z
- .deadbolt
A README text file appears in every folder, e.g.
- !!!READ_ME_txt
- *README_FOR_DECRYPT.txt
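The two symptoms above can be checked together across a whole share. The following is an added example, not QNAP code: it assumes the share is mounted read-only on a separate machine, and the names `triage`, `is_note`, `build_sample` and the thresholds are hypothetical. A folder is flagged only when a ransom note is present and most of its other files share one extension, since an extension such as .7z is also used by legitimate archives.

```python
import fnmatch
import os
import sys
import tempfile
from collections import Counter

# Patterns built from the two README examples on the page; the "?" wildcard
# (accepting "_" or ".") is an assumption of this example.
NOTE_PATTERNS = ("!!!READ_ME?txt", "*README_FOR_DECRYPT.txt")

def is_note(name):
    return any(fnmatch.fnmatchcase(name, p) for p in NOTE_PATTERNS)

def triage(root, min_files=3, min_share=0.8):
    """Walk root (read-only) and flag folders that show both symptoms:
    a ransom note, plus min_share of the other files sharing one extension."""
    flagged, folders, with_note = [], 0, 0
    for dirpath, _dirs, files in os.walk(root):
        folders += 1
        notes = sorted(f for f in files if is_note(f))
        data = [f for f in files if not is_note(f)]
        with_note += bool(notes)
        # Only the final suffix counts: "a.jpg.7z" -> ".7z".
        exts = Counter(os.path.splitext(f)[1].lower() for f in data)
        exts.pop("", None)  # extensionless files carry no signal
        if not notes or len(data) < min_files or not exts:
            continue
        ext, count = exts.most_common(1)[0]
        if count / len(data) >= min_share:
            flagged.append({"folder": dirpath, "note": notes[0],
                            "extension": ext, "files": count})
    return {"folders": folders, "folders_with_note": with_note,
            "flagged": flagged}

def build_sample(root):
    """Constructed sample tree: one encrypted-looking folder, one clean one."""
    layout = {"photos": ["a.jpg.7z", "b.png.7z", "c.raw.7z", "!!!READ_ME.txt"],
              "docs": ["report.pdf", "notes.txt", "backup.7z"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)  # no path given: use the constructed tree
        print(triage(sys.argv[1] if len(sys.argv) > 1 else tmp))
```

The flagged extension and note filename are the values to use when identifying the ransomware in the next steps.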
What did ransomware do to my files?
Ransomware encrypts the files with a mathematical key known only to the author of the ransomware.
How do I know which ransomware encrypts the files?
You can identify the ransomware by using the ID Ransomware service from MalwareHunterTeam, or by Googling the keywords, the file extension and the filename of the README text file.
What information should I know?
The information you need is the name of the ransomware and the OS platform it runs on.
If the ransomware runs in Windows and encrypts the files on the NAS through Windows File Explorer, the following sites may help
If the ransomware runs in a Unix-like environment and only encrypts the files on the NAS:
- Click here to enter QNAP security advisories and search the ransomware name.
- Click here to enter QNAP FAQ and search the ransomware name or Malware Remover ID.
Can QNAP help to decrypt the encrypted files?
Unfortunately, QNAP can't decrypt the files, because decrypting them requires a mathematical key that QNAP doesn't know.
Is it possible to recover the encrypted files?
If Qlocker encrypted your data, you can manually install QRescue to recover Qlocker-encrypted files on the QNAP NAS.
If ransomware other than Qlocker encrypted your files, unfortunately we can't recover the encrypted files; you will need to use your backup.
What should I do to continue using the NAS?
Before copying the backup data to the NAS, please read the instructions for enhancing NAS security and make sure that you have completed the following highly recommended actions:
- Disable the Port Forwarding function of the router
- Disable the UPnP function of the QNAP NAS
- Update the firmware and apps to the latest version.
- Install Malware Remover in App Center.
- Change the password to a strong one that is difficult to guess.
- Change the system port from 80, 8080-8090, 443, 8443 to an unusual number.
- If you are still worried, consider completely reinitializing the NAS before restoring the backup files.
For future data safety, review or plan a solid backup strategy.
- You may want to learn what the 3-2-1 backup strategy is
- We recommend having at least one offline backup (external drive) and one online backup (cloud) of your important files. You can back up the data with Hybrid Backup Sync.
- Regularly take snapshots of your data volume