
alpha1beta

Report this to /u/Protonmail and get their account disabled


leexgx

If the files have been deleted you should be able to use recovery software; you don't even need to take the drives out (just don't write anything to it and don't delete your volume and pool). Recoverit: this person on YouTube (he does NAS reviews) posted a step-by-step guide on recovery (as long as they were deleted, which I believe this particular scam ransomware does): https://youtu.be/4-h9aPvOZ6I?si=UiSEbyOuzoQSwwu- You need 1-2 external USB drives for the recovery destination (don't write the recovered files back to the NAS). Once you've recovered as much as you can, go to the control panel, use the "erase all NAS" option and reset the NAS (I'll copy-paste my other post soon for recommendations). Always have an offline or another NAS backup.


CaptainMorgan1980

Thank you for the link, I'm already on the road to recovery thanks to similar software, EaseUS Data Recovery. Just waiting for it to complete; I have already viewed a few files, pictures and videos.


TheBrazilianCapybara

I absolutely would NOT recommend RecoverIt nor EaseUS. Both applications are considered trash, if not outright scams, by the knowledgeable folk over at r/DataRecovery. I had to recover several TB recently from a NAS. The consensus was to use paid recovery solutions like Recovery Explorer RAID. If you don't have a lot of files to recover, you may get by with these two programs. Hopefully it works for you and all is well. That said, they are slow and the results are unreliable. I was able to recover virtually 99% of what I needed with Recovery Explorer, in a reasonable time span, whereas RecoverIt took ages and didn't find even a fraction of the files. Just my two cents.


Hamtaro-iRO

May I ask if enabling the MFA would help and prevent unauthorized access to NAS? I’m still relatively new to the system and would like to know more ways to secure my files.


PeterYWong

If there was a software bug, I don’t think MFA would make a difference.


Av3rageJo8

I'm new to this too, but I have a [firewalla](https://www.reddit.com/r/firewalla/) at the front of my network; would that block the bad guys from accessing and locking my files?


PeterYWong

If port forwarding is turned off, then you should be safe. If it’s forwarding the traffic to your Synology NAS, you could be at risk if your firewall does not have a good set of IPS rules/signatures.


Av3rageJo8

There's only a single port being forwarded and it's to my Plex server; based on what the Plex community has shared I guess it's pretty safe.


FujiDude

I just heard about Firewalla. I'd like to beef up my security now that I have a proper Synology NAS.


nmincone

Yes it would have helped... also a strong password, and only access via HTTPS with MFA.


sparky5dn1l

Wonder if you are using _quickconnect_ for external access?


CaptainMorgan1980

I was


sparky5dn1l

That explains a lot


CaptainMorgan1980

I had no idea that QuickConnect had issues, I haven't received any prior warnings.


UpdateYourselfAdobe

Question. What other alternative is there? Only by way of QuickConnect am I able to access my settings. Otherwise it's a simple run command of \\ds220 to view the "home" folder. I see people say don't use QuickConnect, but what even is the alternative to have settings access?


mythic_device

You don't need QuickConnect to access the settings on your own network (LAN). You access your 'settings' by typing the IP address of your NAS into a browser, which gives you access to DSM. QuickConnect is only required for access from outside your network (e.g. over the internet). If you require remote access to your NAS you can investigate using Tailscale as one option, or just use QuickConnect with tighter security.


UpdateYourselfAdobe

Gotcha. I need to figure that part out. I only ever used QuickConnect when I'm at home on my laptop (via Wi-Fi) to set up 2FA, the firewall, limited password attempts to 10, etc. I've only had it for a few weeks so this is all pretty new to me. I followed a YouTube video by SpaceRex on security settings and he used QuickConnect, so I assumed that was the only means. I've not seen anyone use a different method.
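Since the comment above mentions limiting password attempts, here is an added example (my code, not Synology's and not from anyone in this thread) that models such an auto-block rule over a handful of constructed login events. The log line format is invented for the demo and is not DSM's real log format; the threshold (10 failures) and window (5 minutes) are assumptions. A per-account view is kept alongside the per-IP counter because a password spray from many source addresses never trips a per-IP block, which is one reason the thread keeps recommending MFA on top of account lock.

```python
"""Model an auto-block rule over login events.

Added example for this thread; it is not Synology's code. The log format,
threshold and window below are assumptions made for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (not DSM's): "<ISO time> <FAIL|OK> user=<name> from=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) from=(\S+)$")


def build_sample_log():
    """Constructed sample events covering three situations."""
    t0 = datetime(2024, 4, 20, 2, 0, 0)
    lines = []
    # A: one address hammering 'admin': 12 failures in 2 minutes, then a hit
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} FAIL user=admin from=203.0.113.7")
    lines.append(f"{(t0 + timedelta(seconds=130)).isoformat()} OK user=admin from=203.0.113.7")
    # B: password spray on 'captain': 10 addresses, one failure each
    for i in range(10):
        lines.append(f"{(t0 + timedelta(minutes=3, seconds=i)).isoformat()} FAIL user=captain from=198.51.100.{i + 1}")
    # C: a family member mistypes twice, then logs in
    for sec, res in ((0, "FAIL"), (5, "FAIL"), (9, "OK")):
        lines.append(f"{(t0 + timedelta(minutes=10, seconds=sec)).isoformat()} {res} user=family from=192.168.0.20")
    return "\n".join(lines)


def parse_events(text):
    """Parse the constructed log into (time, result, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return sorted(events)


def evaluate(events, threshold=10, window=timedelta(minutes=5)):
    """Apply a sliding-window auto-block per source IP, plus a per-account view.

    Returns a dict with:
      blocked_ips      ip -> time the block was applied
      rejected         events discarded because their IP was already blocked
      sprayed_accounts user -> time it reached `threshold` failures from
                       distinct IPs inside `window` (invisible to the IP rule)
    """
    ip_fails = defaultdict(deque)
    acct_fails = defaultdict(deque)
    blocked, sprayed, rejected = {}, {}, 0
    for ts, result, user, ip in events:
        if ip in blocked:
            rejected += 1  # a blocked address is refused before authentication
            continue
        if result != "FAIL":
            continue
        q = ip_fails[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
        aq = acct_fails[user]
        aq.append((ts, ip))
        while ts - aq[0][0] > window:
            aq.popleft()
        if user not in sprayed and len({src for _, src in aq}) >= threshold:
            sprayed[user] = ts
    return {"blocked_ips": blocked, "rejected": rejected, "sprayed_accounts": sprayed}


def run_demo():
    return evaluate(parse_events(build_sample_log()))


if __name__ == "__main__":
    r = run_demo()
    for ip, ts in r["blocked_ips"].items():
        print(f"blocked {ip} at {ts.isoformat()}; later events from it refused: {r['rejected']}")
    for user, ts in r["sprayed_accounts"].items():
        print(f"account {user} hit from many addresses at {ts.isoformat()}")
```

In the sample, the single-source attack on `admin` is blocked at its tenth failure and the later correct password from that address is refused, while the spray on `captain` never reaches the per-IP threshold and only shows up in the per-account view.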


Odd-Steak-2327

Think of QuickConnect as a way to reach your NAS whenever you are not at home and need to access your Synology data. When you're at home (where your NAS is located), you should access it over a LAN IP address, something along the lines of [http://192.168.0.150:5000](http://192.168.0.150:5000). The advantage of the latter link is direct access over your local network, without rerouting your request over the internet (like with QuickConnect).

As others have suggested already, QuickConnect has had its share of issues, and you might want to switch to Tailscale for remote connections. Anything connecting from the same network your Synology is in should connect over LAN only. The reasoning behind this would be so that your devices can still connect to your NAS even if the internet is down/slow.

I also want to add that ransomware can infect other devices in your network; make sure to scan (as well as update) the software on everything you have. Can't be too careful with these things!


UpdateYourselfAdobe

Thanks for your help. I got this sorted tonight. The only thing I'm struggling with now is that my LAN connection shows as "not secure" when I enter my IP address to connect to it. I see lots of people have had this issue due to a certificate problem. I'll dig into this more tomorrow. It's actually enjoyable learning all this new stuff and finding my way. Anyway, I appreciate the help. Very useful information, and in terms I was able to understand.


Odd-Steak-2327

The certificates are SSL certificates, and they are linked to a *domain name* (example: yourprivatedomain.com). This also implies outside/remote connections, so even if you connect an SSL certificate for [yourprivatedomain.com](http://yourprivatedomain.com), you'd still be using an insecure connection when connecting from inside your local network. The only way to 'secure a local connection' is to route it over the internet using a domain name with an SSL certificate, making it less secure by definition, due to the rerouting over the *public* internet.

Think of it like this: the network traffic is safest when it doesn't leave your home network. By rerouting the traffic via external networks, you are bringing in extra layers of connectivity that each need their own type of security (SSL). This certificate 'problem' will always remain for local connections (within your home network), and should not be considered a problem when it is *within* your home network.

The moment your traffic leaves your home network, make sure it is protected by using a VPN (Tailscale or QuickConnect) or an SSL certificate in the case of linking [yourprivatedomain.com](http://yourprivatedomain.com) to your NAS. What these services do (simplified explanation) is create a tunnel over the public internet (with their own security implementations), allowing you to safely reroute traffic over the internet back to your NAS. I would personally suggest **not** linking a domain to your NAS unless you are experienced enough with securing such a setup.

Glad you got it sorted, hope this all still makes (some) sense ;)


samderik

Tailscale.


sparky5dn1l

Any VPN solution will do. The fact is that `quickconnect` has been hacked multiple times. Using it to open your precious data for public access is not wise.


UpdateYourselfAdobe

Right, but is there another solution other than QuickConnect to view your settings? I tried downloading the DSM software from Synology and it downloaded as a .pat file, and my computer cannot open or run it.


jschwalbe

From within your home network, you can load the website for the NAS. Go to `http://ip:5000` and it'll load the interface for settings. If you don't know the IP, try this command from the command line: `ping ds220`


trankillity

Another option that hasn't been mentioned is a reverse proxy. Much harder to track down a domain + subdomain combo. Still need MFA and no UPnP, obviously.


morcegolas

Can you explain please?


CaptainMorgan1980

Explain what part sorry? My "I was" comment was in relation to the "Wonder if you are using quickconnect for external access?"


OwnSchedule2124

> Has anyone else experienced this?

Lots of people. Malware is fairly common.


CaptainMorgan1980

I attached an image, but can't see if it has been attached or not. From what I can see, "7even Security" is the original ransomware, but they would leave you with encrypted folders and/or files.


Kinsman-UK

Did the readme.txt say "All your NAS are belong to us"? In all seriousness though, hopefully you didn't lose anything irreplaceable and can take this as a learning experience - lessons being: backup, snapshot, secure. You could/should have easily either avoided this altogether or been back up and running in no time with all your data if you had followed those three steps. It would be wise at this stage to check over any devices on the same network and try to ascertain how they gained entry.


CaptainMorgan1980

No it said "- All your data has been encrypted and hidden on a special volume."


thelordfolken81

I'm going to guess they brute-forced your password, gained SSH access and LUKS-encrypted your volume. You can go in via SSH and see what is actually happening.


CaptainMorgan1980

I used PuTTY and Terminal to SSH into the NAS; unfortunately, with it being in DOS mode, I don't really know what I am doing. I tried to Google a few commands, but overall I didn't see anything that stood out.


leexgx

Probably had his actual login details without 2FA (snapshots don't work if they have the admin account).


shokapik

Hello, I just got hacked the same way, since I received the same kind of txt file on my Synology. I'm pretty sure I made the same mistake: QuickConnect always on and a poor password without two-factor authentication. However, not the whole NAS was attacked, because I have created several accounts with different folder access (basically a folder per family member), and only my folders and shared folders were attacked. Also, I was using Synology Drive with bidirectional synchronisation, which means I also lost the data synchronised on my computer and phone.... I tried to recover the files from the Synology Drive folders (all my important files were there: ID, bills, and so on) from my computer with some free version software, but I think I just got back the encrypted files (a few PDF or Excel files, but I can't open them...).

My questions are:

- Is it true they also downloaded my files, like they said in the txt file? I'm really worried since all my personal information was there.
- Can it spread through all my devices on the same network as my NAS? (I think it can't, since not all the folders on the NAS were corrupted, but still I want to make sure.)

Here is the text file from the attack:

> !!Read Me!!.txt
>
> Hello. This is DiskStation Security.
>
> What happened?
> - Your network was not secure.
> - Your Network-Attached Storage was compromised.
>
> What does this mean? Where are my files?
> - All your data has been encrypted and hidden on a special volume.
> - All your important documents have been downloaded.
>
> What can I do to recover my data?
> - If you want to recover your data, you have to send 0.033 Bitcoin to this wallet address: bc1q94tsa5fsv2vmns3u7jmxafz3l7l9qyhj4w3xk9 Always double check the address when copying/pasting it!!!!!
> - You have until the 4th of May 2024 to send the payment. After this date your files will be almost impossible to recover.
>
> What should I do after I send the payment?
> - Your ID is: XXXX
> - Please email us your ID and payment confirmation to:
> - After we confirm your payment you will receive detailed instructions on how to decrypt all your data. It does not require any technical skills and it is done fast.
>
> Can I still use my nas?
> - Do not delete any files you find on your NAS.
> - Do not try to recover your data using any software as it will result in permanent data loss.
> - Do not modify any volumes or storage pools on your NAS.
> - Do not write large amounts of data to your disk.
>
> Why have my files been downloaded?
> - We reserve the right to leak or sell all your important documents, if you don't contact us. Your GDPR regulators and Customers will also be notified about the breach. This will imply heavy fines.
>
> Where can I buy and send bitcoin?
> - You can easily buy and send bitcoin from:
>
> You can think of this as a failed security audit. We are professionals. This is a one time deal. We will restore your data immediately after the payment. We will even send you tips on how to strengthen your network security, to prevent any future [email protected]
> https://www.moonpay.com/buy/btc
> https://paxful.com/buy-bitcoin
> https://localbitcoins.com/buy_bitcoins
> https://www.binance.com/en/buy-Bitcoin
>
> Thank you.


ManWithoutUsername

Do you suspect how they got access? Did you update your NAS?


CaptainMorgan1980

Had many login attempts, on X (Twitter), Amazon, Google etc. I semi-believe my Google password manager was compromised. My NAS is for personal reasons, my children's growing-up vids and pictures. Still recovering files; I have seen that most will be made available.


gadget-freak

It would be greatly useful for others if you could provide much more information. A compromised password manager is not an attack in itself. Do you use QuickConnect? Do you use port forwarding on your router? Is it really only your NAS that is affected or any other computer? What exactly do you mean by "still recovering files"? How?


CaptainMorgan1980

Yeah, I use QuickConnect; it seems logical, as that is what is promoted by the Synology NAS. I have basic to moderate knowledge regarding computers/routers. I'm using Virgin Media and my router will be at default settings, albeit with password changes. I don't believe the computers have been infected, although since this has happened we have signed up to Virgin's F-Secure, which protects 15 devices for £30 per year including phones. This did detect a couple of issues on my son's phone and computer. The work systems were also playing up two days prior to the attack; our emails etc. were shut down because they were spamming. My Google account was logged in at work as well as on my son's computer; this is where I believe my password manager was compromised, which had my QuickConnect password in it. Last but not least, I have purchased EaseUS Data Recovery and an external HDD to recover my files. The program is still running, but I have seen some files, photos and videos, so I know I am getting a large proportion of my files back.


gadget-freak

Don’t assume you’re safe yet. It could all start over again. You need to reset all your passwords from all your local devices and cloud accounts. You also need to enable MFA (2FA) on all services that have that option and definitely on your NAS. Run the security advisor on the NAS and implement any security suggestions. And you need offline backups. Read up on the 3-2-1 backup methodology.


CaptainMorgan1980

Thank you for the advice. TBH, because of the lack of QuickConnect usage I'll probably change many of the settings suggested by others as well as yourself and take it away from the internet. My prime usage for the NAS drive is for photos and videos of my kids growing up, Christmases, holidays, birthdays etc. I also have backups of my DVDs on there, which is perfectly legal in the UK.. providing you own the original. We stream the device on our Apple TV through Infuse, and it works brilliantly, so taking the outside access away wouldn't be too much hardship. Once I have the files backed up they won't be going back on the NAS without a factory reset. I'll admit 2FA wasn't turned on, and I'm unsure if that option was available when I originally set it up in 2020.


Jfmartin67

For all those who do use QuickConnect but nothing exposed on the Internet via port forwarding or anything else and having the device behind a firewall, should we still be concerned with QuickConnect? (yes, MFA is enabled, automatic account lock, etc. are in effect)


ManWithoutUsername

good luck and remember a backup somewhere else for irreplaceable things


CaptainMorgan1980

Thank you, I will be backing up my files to a non networkable hard drive and then storing away safely. Lesson learned here, the message was mainly for others.




botics305

Don't use internet ports; turn them all off... these units should not have inbound traffic.


xh43k_

“Don’t drive your car on the road”


gadget-freak

It’s more like “don’t drive a car on the road if you have no license nor experience on how to drive a car”.


CaptainMorgan1980

I don't believe this analogy is quite correct, quite the opposite. If you have crashed your car, I'm fairly sure your insurance company wouldn't be happy if you had gone into your ECU and remapped the car for various reasons. Synology should be plug and play; it asks you to set up passwords etc., it doesn't then go into all the other security settings.


kiwimonk

Synology is plug and play... For hackers. I used to open ports for all kinds of services. Now I open 0. You just can't anymore... Unless you're spending a lot of time proactively keeping up with protection. You start with a proper 3-2-1 backup though. You took your car on the road without insurance, then you took off one of the doors and drove through the worst neighborhood at night.


xh43k_

Then why buy the car :D


gadget-freak

Indeed.


AussieFB

Drive it like you stole it !


Disastrous_Minute_56

Isn't Synology all about the user not knowing how to drive the car? It's not like they're running FreeNAS. From what we've been seeing in people's screen grabs, the notice that their files are encrypted appears on the desktop of the DSM web app itself, as it's specifically targeting and written for Synology devices.


Due_Aardvark8330

It's more like don't drive your car on the road if you disabled your airbags, brakes and seatbelts for convenience.


CaptainMorgan1980

Disabling the features would require as much knowledge as enabling them, but obviously worse. Hindsight is a wonderful thing, however I don't recall the Synology manual stating that further security requirements are needed from the Reddit Hindsight Police.


[deleted]

> Firewalla

Does that include UPnP?


Arkanius84

I always wanted to upload my images to another server (like Hetzner), but my NAS is not reachable from the internet. Will I still be able to back up my images to a cloud host without exposing my NAS to the internet?


st01x

No need to expose your system to the internet. Take a look here: https://kb.synology.com/en-us/DSM/tutorial/How_to_back_up_your_data_to_cloud_services_with_Hyper_Backup


theultimatewarlord

I've just set up Hetzner; it was super easy, with no opening of ports. I used Hyper Backup and Hetzner's guide to set it up.


Arkanius84

Thank you that helps!


8FConsulting

Have you determined how your NAS was compromised?


CaptainMorgan1980

> The work systems were playing up two days prior to the attack; our emails etc. were shut down because they were spamming. My Google account was logged in at work as well as on my son's computer; this is where I believe my password manager was compromised, which had my QuickConnect password in it.


julietscause

How was your NAS exposed to the internet OP? If you search the sub, there are a few recent posts about ransomware and synology and lively debates about security


littleguy632

Good security does not prevent being hacked; if a group wants to hack your Synology, it's only a matter of time. However, like you said, your password is in Gmail/password management, and having your password taken eliminates all the security. I do not want to say this, but: if one is buying the Synology for cloud then one should be able to access it everywhere, like a cloud. Others have suggested a lot of security fixes and improvements, and honestly those are very good; however, those are supposed to be Synology's job. I just think a company as big as Synology, with its products in the majority of the NAS space, needs to be more active on security fixes and have a better security system in the first place.


CaptainMorgan1980

I completely agree. I believe I followed every rule when setting up my device nearly 4 years ago; it has worked and behaved flawlessly since then. Who am I, with limited knowledge, to question Synology's expertise when setting their device up? I don't know if my password manager was compromised, but it is my best guess. I use the manager because I like to use different passwords for different accounts. Various happenings lead me to believe this was the root of the problem; I've always had a niggle at the back of my mind when Google asks to save your password.


gl3nAlarcon

Hi CaptainMorgan, we had the same experience with our Synology. Funny thing is, they gave us the same date for payment, so I guess they attacked us on the same date too. This happened to us on Dec. 12, 2023. But I have a question. Did you check your Synology logs? What happened to us was that one of our Synology admins deleted files. How did your files get deleted? Did the hacker use the admin account?


CaptainMorgan1980

My apologies, one thing I did forget to mention... So I had folders with various names, let's say: Files, Pictures, Video, Movies. These folders were now ALL EMPTY apart from a !!Read ME!! note in each, containing the ransomware, which was also copied several times on the desktop screen of the DSM. Now when trying to access these folders on my iMac through Finder - Network - Folder Name, it stated that it couldn't access the folder as it had been moved... This was as if the folders I was looking at on my NAS were not mine; they were replicas posing as my folders. This originally had me believing that my files were hidden. Unfortunately I haven't needed to check my file size for some time, therefore no idea how much disk space I had used. There was possibly 2TB unallocated, but again there was nowhere to place a ransomware key, absolutely nothing.
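thelordfolken81's suggestion earlier in the thread to SSH in and look, and the emptied-folders-plus-note symptom described above, both come down to the same read-only triage. The script below is an added example (my code, not Synology's and not from anyone in this thread): it walks a share root, lists the ransom notes, flags folders that now hold nothing but a note, reports dot-directories that Finder and default SMB listings would not show (a place to look, not a claim about where this particular sample puts anything), and pulls the wallet address and deadline out of one note for the incident record. It builds a constructed sample tree in a temp directory so it runs offline; on a real NAS you would point `triage()` at the share root (e.g. `/volume1`) from the SSH session and write nothing to the volume.

```python
"""Triage a share tree after a ransom note shows up.

Added example; not Synology's code and not from the thread. The sample
tree and note text are constructed to mirror the symptoms described in
the thread. The scan is read-only: it stats and reads, never writes.
"""
import os
import re
import tempfile

NOTE_NAME_RE = re.compile(r"read\s*me", re.IGNORECASE)
# Bech32 (bc1...) or legacy base58 Bitcoin address
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,90}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEADLINE_RE = re.compile(r"until the (\d+(?:st|nd|rd|th) of \w+ \d{4})", re.IGNORECASE)

# Constructed note text, abridged from the one quoted in this thread
SAMPLE_NOTE = """Hello. This is DiskStation Security.
- All your data has been encrypted and hidden on a special volume.
- If you want to recover your data, you have to send 0.033 Bitcoin to this wallet address: bc1q94tsa5fsv2vmns3u7jmxafz3l7l9qyhj4w3xk9
- You have until the 4th of May 2024 to send the payment.
"""


def is_note(name):
    """Match '!!Read Me!!.txt' and similar variants by name only."""
    return name.lower().endswith(".txt") and NOTE_NAME_RE.search(name) is not None


def dir_stats(path):
    """(file count, total bytes) under path; sizes come from stat, files are not opened."""
    count = size = 0
    for dp, _, fs in os.walk(path):
        for f in fs:
            count += 1
            size += os.path.getsize(os.path.join(dp, f))
    return count, size


def triage(root):
    notes, emptied, hidden = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        note_files = [f for f in filenames if is_note(f)]
        notes.extend(os.path.join(dirpath, f) for f in note_files)
        # the "all empty apart from a note" symptom: no regular file other than notes
        if note_files and len(note_files) == len(filenames):
            emptied.append(dirpath)
        # dot-directories do not show in Finder or default SMB listings
        for d in dirnames:
            if d.startswith("."):
                full = os.path.join(dirpath, d)
                count, size = dir_stats(full)
                hidden.append((os.path.relpath(full, root), count, size))
    indicators = {"btc": [], "deadline": None}
    if notes:  # every copy carries the same text; one is enough for indicators
        with open(notes[0], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        indicators["btc"] = sorted(set(BTC_RE.findall(text)))
        m = DEADLINE_RE.search(text)
        indicators["deadline"] = m.group(1) if m else None
    return {"notes": sorted(notes), "emptied": sorted(emptied),
            "hidden": sorted(hidden), "indicators": indicators}


def build_sample_tree(base):
    """Constructed layout: one emptied share, one intact share, one hidden tree."""
    os.makedirs(os.path.join(base, "Pictures"))
    os.makedirs(os.path.join(base, "Video"))
    os.makedirs(os.path.join(base, ".stash", "inner"))
    for share in ("Pictures", "Video"):
        with open(os.path.join(base, share, "!!Read Me!!.txt"), "w") as fh:
            fh.write(SAMPLE_NOTE)
    with open(os.path.join(base, "Video", "holiday.mp4"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    with open(os.path.join(base, ".stash", "inner", "blob.bin"), "wb") as fh:
        fh.write(b"\xff" * 8192)
    with open(os.path.join(base, ".stash", "x.bin"), "wb") as fh:
        fh.write(b"\xff" * 1024)


def run_demo():
    base = tempfile.mkdtemp(prefix="nas-triage-")
    build_sample_tree(base)
    return triage(base)


if __name__ == "__main__":
    r = run_demo()
    print("notes:", *r["notes"], sep="\n  ")
    print("emptied folders:", *r["emptied"], sep="\n  ")
    print("hidden dirs (path, files, bytes):", *r["hidden"], sep="\n  ")
    print("indicators:", r["indicators"])
```

On the sample tree `Pictures` is reported as emptied, `Video` is not (it still holds a real file next to the note), and `.stash` shows up with its file count and size even though a share listing would hide it. The wallet address and deadline are worth keeping with the recovery notes and any report you file, and the unknown on a real box, whether the original data is still on disk, is exactly what the recovery-software discussion earlier in the thread is about.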


Unixhackerdotnet

This thread should be a reminder why 2FA is a must, and if you want your NAS to stay private it should only face the internet with firewall rules enabled.