ALPS blog

Defending Users’ NAS Devices From Evolving Threats

Threats to the internet of things (IoT) continue to evolve as users and businesses grow increasingly reliant on these tools for constant connectivity, access to information and data, and workflow continuity. Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to add network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses. More importantly, cybercriminals are aware that these tools hold valuable information and have only minimal security measures.

In our latest research paper, “Backing Your Backup: Defending NAS Devices Against Evolving Threats,” we studied the current infrastructure, environment, threats, and recommendations for defending systems against current threats targeting NAS devices. To emphasize the importance of mitigating the risks of malware infection and targeted attacks on NAS devices, we analyzed the technical details of two malware families that potentially included NAS devices in their existing business models, the REvil ransomware and StealthWorker botnets.


While the disappearance of REvil (aka Sodinokibi) in mid-2021 is filled with uncertainty, security researchers have found a Linux version of the REvil ransomware that they have dubbed Revix. After analyzing the samples, we found four different versions of the malware, all of which rely on an embedded JavaScript Object Notation (JSON)-based configuration to set parameters before encrypting files.

Figure 1. Revix’s JSON-based configuration

While some parameters are ignored by the ransomware, these are the most important ones that we observed:

  • pk: A 64-byte key
  • nbody: The ransomware note text, encoded in base64
  • nname: The ransomware note name
  • ext: The extension added to encrypted files

After compromising the system, the malicious actors execute the ransomware manually on a NAS device to encrypt files and create a ransom note with a unique key per victim.
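For responders who have recovered such a configuration from a sample, the following added example (not code from the research paper or from the malware) turns the four parameters listed above into hunting indicators and matches them against a file listing. The sample configuration, its values, the `unused` key and the handling of a leading dot in `ext` are constructed assumptions.

```python
import base64
import binascii
import json

# The four parameters the article lists as the ones that matter.
FIELDS = ("pk", "nbody", "nname", "ext")

# Constructed config for illustration; every value is a placeholder, not taken
# from a real sample. "unused" stands in for the parameters the malware ignores.
SAMPLE_CONFIG = json.dumps({
    "pk": "PLACEHOLDER-KEY",
    "nbody": base64.b64encode(b"constructed ransom note text").decode(),
    "nname": "example-readme.txt",
    "ext": "example",
    "unused": True,
})

def triage_config(raw):
    """Pull the documented fields out of a config recovered from a sample."""
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("config is not a JSON object")
    missing = [f for f in FIELDS if not isinstance(cfg.get(f), str)]
    if missing:
        raise ValueError("missing or non-string fields: " + ", ".join(missing))
    try:
        note = base64.b64decode(cfg["nbody"], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        note = None  # keep going: the note name and extension are still usable
    return {
        "pk": cfg["pk"],  # kept opaque: the article gives its size, not its encoding
        "note_text": note,
        "note_name": cfg["nname"],
        # Assumption: the dot may or may not be stored with the extension.
        "extension": "." + cfg["ext"].lstrip("."),
    }

def find_artifacts(paths, report):
    """Split a file listing into ransom notes and encrypted files."""
    notes = [p for p in paths if p.rsplit("/", 1)[-1] == report["note_name"]]
    encrypted = [p for p in paths if p.endswith(report["extension"])]
    return notes, encrypted
```

Feeding `find_artifacts` a recursive listing of each share gives a quick scope of which folders were reached before restoring from backup.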

Figure 2. Revix encrypting a QNAP NAS device
Figure 3. Revix ransom note

While the differences between the versions are minor, the group advertised the capability of encrypting NAS devices as early as May 2021 in underground forums. Given the vulnerability of NAS devices that are directly connected to the internet, we can expect a new wave of ransomware attacks affecting these gadgets in the future.


In 2021, security researchers found brute-force attacks launched from the StealthWorker botnet on Synology NAS devices. We found multiple samples for this botnet and confirmed that newer versions are capable of brute-forcing and compromising servers running on several products and systems such as WooCommerce and WordPress. This botnet is also designed to generally attack any web server using HTTP authentication and other NAS devices like QNAP. Valid credentials found during compromise are then uploaded to the command-and-control (C&C) server, usually at port 5028/TCP.

Figure 4. StealthWorker brute-force function targeting QNAP devices
Figure 5. Infected Linux device connected to a C&C server
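A defender can check a device's connection table for the behaviour described above: outbound traffic to the C&C port and one process opening many half-open connections while brute-forcing. This is an added detection example, not code from the research; the `netstat -tnp` sample lines are constructed with documentation addresses, and the fan-out threshold is an assumption to tune.

```python
from collections import defaultdict

C2_PORT = 5028        # C&C port named in the article ("usually", so not exhaustive)
FANOUT_THRESHOLD = 3  # assumption: distinct SYN_SENT targets per process worth a look

# Constructed sample of `netstat -tnp` output; addresses are documentation ranges.
SAMPLE = """\
tcp   0  0 0.0.0.0:22          0.0.0.0:*            LISTEN       1124/sshd
tcp   0  0 192.0.2.10:22       198.51.100.7:50412   ESTABLISHED  1978/sshd: user
tcp   0  1 192.0.2.10:40112    203.0.113.21:80      SYN_SENT     2210/stealth
tcp   0  1 192.0.2.10:40114    203.0.113.22:8080    SYN_SENT     2210/stealth
tcp   0  1 192.0.2.10:40116    203.0.113.23:443     SYN_SENT     2210/stealth
tcp   0  0 192.0.2.10:40200    203.0.113.99:5028    ESTABLISHED  2210/stealth
"""

def parse(line):
    """Parse one TCP row; return None for headers and non-TCP rows."""
    parts = line.split(None, 6)
    if len(parts) < 7 or not parts[0].startswith("tcp"):
        return None
    _, _, _, _, foreign, state, owner = parts
    host, _, port = foreign.rpartition(":")
    pid, _, prog = owner.partition("/")
    return {"host": host, "port": port, "state": state,
            "pid": pid, "prog": prog.strip()}

def review(text):
    """Return findings for C&C-port traffic and SYN_SENT fan-out per process."""
    findings, fanout = [], defaultdict(set)
    for line in text.splitlines():
        conn = parse(line)
        if conn is None:
            continue
        if conn["port"] == str(C2_PORT) and conn["state"] != "LISTEN":
            findings.append(("c2-port", conn["pid"], conn["prog"], conn["host"]))
        if conn["state"] == "SYN_SENT":
            fanout[(conn["pid"], conn["prog"])].add(conn["host"])
    for (pid, prog), hosts in sorted(fanout.items()):
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append(("syn-fanout", pid, prog, len(hosts)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The same two conditions translate directly into an egress firewall rule or a flow-log alert for the NAS's network segment.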

How to protect NAS devices

Without proper security implemented in NAS devices, users and businesses will continue to be targeted since these tools can be used as entry points for information theft, malware infection, and the disruption of operations, among others. Here are some best practices to protect your systems against threats that leverage the gaps in your NAS devices:

  • Avoid connecting a NAS device directly to the internet.
  • Regularly change the credentials for accessing a NAS device. Never use the preset default credentials that come with the device as these are well-known to malicious actors.
  • Enable two-factor authentication (2FA) for additional security.
  • Uninstall applications, software, and services that are no longer in use as these can be abused as entry points.
  • Regularly check NAS manufacturers’ online security guides, such as Synology’s recommended best practices and QNAP’s recently released suggestions on how to help defend their devices against additional exposure on the internet.

To find more technical details, threats, insights, and recommendations in protecting your NAS device, download our research “Backing Your Backup: Defending NAS Devices Against Evolving Threats.”
