When a hacker gains access to a business's computer systems and deploys ransomware, there is a fair chance that the business will recover its files from backups and not pay the ransom. However, if backups are not available, there is a high chance that the business will have to pay, since data loss is simply not an option. It is therefore no surprise that hackers are now targeting backups and Network Attached Storage (NAS) devices.
Attacks on NAS systems certainly make sense, but little evidence was uncovered to suggest that the devices were being targeted, at least not in 2018. This year it’s a different story. Several ransomware families have been identified that include NAS exploits, and a new report from Kaspersky Lab has confirmed that attacks on backups and NAS devices are on the rise.
NAS devices are used by many businesses to back up their data. These devices are often connected to the network and sometimes have a web interface that can be accessed over the internet. An attacker would first need to provide valid login credentials in order to gain access to a NAS system, but Kaspersky Lab notes that authentication can sometimes be bypassed due to vulnerabilities in NAS devices and integrated software.
The simplest attack method involves scanning IP addresses to identify NAS systems that are accessible over the internet. Exploits are then used to take advantage of firmware and software vulnerabilities. If vulnerabilities have not been addressed, the attacker can then encrypt stored data. If the exploits fail, the attackers try to download Trojans, which will encrypt data on NAS-connected media.
“Previously, encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS,” said Kaspersky Lab security researcher Fedor Sinitsyn. “This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable.”
Another attack trend is the targeting of managed service providers (MSPs). Since MSPs have remote access to their clients’ systems, a successful attack on the MSP would allow the attackers to gain access to the systems of many other companies. Attacks on MSPs often result in backup and disaster recovery systems being disabled. When the ransomware attack occurs, the MSP discovers that backup systems have been disabled and that full file recovery will not be possible.
While Kaspersky Lab reports that there have been 11% fewer ransomware attacks compared to last year, the number of new ransomware modifications increased from 5,195 in Q3 2018 to 13,138 in Q3 2019, an increase of 153%. That strongly suggests ransomware is not in decline and that it is still seen as an important income stream for cybercriminals.