
How Hackers Hack NAS Devices (Synology, QNAP) — and How to Protect Yourself

How attackers compromise internet-exposed NAS devices — a major ransomware vector — and how to harden yours.

🛡️ Defender's Guide. This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, the FAQ at the end of this page covers recovery options, including whether to pay.

What attackers want from NAS Devices (Synology, QNAP)

Network Attached Storage (NAS) devices — Synology, QNAP, Asustor, Western Digital My Cloud, and similar — have become one of the most consistently exploited consumer and small-business technology categories of the past five years. The combination of sensitive data (photos, business documents, backups), internet-accessibility features (remote-access apps, mobile sync, cloud backup bridges), and user populations that often lack IT expertise has produced repeated ransomware campaigns aimed specifically at NAS devices.

The realistic threat profile is dominated by internet-exposed NAS devices with default or weak credentials, outdated firmware with known vulnerabilities, and misconfigured remote-access features. QLocker (QNAP, 2021), DeadBolt (QNAP, 2022), eCh0raix (QNAP and Synology, ongoing), and multiple Synology-specific campaigns have collectively affected hundreds of thousands of devices — most of them belonging to home users and small businesses who did not realise the NAS was directly reachable from the internet.

NAS security improves substantially once you treat the device as a server, because that is what it is: a server-grade patching cadence, server-grade authentication, server-grade network isolation, and a server-grade backup strategy. Consumers frequently treat a NAS as an appliance (set and forget); attackers exploit exactly this gap. For anyone running a NAS with data they care about, the device warrants active security ownership, not passive reliance on defaults.

How attackers actually do it

Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.

Direct internet exposure exploited via known vulnerabilities

Most NAS ransomware campaigns target devices running firmware with known vulnerabilities for which the vendor has already shipped a fix that the owner never installed. Shodan indexes hundreds of thousands of internet-exposed NAS devices; attackers scan for specific vulnerable firmware versions and mass-exploit them. DeadBolt's first wave hit 3,500+ QNAP devices within days by exploiting a single firmware vulnerability.

Credential stuffing and brute-force against admin accounts

Default admin accounts (admin/admin on older devices, "admin" with weak passwords on many), reused passwords from breach databases, and simple brute force against exposed interfaces. Baseline attack pattern against any exposed NAS; consistently successful against unhardened devices.

UPnP and auto-port-forwarding exposing internal NAS

NAS devices often request UPnP port forwarding from home routers automatically to enable remote-access features. Users do not realise their NAS is now internet-exposed; the attack surface is established without informed consent. UPnP should be disabled on home routers as baseline; NAS remote access should use VPN instead.

Third-party application vulnerabilities

NAS devices run third-party applications (Plex, Docker containers, photo-gallery apps, VPN servers). Each app expands attack surface; vulnerabilities in apps (outside the NAS vendor's patching) have been exploited. Minimising installed apps and keeping remaining apps current matters.

Ransomware families built specifically for NAS devices

Entire ransomware families (DeadBolt, eCh0raix, QLocker) specifically target NAS devices. Payment demands calibrated to consumer budgets ($200-$1,000 typical, rather than enterprise six/seven-figure demands). Some campaigns also exfiltrate data before encryption, adding data-leak extortion.

Credential theft via phishing for NAS cloud accounts

Synology QuickConnect, QNAP myQNAPcloud — vendor-hosted remote-access services — have their own credential systems. Phishing for those credentials grants attackers direct NAS access without ever touching local firewall configuration.

How to recognise compromise

Signs that your NAS (Synology, QNAP or similar) may have been compromised:

File extensions changed or files encrypted

The obvious ransomware indicator: files renamed with a new extension, README-style ransom notes appearing in folders, or (as DeadBolt did on QNAP) the device's web login page replaced by the ransom demand. By the time you see this, encryption is usually already complete. If you catch it in progress, disconnect the NAS from the network first; keep the ransom note and the logs rather than reinitialising the device, since decryption tools and anyone helping you recover will need them.
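As an added example (not code from the original guide or from any NAS vendor), the following Python scan looks for the indicators above on a share: ransom-note-style filenames, one extension appended across many files, content whose entropy looks like ciphertext where plain files are expected, and a canary file whose digest has changed. The ransom-note vocabulary, the entropy threshold, the list of already-compressed formats, and the sample tree built in run_demo (including the .deadbolt extension that public reporting attributes to DeadBolt) are assumptions constructed for the demo.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filenames vary per family, so match on the vocabulary they share.
NOTE_RE = re.compile(r"(read.?me|decrypt|recover|your.?files|restore)", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".htm", ""}
# Formats that are compressed already and therefore high-entropy when healthy.
COMPRESSED = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".heic",
              ".mp4", ".mkv", ".mp3", ".pdf", ".docx", ".xlsx"}
CANARY_NAME = ".canary.txt"  # assumed sentinel name; pick something unremarkable in practice
CANARY_CONTENT = b"canary file, do not edit or delete\n" * 32


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canary(root):
    """Write a sentinel file and return its digest; any later change means tampering."""
    path = Path(root) / CANARY_NAME
    path.write_bytes(CANARY_CONTENT)
    return sha256(path)


def scan(root, canary_digest=None, entropy_threshold=7.5, min_bytes=256, min_renamed=3):
    root = Path(root)
    findings = {"ransom_notes": [], "high_entropy": [], "suspicious_ext": [],
                "canary_modified": False}
    appended = Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == CANARY_NAME:
            if canary_digest is not None and sha256(path) != canary_digest:
                findings["canary_modified"] = True
            continue
        if NOTE_RE.search(path.stem) and path.suffix.lower() in NOTE_SUFFIXES:
            findings["ransom_notes"].append(rel)
        # photo.jpg.deadbolt: a second extension appended to an existing one.
        if len(path.suffixes) >= 2:
            appended[path.suffix.lower()] += 1
        if path.suffix.lower() in COMPRESSED:
            continue  # high entropy is normal here; the check would only produce noise
        sample = path.read_bytes()[:65536]
        if len(sample) >= min_bytes:
            ent = shannon_entropy(sample)
            if ent >= entropy_threshold:
                findings["high_entropy"].append((rel, round(ent, 2)))
    # One appended extension across many files is the mass-rename signature;
    # min_renamed keeps "report.v2.txt"-style names from triggering it.
    findings["suspicious_ext"] = [(ext, n) for ext, n in appended.items() if n >= min_renamed]
    return findings


def build_sample_tree(root):
    """Constructed victim tree: three 'encrypted' photos, a ransom note, and
    healthy files that must not be flagged (a real JPEG is high-entropy too)."""
    root = Path(root)
    (root / "docs").mkdir(exist_ok=True)
    (root / "photos").mkdir(exist_ok=True)
    (root / "docs" / "notes.txt").write_text("Quarterly planning notes for the team.\n" * 20)
    (root / "docs" / "README.md").write_text("# Project\nHealthy documentation.\n" * 20)
    (root / "docs" / "README_FOR_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
    (root / "photos" / "healthy.jpg").write_bytes(os.urandom(4096))
    for name in ("a", "b", "c"):
        (root / "photos" / f"{name}.jpg.deadbolt").write_bytes(os.urandom(4096))


def run_demo():
    """Scan the constructed tree before and after the canary is overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        digest = plant_canary(tmp)
        build_sample_tree(tmp)
        clean = scan(tmp, digest)
        (Path(tmp) / CANARY_NAME).write_bytes(os.urandom(len(CANARY_CONTENT)))
        tampered = scan(tmp, digest)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("before", "after canary overwrite"), run_demo()):
        print(label, result)
```

Run it from a scheduled task against your shares and alert on any non-empty finding; the entropy check is deliberately skipped for formats that are compressed anyway, because otherwise every photo library looks encrypted.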

Admin login from unfamiliar IPs

NAS audit logs (Log Center on Synology DSM; QuLog Center or the system logs on QNAP QTS) record login attempts and successes, with the source IP and the service used (DSM, SMB, SSH). Successful logins from unfamiliar source IPs, or a run of failures followed by a success from the same address, warrant investigation.
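As an added example (not part of the original guide), this Python script runs the two checks just described over a handful of constructed log lines that approximate Synology Log Center connection entries: successful logins from outside the networks you trust, and bursts of failed logins followed by a success from the same address. The line format in LINE_RE, the trusted network ranges and the thresholds are assumptions; adapt them to the export your DSM or QTS version actually produces.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample approximating Synology Log Center "Connection" entries.
# The exact wording differs between DSM versions (and QNAP uses another format),
# so LINE_RE is an assumption to adapt to your own export.
SAMPLE_LOG = """\
2024-03-01 02:14:03 Warning User [admin] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-03-01 02:14:04 Warning User [admin] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-03-01 02:14:06 Warning User [admin] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-03-01 02:14:07 Warning User [admin] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-03-01 02:14:09 Warning User [admin] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-03-01 02:14:12 Information User [admin] from [203.0.113.45] logged in successfully via [DSM].
2024-03-01 08:30:00 Information User [alice] from [192.168.1.20] logged in successfully via [DSM].
2024-03-01 09:02:11 Warning User [alice] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2024-03-01 09:02:20 Information User [alice] from [192.168.1.20] logged in successfully via [SMB].
2024-03-01 23:41:55 Information User [alice] from [198.51.100.7] logged in successfully via [DSM].
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ "
    r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<outcome>logged in successfully|failed to log in)"
)

# Networks from which admin logins are expected: the LAN and the VPN client range (assumed).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "ip": ipaddress.ip_address(m["ip"]),
            "success": m["outcome"].startswith("logged in"),
        })
    return events


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def analyse(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (kind, user, ip, timestamp) findings, in the order of the checks below."""
    findings = []

    # 1. Any successful login from outside the trusted networks. On a NAS that is
    #    reachable only via LAN or VPN this should never fire.
    for e in events:
        if e["success"] and not is_trusted(e["ip"]):
            findings.append(("external_login", e["user"], str(e["ip"]), e["ts"]))

    # 2. Brute force: fail_threshold failures from one IP inside `window`.
    failures = defaultdict(list)
    for e in events:
        if not e["success"]:
            failures[e["ip"]].append((e["ts"], e["user"]))
    bursts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts) - fail_threshold + 1):
            start, user = attempts[i]
            end = attempts[i + fail_threshold - 1][0]
            if end - start <= window:
                bursts[ip] = start
                findings.append(("brute_force", user, str(ip), start))
                break

    # 3. A success from an IP that was brute-forcing moments earlier: treat the
    #    account as compromised, not merely attacked.
    for e in events:
        if e["success"] and e["ip"] in bursts and e["ts"] >= bursts[e["ip"]]:
            findings.append(("likely_compromise", e["user"], str(e["ip"]), e["ts"]))

    return findings


if __name__ == "__main__":
    for kind, user, ip, ts in analyse(parse_events(SAMPLE_LOG)):
        print(f"{ts}  {kind:<18} user={user} ip={ip}")
```

On the sample, the admin account is flagged three times (external login, brute force, likely compromise) while alice's single typo from the LAN produces nothing; her late-night login from 198.51.100.7 is reported as an external login for a human to confirm.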

New admin users or services created

Attackers commonly create additional admin accounts for persistence. Review user list and installed services regularly.

Unusual CPU or network activity

Ransomware encryption activity, cryptomining malware, or data exfiltration all produce resource-usage anomalies. NAS dashboards show these metrics.

Shares or permissions changed

Modified share configurations, newly-shared folders, or altered permission settings — investigate any changes you did not make.

Vendor security advisories for your model

Follow your NAS vendor's security advisory feed. A notification of in-the-wild exploitation targeting your model means patching is the immediate priority.

What actually protects you

Concrete actions ranked by impact. The first items are the highest-leverage protections; do those first.

Do not expose the NAS directly to the internet

Most important control. Disable UPnP on your router. Do not port-forward to the NAS. For remote access, use VPN (WireGuard, your router's built-in VPN, commercial VPN gateway) and access the NAS only through the VPN. The "convenience" of direct exposure has produced thousands of ransomware incidents; the VPN alternative is marginally more work for dramatically more security.

Keep firmware and all apps current — aggressive patching cadence

Enable auto-updates where available. Check for updates weekly if not auto-updating. NAS firmware vulnerabilities get patched; unpatched devices become sitting targets. Vendor security advisories demand immediate patching, not "next maintenance window".

Strong unique admin password, no default accounts

Rename or disable the default admin account; create a named admin account with a long random password from your password manager. Default admin/admin combinations and weak passwords are the most common compromise vector. Also enable the built-in lockout feature (Auto Block on Synology, IP Access Protection on QNAP) so that repeated failures from one address are blocked; it slows brute force but does nothing against a correctly guessed reused password.

2FA on admin accounts

Synology and QNAP both support 2FA. Enable it. For devices reachable via vendor cloud services (QuickConnect, myQNAPcloud), 2FA on those services is equally important.

Network-segment the NAS on a separate VLAN or subnet

Isolate NAS from main LAN where possible — reduces blast radius if other devices are compromised, and vice versa. Requires router support for VLANs (many prosumer routers support this).

Disable unused services and apps

Every enabled service is attack surface. If you do not use SMB1, disable it. If you do not use FTP, disable it. If you installed a Plex server and no longer use it, remove it. Minimise running services to the actual-use set.

Offline backups — 3-2-1 backup rule

3 copies of data, 2 different media, 1 offsite/offline. Offline means disconnected from network — a second NAS connected to the same network does not count because ransomware reaches both. External drive that is connected only during backup, cloud backup with appropriate snapshot/versioning, or actual offline archive. Critical for ransomware recovery because online backups frequently get encrypted too.
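An added example (not code from the original page or from any NAS vendor) of the verification step most 3-2-1 setups skip: hashing the live source and the offline copy independently, diffing them, checking the copy against the manifest written when it was made, and flagging a copy older than the interval you intended. The manifest filename, the seven-day staleness limit and the constructed source and backup trees in run_demo are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = ".backup-manifest.json"  # assumed name, stored alongside the copy


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every regular file under root (manifest excluded)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(root, manifest):
    """Record what was copied and when, so a later check can detect bit rot and staleness."""
    payload = {"created": time.time(), "files": manifest}
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(payload))


def read_manifest(root):
    return json.loads((Path(root) / MANIFEST_NAME).read_text())


def compare(source, backup):
    """Classify differences between two manifests (dicts of path -> digest)."""
    return {
        "not_in_backup": sorted(p for p in source if p not in backup),
        "differs": sorted(p for p in source if p in backup and source[p] != backup[p]),
        "only_in_backup": sorted(p for p in backup if p not in source),
    }


def verify_backup(source_root, backup_root, max_age_days=7, now=None):
    """Re-hash the backup (never trust its stored manifest alone), diff it against
    the live source, and flag a copy older than max_age_days."""
    now = time.time() if now is None else now
    stored = read_manifest(backup_root)
    on_disk = build_manifest(backup_root)
    result = compare(build_manifest(source_root), on_disk)
    # Files that changed on the backup medium since the copy was taken: corruption or tampering.
    result["corrupt"] = sorted(p for p, d in stored["files"].items() if on_disk.get(p) != d)
    result["age_days"] = (now - stored["created"]) / 86400
    result["stale"] = result["age_days"] > max_age_days
    result["ok"] = not (result["not_in_backup"] or result["differs"]
                        or result["corrupt"] or result["stale"])
    return result


def run_demo():
    """Constructed scenario: a source tree, an offline copy taken from it, then one
    source file edited, one new source file added, and one backup file bit-flipped."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "nas"), Path(tmp, "offline-drive")
        for d in (src / "photos", src / "docs", bak / "photos", bak / "docs"):
            d.mkdir(parents=True)
        files = {"photos/2023-trip.jpg": os.urandom(2048),
                 "docs/taxes.pdf": os.urandom(1024),
                 "docs/notes.txt": b"keep\n" * 100}
        for rel, data in files.items():
            (src / rel).write_bytes(data)
            (bak / rel).write_bytes(data)
        write_manifest(bak, build_manifest(bak))
        fresh = verify_backup(src, bak)
        # Changes after the copy was taken.
        (src / "docs/notes.txt").write_bytes(b"edited\n" * 100)
        (src / "docs/new-contract.pdf").write_bytes(os.urandom(512))
        damaged = bytearray(files["docs/taxes.pdf"])
        damaged[0] ^= 0xFF
        (bak / "docs/taxes.pdf").write_bytes(bytes(damaged))
        later = verify_backup(src, bak, now=time.time() + 30 * 86400)
    return fresh, later


if __name__ == "__main__":
    fresh, later = run_demo()
    print("just after copy:", fresh)
    print("30 days later:  ", later)
```

"differs" means the live data has moved on since the copy (or, if the NAS has just been encrypted, that the copy is the good version); "corrupt" means the copy itself no longer matches what was written to it, which is the case offline media cannot warn you about unless you check.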

Enable snapshot/versioning if supported

Synology Snapshot Replication and QNAP Snapshot Center create read-only snapshots that file-level ransomware cannot rewrite in place. Enable hourly or daily snapshots with reasonable retention. The caveat: an attacker who gains admin rights on the NAS can simply delete the snapshots unless the device supports locked (immutable) snapshots and you use them, so snapshots are a recovery path alongside offline backups, not a replacement for them.

Monitor for vendor security advisories

Subscribe to your vendor's security advisory RSS or mailing list. In-the-wild exploitation campaigns announce themselves; awareness is the first step to response.

Frequently Asked Questions

Yes — NAS ransomware campaigns do not select victims by content value; they target any reachable device. Your family photos are as valuable to ransomware operators as business data (worth whatever ransom they can extract from you), and the same exploitation path affects both. Some campaigns also exfiltrate data before encrypting it, so family photos copied to criminal infrastructure are a concern in their own right beyond the encryption.

Scale and consumer deployment patterns. Both vendors have huge installed bases of devices deployed by non-experts with minimal ongoing security attention. Internet exposure plus unpatched firmware plus weak authentication plus valuable data equals target. Both vendors have improved default security substantially; the persistent vulnerability is in older deployments and in user practices that ignore security updates.

Cautiously. Both are better than direct port-forwarding because the vendor proxy does not require exposing the NAS directly. Both have had security incidents of their own; both require strong authentication on the vendor account. For genuine security, VPN-gated access is still preferable. For convenience-first users, vendor cloud services are substantially safer than UPnP/port-forwarded direct exposure, as long as the vendor account itself is well-protected (2FA, unique strong password).

Yes, and this is where most users fail. A NAS used as backup for laptops is a single copy — if the NAS is compromised (ransomware), you have lost both your laptop data and the backup simultaneously. True backup strategy requires 3-2-1: three copies, two different media, one offsite/offline. For NAS users: the NAS itself + an external drive disconnected when not backing up + cloud backup with versioning. Without this, the "backup NAS" is a single point of failure, not backup infrastructure.

No — those address power-related hardware failure, not ransomware. Important for other reasons (NAS hardware longevity, preventing corruption during power events) but not a security control. Do both: UPS for hardware protection, security hardening for ransomware protection.

Generally no. Decryption after payment has a notoriously poor track record in NAS ransomware campaigns, paying funds further attacks, and in some jurisdictions paying may itself be illegal (for example where the group is under OFAC sanctions). Check NoMoreRansom.org for free decryption tools first; decryptors have been published for some NAS ransomware variants or versions. If backups exist, restore from backups. If there are no backups and NoMoreRansom has no solution, engage professional data recovery for options; they often have methods short of paying the ransom.

Security capability yes, security deployment often no. Enterprise storage products have stronger default configurations, dedicated security teams, structured patching processes. But enterprise-storage deployments also have dedicated IT teams running them properly. A consumer NAS deployed by an engaged user with good practices is more secure than an enterprise storage product deployed by an unengaged admin. The choice is less "consumer vs enterprise" and more "deployed by whom with what ongoing attention".

Cloud storage (iCloud, Google Drive, OneDrive, Dropbox, Backblaze B2) with versioning enabled handles many NAS use cases without the direct-exposure risk. Self-hosted alternatives (Unraid, TrueNAS, self-built servers) give more control but demand more expertise. External drives for backup and a small cloud tier for offsite redundancy can cover family-photo scenarios without a NAS at all. NAS is the right tool for some use cases (large media libraries, local network file serving, self-hosted services), not all of them.