Every NAS connected to your network is a potential ransomware target. Regardless of brand, and regardless of whether it's exposed directly to the internet. This guide covers the specific attack vectors used in real NAS ransomware incidents (Deadbolt on QNAP, eCh0raix on Synology), the configuration changes that eliminate most of that exposure, and the snapshot and backup strategy that limits data loss if an attack succeeds. It applies to Synology, QNAP, UGREEN, and Asustor. Australian warranty and ACL context for ransomware incidents is in the AU section below.
In short: Disable the default admin account, turn off UPnP, never expose your NAS login page to the internet, use a VPN for remote access, enable snapshots on every shared folder, and maintain a 3-2-1 backup strategy with at least one offsite copy. These six steps stop the vast majority of NAS ransomware attacks before they start.
Why NAS Devices Are a Prime Ransomware Target
A NAS is fundamentally different from a laptop or desktop when it comes to ransomware risk. A laptop might hold a few hundred gigabytes of documents; a NAS typically holds terabytes of consolidated data: family photos, business records, media libraries, surveillance footage, and backups. It runs 24/7, sits on your network with a static IP, and often has services reachable from the internet via port forwarding or UPnP. Attackers know this. A single compromised NAS can yield a ransom payment that a single laptop never would, because the data concentration makes the loss devastating.
There is an important distinction between home NAS units on NBN connections and corporate setups. Home units commonly rely on the vendor's relay-based remote access (Synology QuickConnect, QNAP myQNAPcloud, Asustor EZ-Connect), which puts the vendor's relay infrastructure inside your attack surface. See the remote access guide for setup options that minimise exposure. NBN-specific remote access considerations are covered in the AU section below.
Step 1: Disable the Default Admin Account
The weakness most often abused on NAS devices is the default admin account. Automated attack scripts try "admin" as the username first because it exists on almost every unit, which turns a password guess into a credential guess with half the work already done. Both Synology DSM and QNAP QTS ship with a built-in "admin" account that many users never disable.
On Synology DSM: Create a new administrator account with a unique username, log in with it, then go to Control Panel > User & Group and disable the built-in "admin" account. DSM will warn you. Confirm it. Your new admin account should use a strong, unique password of at least 16 characters.
On QNAP QTS / QuTS Hero: Create a new administrator account, log in with it, then go to Control Panel > Users and disable the default "admin" account. QNAP's recent firmware versions prompt you to do this during initial setup, but older installations may still have the default account active.
Do this first. If your NAS still has the default admin account enabled, stop reading and disable it now. Automated bots scan the internet continuously for NAS login pages and try "admin" against every one they find, and they will find yours if the page is reachable. Together with Step 2 (keeping the login page off the internet), this removes the two ingredients those bots depend on: a known username and a reachable login form.
Step 2: Turn Off UPnP and Close Unnecessary Ports
UPnP (Universal Plug and Play) lets devices on your network open ports on your router automatically, without your knowledge or approval. Many NAS devices use UPnP to make remote access setup easier, but the result is a NAS exposed directly to the internet. This is the pattern behind the large NAS ransomware campaigns: the NAS opens a port via UPnP, attackers discover it through mass internet scanning, and they either exploit a known vulnerability in the exposed service or brute-force the login.
Disable UPnP on your router. Not just on the NAS. Check your router's settings and turn off UPnP globally. Then check your NAS settings:
Synology DSM: Go to Control Panel > External Access > Router Configuration and ensure no UPnP port forwarding rules are active. Also check Control Panel > Login Portal > DSM to confirm the NAS is not listening on an externally accessible port.
QNAP QTS: Go to Control Panel > Network & Virtual Switch > Service Discovery and disable UPnP. Also check myQNAPcloud settings and disable any automatic port forwarding.
After disabling UPnP, manually review your router's port forwarding table. Remove any rules pointing to your NAS unless you have a specific, justified reason for them. Ports 5000, 5001, 8080, and 443 are commonly forwarded for NAS access and should be closed unless protected by a VPN.
Step 3: Use a VPN for Remote Access. Not QuickConnect or myQNAPcloud
Both Synology and QNAP offer built-in remote access services. Synology's QuickConnect and QNAP's myQNAPcloud. These services relay your connection through vendor servers to reach your NAS without port forwarding. While convenient, they still expose your NAS login interface to anyone who knows (or guesses) your QuickConnect ID or myQNAPcloud address. If your credentials are weak, this is an open door.
The more secure approach is to use a VPN (Virtual Private Network) to access your home or office network remotely, and then access the NAS as if you were on the local network. This way, the NAS login page is never exposed to the internet at all.
Options for VPN access:
- NAS-hosted VPN: Both Synology (VPN Server package) and QNAP (QVPN Service) can act as VPN servers. This is the simplest option but means the NAS itself must accept incoming VPN connections on one port.
- Router-hosted VPN: If your router supports WireGuard or OpenVPN, this is the more secure option. The NAS is not directly exposed at all. The router handles VPN authentication.
- Tailscale or ZeroTier: Mesh VPN services that create encrypted tunnels between your devices without opening any inbound ports. Tailscale in particular has become popular for NAS remote access. Both Synology and QNAP support Tailscale installation.
Australian NBN note: If your NBN connection uses CGNAT (Carrier-Grade NAT), which is common on fixed wireless, satellite, and some fibre-to-the-node services, traditional port forwarding and VPN server hosting will not work, because your router does not have a public IP address. Tailscale or ZeroTier are your best options here: both make outbound connections to a coordination service and traverse NAT without any inbound ports, falling back to an encrypted relay when direct hole-punching fails (which costs speed, not security). Contact your ISP to check whether you are behind CGNAT, or request a static public IP if your plan supports it.
Step 4: Enable Snapshots on Every Shared Folder
Snapshots are your most effective recovery tool if ransomware does encrypt your NAS files. A snapshot is a read-only, point-in-time copy of a shared folder; ransomware writing through the share cannot modify it. If your files are encrypted, you roll back the affected shared folder to a snapshot taken before the infection, and your data is restored without paying a ransom.
Synology DSM: Open Snapshot Replication from the package centre. Enable snapshots on every shared folder that contains important data. Set a schedule. Daily snapshots with a 30-day retention is a reasonable starting point for home users. Business users should consider more frequent snapshots (every 4-6 hours) with longer retention.
QNAP QTS: Open Storage & Snapshots and enable a snapshot schedule for each shared folder. Snapshot rollback was the main recovery path for Deadbolt victims who had snapshots in place before the attack. On QuTS Hero, snapshots are native ZFS copy-on-write snapshots; ZFS also checksums every block and repairs silent corruption during scheduled scrubs, which is a data-integrity benefit separate from ransomware protection.
Critical point: Snapshots consume storage space. Each snapshot stores only the changes since the last snapshot (not a full copy), but over time this adds up. Plan to reserve 10-20% of your total NAS storage capacity for snapshots. If your NAS is nearly full, you need more drives before snapshots become practical. Check our best NAS hard drive guide for current Australian pricing on NAS-grade drives.
Why snapshots beat mirror-style backups for ransomware recovery: A backup job that simply copies the current state of each file copies encrypted files too. If ransomware encrypts your data and the job runs before you notice, the destination now holds the encrypted versions and the clean ones are gone. Snapshots preserve the state of a folder at fixed points in time, and ransomware running on a client PC cannot alter or delete them, because the client only sees the share, not the snapshot store. The exception is an attacker who gains administrator access to the NAS itself and can delete snapshots unless they are immutable; that is why snapshots pair with a versioned offsite backup (Step 9) rather than replacing it.
Step 5: Enable Two-Factor Authentication (2FA)
Even with a strong password and the default admin account disabled, credentials can be compromised through phishing, password reuse, or data breaches on other services. Two-factor authentication adds a second layer: after entering your password, you must also enter a time-based code from an authenticator app on your phone.
Synology DSM: Go to Personal Settings > Account > 2-Factor Authentication and set up using an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator). Synology also supports hardware security keys (FIDO2/U2F) for even stronger authentication.
QNAP QTS: Go to Control Panel > Security > 2-Step Verification and configure an authenticator app. Enforce 2FA for all administrator accounts at minimum. Ideally for all user accounts.
Enable 2FA for every account that has write access to shared folders. This is non-negotiable for any NAS accessible remotely.
Step 6: Enable Auto-Block and Account Lockout
Brute-force attacks, automated scripts that try thousands of username and password combinations, are one of the most common attack vectors against NAS devices. Both Synology and QNAP include automatic IP blocking to counter this.
Synology DSM: Go to Control Panel > Security > Protection. Enable auto-block and set it to block an IP after 5 failed login attempts within 5 minutes. Enable the blocklist expiry so blocked IPs are released after 30 days (this prevents your blocklist from growing indefinitely). Also enable account protection to lock accounts after repeated failed logins.
QNAP QTS: Go to Control Panel > Security > IP Access Protection. Enable it for all connection types (HTTP/HTTPS, SSH, FTP, SMB) and set the blocking thresholds. Also enable Network Access Protection to block IPs across all protocols simultaneously. Auto-block is a backstop for Step 2, not a substitute: if the login page is not reachable from the internet, there is nothing for a botnet to brute-force in the first place.
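The rule both vendors implement in their auto-block features fits in a few dozen lines, which makes it easier to reason about the thresholds you pick. The following is an added example, not code from the guide or from Synology or QNAP: it runs a five-failures-in-five-minutes sliding window over constructed log lines formatted to resemble DSM connection-log entries, skips an assumed LAN allow list (192.168.1.0/24), and records which usernames each blocked source tried. The log format, the allow list and the addresses are assumptions for the example.

```python
"""Sliding-window detection of brute-force logins against a NAS.

Added example, not code from the guide or from Synology/QNAP. It re-implements
the rule Step 6 asks you to configure (block an IP after 5 failures within
5 minutes, never block the LAN) so you can see what the auto-block feature is
doing and run the same logic over your own exported logs. The sample lines are
constructed to resemble DSM connection-log entries; adjust LOG_RE if your NAS
formats them differently.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
2024-05-01 10:00:01 Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:00:03 Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:00:06 Connection: User [root] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2024-05-01 10:00:09 Connection: User [administrator] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:00:12 Connection: User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:00:15 Connection: User [alice] from [192.168.1.20] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:00:20 Connection: User [alice] from [192.168.1.20] logged in successfully via [DSM].
2024-05-01 10:01:00 Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:30:00 Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:31:00 Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:32:00 Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
2024-05-01 10:33:00 Connection: User [admin] from [198.51.100.9] failed to log in via [DSM] due to authorization failure.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Connection: User \[(?P<user>[^\]]+)\] "
    r"from \[(?P<ip>[^\]]+)\] failed to log in"
)

# Assumed LAN range. DSM's auto-block has an allow list for exactly this reason:
# a typo on your own laptop must not lock you out of the NAS.
ALLOW_LIST = (ip_network("192.168.1.0/24"),)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def find_blocks(log_text, threshold=5, window_minutes=5, allow_list=ALLOW_LIST):
    """Return {ip: (block_time, usernames_tried)} for every source that reached
    `threshold` failures inside a sliding window of `window_minutes`.
    Attempts older than the window are dropped, so five failures spread over
    an hour do not trigger a block with the default settings."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames that source has tried
    blocked = {}
    for ts, user, ip in parse_failures(log_text):
        if ip in blocked:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in allow_list):
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:   # q always holds ts itself, so this terminates
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = (ts, sorted(users[ip]))
    return blocked


if __name__ == "__main__":
    for ip, (when, names) in find_blocks(SAMPLE_LOG).items():
        print(f"block {ip} at {when:%H:%M:%S}; usernames tried: {', '.join(names)}")
```

Run it against your own exported log to see which sources would have been blocked, and note the second attacker in the sample: five failures spread over half an hour stay under the default five-minute window, which is why slow, distributed guessing is stopped by keeping the login page off the internet and by 2FA, not by auto-block alone.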
Step 7: Keep Firmware and Apps Updated
Most NAS ransomware exploits target known vulnerabilities for which the vendor has already shipped a fix. The Deadbolt campaigns against QNAP devices exploited vulnerabilities with patches available, and devices that had applied them (and, better still, were not reachable from the internet) were not affected. The same applies to Synology: every critical security advisory is paired with a DSM update that closes the hole.
Enable automatic updates for both the NAS operating system and installed packages. On Synology DSM, go to Control Panel > Update & Restore and enable automatic DSM updates. On QNAP QTS, go to Control Panel > Firmware Update and enable auto-update. For both platforms, also update installed apps regularly through the package centre or App Center.
If you are uncomfortable with automatic updates (some business users prefer to test updates before deploying), set a calendar reminder to check for updates weekly. The key is consistency. The window between a vulnerability being disclosed and it being exploited is measured in days, not months.
Step 8: Disable Unused Services and Ports
Every service running on your NAS is a potential attack surface. If you are not using FTP, disable it. If you are not using SSH, disable it. If you are not using Telnet (you should not be), disable it. The fewer services running, the fewer entry points an attacker can exploit.
Services to review and disable if not needed:
- FTP: sends credentials and file contents in plaintext. Disable it and use SMB or NFS for local file sharing. SFTP is encrypted but is still a remotely reachable login service, so enable it only while you need it
- SSH / Telnet. Only enable temporarily when you need command-line access
- Web-based file managers. Synology's File Station and QNAP's File Station are useful but should not be internet-accessible
- Media streaming services. Disable DLNA, iTunes Server, and Plex ports from external access
- Default HTTP port (5000 on Synology, 8080 on QNAP). Force HTTPS-only access and disable the unencrypted HTTP port entirely
On Synology, go to Control Panel > Login Portal > DSM, enable "Automatically redirect HTTP connections to HTTPS" and "Enable HSTS", then block the HTTP port (5000) with the DSM firewall (Control Panel > Security > Firewall) so that nothing outside the LAN can reach it; DSM has no single switch to stop listening on HTTP, so the firewall rule is what actually closes the port. On QNAP, go to Control Panel > System > General Settings > System Administration and tick "Force secure connection (HTTPS) only".
Step 9: Set Up Offsite Backup. The 3-2-1 Strategy
All of the security measures above reduce the likelihood of a successful attack, but no security is perfect. The only true protection for your data is a copy that ransomware cannot reach: an offsite backup, either to a cloud service, to a second NAS at another location, or to an external drive stored off-premises.
The 3-2-1 backup strategy is the gold standard: 3 copies of your data, on 2 different media types, with 1 copy offsite. For most Australian NAS owners, this looks like:
- Copy 1: Primary data on your NAS (RAID provides redundancy, not backup)
- Copy 2: Local backup. USB drive connected to the NAS, or a second NAS on the same network
- Copy 3: Offsite backup. Cloud (Synology C2, Backblaze B2, Wasabi) or a remote NAS at a second location
NBN upload reality: Australian NBN connections typically offer around 20-40 Mbps upload on standard plans, with the common NBN 100/20 tier delivering roughly 20 Mbps upload, which is about 9 GB per hour at full rate. At that speed 10 TB takes around 46 days of continuous uploading, so the initial cloud backup seed will take weeks. Plan for this. Start your cloud backup early, prioritise your most important data first, and let incremental syncs handle the rest over time. Some cloud providers accept posted hard drives for initial seeding.
Critical detail: Your offsite backup must be versioned or immutable. If the backup simply mirrors your NAS and ransomware encrypts the NAS, the mirror syncs the encrypted files to the cloud and destroys your backup. Use versioned backups (Hyper Backup on Synology, Hybrid Backup Sync on QNAP) or cloud storage with object lock / immutability (Backblaze B2 with Object Lock, Wasabi with Object Lock, or Synology C2 with versioning enabled). Versioning protects against encrypted files being synced over clean ones; immutability additionally protects against an attacker who takes over the NAS and uses the backup credentials stored on it to delete the old versions, because locked objects cannot be deleted by anyone until the retention period expires. Set that retention period longer than the time it would plausibly take you to notice an infection.
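To make the difference between a mirror, a versioned backup and an object-locked backup concrete (the point made both under snapshots in Step 4 and in the critical detail above), here is an added Python model, not code from the guide or from any backup vendor. It keeps three in-memory destinations, replays a clean backup on day 1, an encryption event followed by a scheduled backup on day 2, and then an attacker using the backup credentials stored on the NAS to purge the destination. The file names, the toy XOR "encryption", the day numbering and the 30-day lock are constructed for the example; Object Lock is modelled as a per-object retain-until day that deletion cannot override.

```python
"""Mirror backup vs versioned backup vs object-locked backup under ransomware.

Added illustration, not code from the guide or from any backup vendor. It
models three destinations in memory and replays the two things an attacker
does: encrypt the files on the NAS (so the next scheduled job copies the
encrypted view), then use the backup credentials stored on the NAS to purge
the destination. Object Lock as offered by Backblaze B2 and Wasabi is
modelled as a retain-until day that deletion cannot override. Days are
integers to keep the example self-contained.
"""
from dataclasses import dataclass


@dataclass
class Version:
    day: int            # day the version was written
    data: bytes
    retain_until: int   # object lock: deletion refused before this day (0 = unlocked)


class BackupStore:
    def __init__(self, versioned, lock_days=0):
        self.versioned = versioned
        self.lock_days = lock_days
        self.objects = {}  # path -> [Version, ...]

    def sync(self, day, files):
        """Push the NAS's current view ({path: bytes}) to the destination."""
        for path, data in files.items():
            lock = day + self.lock_days if self.lock_days else 0
            v = Version(day, data, lock)
            if self.versioned:
                self.objects.setdefault(path, []).append(v)  # keep history
            else:
                self.objects[path] = [v]                     # overwrite in place
        if not self.versioned:
            # A mirror also mirrors deletions: files renamed by ransomware vanish.
            for path in list(self.objects):
                if path not in files:
                    del self.objects[path]

    def purge(self, day):
        """Attacker holding the NAS's backup credentials deletes everything the
        API lets them delete. Returns the number of versions the lock refused."""
        refused = 0
        for path, versions in list(self.objects.items()):
            kept = [v for v in versions if v.retain_until > day]
            refused += len(kept)
            if kept:
                self.objects[path] = kept
            else:
                del self.objects[path]
        return refused

    def restore_before(self, day):
        """Recover the newest version of each file written before `day`."""
        out = {}
        for path, versions in self.objects.items():
            clean = [v for v in versions if v.day < day]
            if clean:
                out[path] = max(clean, key=lambda v: v.day).data
        return out


def encrypt(files, key=0x5A):
    """Toy ransomware: XOR the contents and rename with a marker extension."""
    return {path + ".locked": bytes(b ^ key for b in data) for path, data in files.items()}


def survives_attack(store, attacker_purges=True):
    """True if the clean data can still be recovered from `store` after the attack."""
    clean = {"photos/2019.jpg": b"jpeg-bytes", "docs/tax.pdf": b"pdf-bytes"}  # constructed
    store.sync(day=1, files=clean)              # day 1: a clean backup run
    store.sync(day=2, files=encrypt(clean))     # day 2: the job runs after encryption
    if attacker_purges:
        store.purge(day=2)                      # day 2: attacker deletes the backups
    return store.restore_before(day=2) == clean


if __name__ == "__main__":
    print("mirror:                 ", survives_attack(BackupStore(versioned=False)))
    print("versioned, no purge:    ", survives_attack(BackupStore(versioned=True), attacker_purges=False))
    print("versioned, purged:      ", survives_attack(BackupStore(versioned=True)))
    print("versioned + 30-day lock:", survives_attack(BackupStore(versioned=True, lock_days=30)))
```

Only the versioned store with a lock survives the purge; the versioned store without a lock survives the encryption but not an attacker holding credentials, and the mirror survives neither. The lock period is the parameter that matters: once `retain_until` passes, `purge` succeeds, so retention has to outlast the time it takes you to notice an infection.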
Step 10: Restrict User Permissions and Shared Folder Access
The principle of least privilege applies to NAS security. Every user account should only have access to the folders they actually need. If a user account is compromised by ransomware, the damage is limited to the folders that account can write to. A properly configured NAS with restricted permissions will contain the blast radius of an attack rather than losing everything.
Practical steps:
- Create separate user accounts for each person who accesses the NAS. No shared accounts
- Set shared folder permissions so each user only has read/write access to their own folders
- Use read-only access for shared media folders (movies, music) that do not need write access from regular users
- Keep administrator accounts to the absolute minimum. Ideally one admin account, used only for NAS configuration
- Never use an administrator account for daily file access
On both Synology and QNAP, configure permissions at the shared folder level and at the application level. A user who needs access to shared files does not necessarily need access to the NAS admin interface, surveillance station, or Docker.
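The blast radius of a compromised account is computable from the shared-folder permissions. The following is an added example, not code from the guide or from either vendor: it expands group membership, resolves each user's effective permission on each folder, and lists the folders ransomware running as that user could encrypt. The precedence rule it models (an explicit No Access beats Read/Write, which beats Read Only, with the user's own entry and all their groups considered together) follows Synology's documented shared-folder permission rules; treat it as an assumption for other vendors. The users, groups and folders are constructed for the example.

```python
"""Blast radius of one compromised account under shared-folder permissions.

Added example, not from the guide. It expands group membership, resolves each
user's effective permission on each shared folder, and reports which folders a
given account could encrypt. The precedence rule modelled (No Access beats
Read/Write, which beats Read Only, across the user's own entry and all group
entries) follows Synology's documented shared-folder behaviour; treat it as an
assumption for other vendors. The accounts, groups and folders are constructed.
"""
NO_ACCESS, READ_ONLY, READ_WRITE = "no access", "read only", "read/write"
RANK = {NO_ACCESS: 3, READ_WRITE: 2, READ_ONLY: 1}   # higher rank wins

# Constructed directory: who is in which group.
GROUPS = {
    "administrators": {"nasadmin"},
    "users": {"alice", "bob", "carol"},
    "media-editors": {"bob"},
}

# Constructed shared-folder ACLs: folder -> {principal: permission}.
SHARES = {
    "photos":  {"alice": READ_WRITE, "users": READ_ONLY},
    "media":   {"users": READ_ONLY, "media-editors": READ_WRITE},
    "finance": {"carol": READ_WRITE},                        # nobody else listed
    "backups": {"administrators": READ_WRITE, "users": NO_ACCESS},
}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def effective_permission(user, share, shares=SHARES):
    """Resolve one user's permission on one share from their own entry plus
    every group they belong to. Administrators always have full access."""
    if "administrators" in groups_of(user):
        return READ_WRITE
    acl = shares[share]
    entries = [acl[p] for p in {user} | groups_of(user) if p in acl]
    if not entries:
        return NO_ACCESS          # no grant at all means no access
    return max(entries, key=lambda p: RANK[p])


def blast_radius(user, shares=SHARES):
    """Shares that ransomware running as `user` could encrypt."""
    return sorted(s for s in shares if effective_permission(user, s, shares) == READ_WRITE)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "nasadmin"):
        print(f"{u:9} can write to: {blast_radius(u) or 'nothing'}")
```

Run it and compare `nasadmin` with everyone else: the administrator's blast radius is every folder on the NAS, which is the concrete cost of using an admin account for daily file access. The `locked_down` case in the check below also shows the precedence trap: adding a No Access entry for the whole `users` group silently revokes a member's explicit Read/Write.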
NAS Security Checklist: Quick Reference
| Security Measure | Priority | Synology DSM | QNAP QTS |
|---|---|---|---|
| Disable default admin | Critical | Control Panel > User & Group | Control Panel > Users |
| Disable UPnP | Critical | Router + DSM External Access | Router + myQNAPcloud |
| Enable VPN for remote access | Critical | VPN Server package or Tailscale | QVPN Service or Tailscale |
| Enable snapshots | High | Snapshot Replication | Storage & Snapshots |
| Enable 2FA | High | Personal Settings > Account | Control Panel > Security |
| Auto-block failed logins | High | Control Panel > Security > Protection | Control Panel > Security > IP Access Protection |
| Firmware auto-update | High | Control Panel > Update & Restore | Control Panel > Firmware Update |
| Disable unused services | Medium | Control Panel > File Services | Control Panel > Network Services |
| Force HTTPS only | Medium | Control Panel > Login Portal | Control Panel > General Settings |
| Offsite versioned backup | Critical | Hyper Backup | Hybrid Backup Sync |
| Restrict user permissions | High | Control Panel > Shared Folder | Control Panel > Shared Folders |
What to Do If Your NAS Is Already Infected
If you discover encrypted files or a ransom note on your NAS, take these steps immediately:
- Disconnect the NAS from the network. Pull the Ethernet cable. Do not shut it down yet. Powering off may destroy evidence or interrupt any recovery tools that could help.
- Do not pay the ransom. There is no guarantee of file recovery, and payment funds further attacks. The Australian Cyber Security Centre (ACSC) and the AFP advise against paying ransoms.
- Check your snapshots. If you had snapshots enabled, connect a laptop directly to the NAS (Ethernet, no internet connection) and check whether clean snapshot versions exist. If they do, you can roll back affected shared folders.
- Check your offsite backup. If you have an offsite or cloud backup with versioning, your data is likely recoverable. Do not restore until you have cleaned the NAS.
- Report the incident. Report to the ACSC via cyber.gov.au/report and consider contacting the AFP if business data is involved.
- Rebuild the NAS. After recovering your data, perform a full factory reset and reinstall the NAS operating system before reconnecting it to your network. Implement every step in this guide before restoring your data.
Do not pay the ransom. Free decryption tools have later been published for some NAS ransomware families by law enforcement and security vendors, but there is no guarantee one will appear for yours, and paying does not reliably produce a working key either. Payment also carries legal risk: the Australian government's position is that ransom payments fund criminal organisations and may breach sanctions laws in some circumstances.
Brand-Specific Security Features Worth Knowing
Synology
Synology's DSM includes several built-in security tools that are easy to configure but often overlooked:
- Security Advisor: A built-in scanner that checks your NAS configuration against security best practices and flags issues. Run it after initial setup and monthly thereafter.
- Hyper Backup with versioning: Supports versioned backups to local, remote, and cloud destinations. Each backup version is independent. Ransomware encrypting the latest version does not destroy previous versions.
- Immutable snapshots: Available in Snapshot Replication on DSM 7.2 and later, on models that support Btrfs. An immutable snapshot cannot be deleted or altered before its retention period expires, even by an administrator account, so an attacker who gains admin access cannot wipe your recovery points. Set the retention longer than the time it would take you to notice an infection.
- Synology C2 cloud: Synology's own cloud backup service with built-in versioning and encryption. An Australian-friendly option, though data is stored in overseas data centres.
QNAP
QNAP's QTS and QuTS Hero offer deeper security features, reflecting the brand's more technical user base:
- QuFirewall: A full firewall built into QTS that allows granular control of inbound and outbound traffic by port, protocol, and IP range. More powerful than Synology's built-in firewall.
- WORM storage (QuTS Hero): Write Once, Read Many. Prevents files from being modified or deleted for a defined retention period. Particularly valuable for businesses with compliance requirements.
- SnapSync: Near-real-time snapshot replication between two QuTS Hero NAS devices. If one NAS is compromised, the second has recent clean snapshots available for immediate recovery.
- ZFS self-healing (QuTS Hero): Automatically detects and repairs corrupted data blocks during scheduled scrubs. This protects against silent data corruption that RAID alone cannot detect.
- Security Counselor: QNAP's equivalent of Synology's Security Advisor. Scans for misconfigurations, weak passwords, and exposed services.
QNAP's security incident history has actually driven significant investment in security features. The Deadbolt ransomware attacks pushed QNAP to improve firmware update processes, strengthen default security configurations, and develop better snapshot-based recovery tools. For a detailed comparison of both brands, see our Synology vs QNAP Australia guide.
🇦🇺 Australian Buyers: Warranty, ACL, and Ransomware
A question that comes up after ransomware incidents: does warranty or Australian Consumer Law cover data loss from ransomware? The short answer is no. Australian Consumer Law protects the hardware purchase. It guarantees the product is fit for purpose and free from defects. A ransomware attack is not a hardware defect. If your NAS hardware is functioning correctly but your data has been encrypted by malware, ACL does not apply. Your warranty covers a faulty motherboard or dead power supply, not the consequences of a cyber attack.
ACL note: Australian Consumer Law protections apply when you buy NAS hardware from an Australian retailer. Warranty covers hardware defects and failures, not data loss, ransomware, or software-related incidents. For official guidance on your consumer rights, visit accc.gov.au. Neither Synology nor QNAP has a service centre in Australia; warranty claims go through your retailer, so expect a 2-3 week turnaround for hardware replacements.
This reinforces why prevention and backup are everything. If your NAS is encrypted by ransomware, no retailer, vendor, or consumer protection law will get your data back. Only your backups can do that. If you are setting up a NAS for the first time, see our what is a NAS guide for a complete overview, and our best NAS Australia guide for current models and pricing from Australian retailers like Scorptec, PLE, and Mwave.
Drive failure is a separate risk from ransomware. Our Drive Failure Risk Estimator calculates the probability of a physical drive failure event for your array size and AFR, independent of external threats.
Can ransomware encrypt files on a NAS that is only used on a local network?
Yes. Ransomware does not need the NAS to be internet-accessible. If a computer on your local network is infected, the malware scans for and encrypts files on every network drive that computer has mounted, including NAS shared folders mapped as drive letters on Windows or mounted via SMB on macOS. The NAS is not "hacked" directly; the infection travels through the network from a compromised PC using that PC's own credentials, so it can only touch the folders that account can write to. This is why user permissions, snapshots, and offsite backups matter even for NAS devices that are never exposed to the internet.
Is Synology or QNAP more secure against ransomware?
Neither brand is inherently more secure. QNAP has had more publicised ransomware incidents (Deadbolt, eCh0raix), but this is partly because QNAP's default configuration historically made it easier to accidentally expose the NAS to the internet. Synology's defaults are slightly more conservative, but a misconfigured Synology is just as vulnerable. The security of your NAS depends on your configuration, not the brand. Follow the steps in this guide regardless of which brand you own. For a full comparison, see our Synology vs QNAP guide.
Do NAS snapshots protect against ransomware?
Yes, snapshots are one of the most effective defences against ransomware. A snapshot is a read-only point-in-time copy of your data. If ransomware encrypts your active files, you can roll back to a clean snapshot taken before the infection. However, snapshots are not a complete solution on their own. If an attacker gains full administrator access to the NAS, they could potentially delete snapshots before encrypting data. This is why disabling the default admin account, using 2FA, and maintaining offsite backups are all essential alongside snapshots. Immutable snapshots (available on Synology Btrfs and QNAP ZFS volumes) provide stronger protection as they cannot be deleted even by administrators.
Should I use QuickConnect or myQNAPcloud for remote access?
For maximum security, no. QuickConnect and myQNAPcloud are convenient but they expose your NAS login interface to the internet, even if indirectly through relay servers. A VPN is the more secure option for remote access. If you must use QuickConnect or myQNAPcloud, ensure you have a strong unique password, 2FA enabled, auto-block active, and the default admin account disabled. Also limit which services are exposed through these relay services. You do not need to expose the full admin interface remotely if you only need file access.
How often should I update my NAS firmware?
Enable automatic updates if your use case allows it. Most NAS ransomware exploits target known vulnerabilities that have already been patched. The window between vulnerability disclosure and exploitation is days, not months. If you cannot use automatic updates (some business users prefer testing updates first), check for updates at least weekly. Both Synology and QNAP release security advisories when critical vulnerabilities are discovered. Subscribe to these advisories so you are notified immediately.
Is it safe to access my NAS remotely while on an Australian NBN connection with CGNAT?
CGNAT does not make your NAS less secure; if anything it makes the NAS harder for attackers to reach directly, because no public IP address points at your router. It does, however, prevent traditional VPN server hosting and port forwarding. For remote access behind CGNAT, use Tailscale or ZeroTier, which build encrypted peer-to-peer tunnels that traverse NAT without opening inbound ports and fall back to the provider's relay servers when direct traversal fails. Both are compatible with Synology and QNAP NAS devices and are straightforward to set up.
What is the best offsite backup option for a NAS in Australia?
For most Australian NAS owners, Backblaze B2 with Object Lock is the best balance of cost, reliability, and ransomware protection. Object Lock makes your backups immutable for a defined period, meaning ransomware cannot overwrite or delete them. Synology C2 is a good option if you want a single-vendor solution with built-in versioning. Wasabi is another option with immutable storage at competitive per-TB pricing. For all cloud backup, factor in NBN upload speeds. The initial seed of a large NAS can take weeks on typical Australian upload speeds. See our 3-2-1 backup guide for a detailed comparison.
Not sure which NAS suits your security and storage needs? Our buying guide covers every model available in Australia with current pricing.
Read the Best NAS Australia Guide →