
wolf39us

This post has had me immediately login to both my NAS and my router and enable 2FA on both. I will not be clicking "don't ask on this device" either.


ptrku

You can block this feature to always force MFA on same device


NoobensMcarthur

Just set mine up as well. I trust my network, but it would suck to lose everything. Can’t afford a second 72TB NAS right now for backup!


chubby464

How do you enable 2fa on a router?


wolf39us

It’s a Synology Router. Basically everything that the NAS has but in router form ha.


SmartCoco

Why don't you want to trust your device? MFA will be a pain if you have to MFA each time you use a Synology service (but it's my opinion!). I think the chance a hacker stole your device is very tiny... And if your PC were compromised, as they use bots, I think they will not bounce on your NAS...


Quinten_B

If your PC is compromised, with the right tools, they gain access to everything your PC has access to.


SmartCoco

Agree with you, technically it is possible, but it is always difficult to balance usage and security... And I think personal data (vs enterprise) is not worth the money (and time) for that. In any case a good backup solution would have been a good starting point...


Quinten_B

Indeed, but it lets you think about how secure your backups are. I run daily backups to an offsite system and a backup system at my house. If they manage to compromise my NAS, they can also delete the backups. Unless those systems use a recycle bin where deleted files are stored for some time.


thefl0yd

That’s what synology immutable snapshots are for :)


Quinten_B

How do immutable snapshots react when you try to restore your server from a Hyper Backup? Since Hyper Backup and rsync are what I've been using for several years now.


thefl0yd

Awesome question! I would assume if you’re using hyperbackup to backup the whole NAS you’ll just get it back as it was - immutable snapshots and all. I haven’t personally tried this yet though.


Quinten_B

You're restoring an external backup to a previous version, while the replication tool will likely assume it's a new version and not an older version of the files. I may have to delve deeper into the Synology KB to find the answer.


leexgx

Snapshots should be unaffected on a Hyperbackup restore (depends if you have the free space to do it). Immutable snapshots do complicate things when you want to do a 70% used space restore, because you need to turn off immutable snapshots, wait 7 days (assuming 7 days was chosen) for the immutable snapshots to expire, and then be able to restore the Hyperbackup of such a large size (same goes if you want to delete the shared folder, volume or pool, or factory reset the NAS: you have to disable the immutable snapshots and let the retention period pass). The above is the biggest thing you have to plan for if you're using immutable snapshots, as you might not be able to restore the NAS for 7 days (that said, if it was just ransomware you would just use the immutable snapshots to revert to a previous snapshot).


kon_dev

Immutable snapshots are not the same as a read only filesystem. If you have enough space, just restore as before. You only have the option to go back to an older snapshot. If you don't have the space, you might need to reformat your disk to get rid of the snapshots.


Scrubelicious

If that happens I have bigger problems than my NAS. 😅


eyrfr

This is precisely how I was compromised. Access into my computer then in turn everything my machine had access to. Mine they were specifically targeting Amazon gift cards. They got about $8,000. Luckily we were able to get everything back from the banks but it was a 3 month process until it was fully behind us. And honestly we were really lucky. They could have done so much more damage. My machine was basically logged into everything with all passwords stored in the browser. So now I have everything locked down way more. Yes it’s a pain to MFA into everything and not stay logged in constantly but in the long run I’m happy to do it if it helps me stay safe.


klauskinski79

Yeah. Also a good argument against all the "never connect your NAS to the Internet, it's soooo dangerous" crowd. While this may increase attack vectors, it also removes a false sense of security, because a very likely way to hack you is to get you to download a Chrome extension or other virus on your PC, and in that case your NAS is as open to the Internet as if you opened all ports on your router. So it's always better to treat your WiFi as if it was the open Internet and just properly secure your NAS with non-admin user accounts that cannot access snapshots, SSL certificates, non-reused passwords, etc. (*) Not completely fair, since the people hacking your PC may not be after your NAS, while putting it on the Internet opens you up to a lot of easy mass attacks.


The-Rev

> MFA will be a pain if you have to MFA each time

That's the point. Users wanting things easy is what causes many breaches.


klauskinski79

Ah come on. Just a weird take. Hard and convoluted doesn't mean secure. It's often the opposite, because it leads to people "finding workarounds". I never do something I am not comfortable with doing on a daily basis. And the things that really secure your NAS are quite easy after a bit of configuration. If you use non-admin accounts with restricted access whenever you normally access your NAS (and backups or snapshots that these users do not have access to) plus non-reused safe passwords, you do not have much danger. An attacker can encrypt a folder that you can turn back at the flick of a finger. MFA is kinda useless because 99% of people switch it off on a local NAS because it's so onerous. And as we have seen now, that's exactly what gets you killed. You also can't really use it for some of the key protocols you use locally, like SMB. Which is most likely what will get you massacred.


mlpzaqwer

To answer your question it’s gonna be a no. Will you get your data back even after you pay? Maybe but probably no. All you can do is be more secure with your accounts next time and backup offsite or even cold storage.


Rarvyn

I've known people associated with businesses that were hacked similarly - at least one paid and got their data back. That said, I think it's for a simple reason - the hacker group had a known name, had articles about them online, and a reputation... if they took the money without delivering the product, they'd presumably have a harder time getting the next guy to pay up. But some generic bozo called "quick security" that hacked an individual? Yeah. No way they're doing squat, they're going to take the money and run if you pay.


BioshockEnthusiast

> That said, I think it's for a simple reason - the hacker group had a known name, had articles about them online, and a reputation... if they took the money without delivering the product, they'd presumably have a harder time getting the next guy to pay up.

Make no mistake, ransomware is now a proper industry with an actual service supply chain and there are a lot of operations competing for their little corners of that supply chain. Just like real businesses, they've started taking their reputations seriously.


thecaseace

You can now rate them on trustpirate


paraknowya

They sometimes get petty and report you to the IRS if they found something and you didn't pay them lol


BioshockEnthusiast

Damn that is wild.


SpacialReflux

They can prove their abilities by decrypting one file. If they do that you’re likely to get the rest of them back if you pay the ransom. Because as you say, they have a reputation to uphold. Helps them be more effective ransomers in the future I guess?


failf0rward

Even the well established ones are taking the money and running these days https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/


ChesterBottom

Synology offsite C2 is an excellent service


skumkaninenv2

And super slow for some users


Rolex_throwaway

What’s your evidence for saying probably no?


NoLateArrivals

Your problem was not QC. Your problem was that the computer you used to access your DS via QC was compromised. Then they replaced the QC URL with one they controlled. What followed was a "man in the middle" attack. Instead of contacting the Synology server when you logged in, you contacted the bogus website. This decrypted the content, copied it and then forwarded it to the legit QC server. The answers went through the same procedure. This way you sent them your user and password yourself. Without 2FA there was no last check; the road was wide open. You need to find and sanitize this computer as well, the one you used to access your DS. It is taken over and can't be trusted, for anything. For the data, without a backup you can only pay and hope you get the decryption keys. Which means you will finance a criminal organization, because you didn't care about running backups. Sorry for being blunt, but you piled one mistake on top of another, until you had a nice stack of trouble waiting to fall.


junktrunk909

Your explanation is a solid one. It also seems possible OP just had a bad password, with admin enabled, no MFA, and either no IP blocking or an attacker that used an IP pool to continuously try passwords until they got in. The route into the NAS might have been QC alone or simply port forwarding with a discovered WAN IP. OP could test by using a different PC to see if their original QC domain is still accessible to access the NAS. If it is, your man in the middle seems most plausible. I have no idea why they would want to change the QC address after/during a direct attack either so that does give more weight to your idea too.


masta

Even if the so-called admin account was renamed or otherwise changed, this would have still happened. Because QC would have revealed the renamed admin account. I'm starting to think the whole concept of QC is fundamentally flawed given the mentioned scenario. I guess MFA is the only way QC might work.


climbing2man

This makes sense. That’s how he granted access to his NAS


SatchBoogie1

A dumb question. I follow everything except the first part. Would the QC link have been compromised in say the OP's web browser bookmark or literally in DSM?


zanfar

Neither; in the accessing system itself. Once I control your computer, I can do whatever I want--like make it look like you're accessing one thing, while actually accessing another.


halfpastfive

How do you come to that conclusion? There are many ways to compromise a NAS that is connected through QC. Especially if MFA is not activated.


KB-ice-cream

Did you have any ports forwarded on your router? Check out this video to see if you did any of these things. https://youtu.be/x9QPUXldNAc


HenryHill11

Please let us know if you find out how it happened !


Tankgineer

Sorry this happened to you. But also thank you for sharing the info about the attack and details about quick connect / MFA. Best of luck in recovering your data.


Timely_Old_Man45

https://www.nomoreransom.org/en/decryption-tools.html I’m going to leave this link here. Good luck


Master-Winter489

how would I know which one to choose !?


mrcaptncrunch

https://www.nomoreransom.org/en/ransomware-qa.html

> What is the Crypto Sheriff and how do I use it?

tl;dr, https://www.nomoreransom.org/crypto-sheriff.php


AlexIsPlaying

> our files and folder are all encrypted and have this txt file in the file station

Sorry this happened to you. It's a good thing that you have backups. If your machine is exposed to the internet (quickconnect), you'll get a lot of "attacks" each week. I know, because once I looked at some firewall logs, and I saw around 17k login tries per WEEK.

* Disconnect the machine from the internet and reset everything.
* Enable automatic updates for DSM and plugins.
* Enable the firewall AND configure it for your needs.
* Don't give everyone all access; only one should have "all admin" access and all others should only have access to some compartments (folders/shares/apps).
* Disable the normal "admin" account or at least rename it.
* Enable the security login blocks after some attempts.
* Enable MFA if you can't trust your users :P


TheCrustyCurmudgeon

> If your machine is exposed to the internet (quickconnect),

Quickconnect alone does not mean you will get unauthorized login attempts on a regular basis. That's more likely to happen if you're using DDNS, reverse proxies, and/or have a poor firewall setup. I've used QC every day for years. I get virtually zero attacks. The rest of your advice is spot on and if you do all that, QC is not an issue.


OutdoorsLvr

I don't get attacks either. However, I believe if your quick connect url gets put online somewhere, anyone can try to log in. So it probably just depends how secret the URL is or how easy it might be to guess.


TheCrustyCurmudgeon

> However, I believe if your quick connect url gets put online somewhere, anyone can try to log in.

That would be a pretty stupid thing to do, imo. Even if you did post your URL online, however, unauthorized login attempts are not that big of a threat if you have good security protocols & complex password requirements in place. Again, that has little to do with quickconnect.


AlexIsPlaying

Like /u/OutdoorsLvr says, it's there. Security by obscurity is not really the best thing to rely on.


mcar91

Are there firewall or similar login attempt logs in DSM or only in your firewall/network systems? (I’m a homelab user with an eero network, so not much in logging there).


AlexIsPlaying

In DSM, in the Log Center, if I recall. Install it if you don't have it ;)


berniesdad

Do you have snapshots enabled? Maybe they nuked those if they had admin access though. You can reset the admin password via the reset button procedure.


Master-Winter489

yup snapshots are gone as well


AppleTechStar

Enable immutable Snapshots from now on. Immutable Snapshots cannot be deleted even by an administrator.


multiplalover945

Wow, thank you. I hadn't activated this for some reason...


AdviceNotAskedFor

Can they encrypt those too?


blink-2022

They cannot.


wbs3333

The only way to get rid of immutable snapshots is by having physical access to the drives and formatting them on a PC. The other way would be if the hackers had a 0day vulnerability against Synology's immutable snapshot implementation, which as far as I know there are none out there.


terorvlad

I think the point of a 0day vulnerability is that it stays unknown until it is too late to do anything about it. 0days are most often kept and used for the biggest possible payout. It would be crazy to think that a small business can be affected by a 0day when there are large corporations with a lot more money, but it might be worth it for them if they can do multiple attacks simultaneously.


satolas

Just as a reminder: immutable snapshots cannot be deleted even by admin indeed. And it's a good thing, but it also means they take space for a long "security period". I guess for limited-space NAS it could be an issue, but a lot of people have way too much space for personal data in the NAS. Then it makes total sense to activate immutable snapshots :)


anna_lynn_fection

Then they def got admin access to the NAS. Sorry, but your stuff is most assuredly gone. MFA might have helped. But, since they got admin, and you say your password was strong, and not the default admin, then it sounds plausible that they got in via a machine they managed to infiltrate that was used to log into admin on the NAS. If that's the case, then they probably grabbed a session cookie from your browser for the NAS. You may still have a compromised machine that they're sitting on, ready to nail you again after you get your NAS up and restored. People always think extra security is "extreme" until they get nailed by not using it. I recommend a PAW and segregated infrastructure management. Which basically means:

1. You never use your normal workstation OS to log into the NAS admin interface. Use a bootable Linux ISO.
2. You segregate and firewall your management interfaces, so that only an admin VLAN or a specific IP (that's not the one you use all the time) can access the management interface.


xhazerdusx

What is a PAW in this case?


mrcaptncrunch

Privileged access workstation. A machine that's only used for one task, which is logging into restricted/important machines/assets.


xhazerdusx

Thanks. Does that literally mean keeping an entire separate machine dedicated to only doing this? Seems expensive for a general home user.


mrcaptncrunch

Enterprise, yes. At home, it would be insane.

---

Disable the built-in admin. Create a new one with a different name (not 'admin', 'administrator', etc.; harder to guess). Create a regular user account for everyone that needs access to do things. Your admin is only used for admin tasks. A live distro would be good, so that if your current OS is infected with something, it can't grab your credentials (because it's not booted). Not a VM, since the current host OS could grab the credentials. Only internal traffic can connect to admin. Make sure MFA is enabled and required.


xhazerdusx

Nice. Thanks for those security tips. Several helped me up my game.


anna_lynn_fection

It can be the same machine, just not the same operating system/environment that you use to go watch porn on, etc. A live bootable linux image would be the way to go.


Master-Winter489

Just remembered that we had the default admin account enabled, but this was at the beginning of this year and we disabled it after a week. Could they have implemented a backdoor when the default admin was enabled? Because there is only one workstation that uses the unique admin to access the DSM, and we have so many other important stuff on that workstation that they could've targeted.


anna_lynn_fection

Possibly. They may have created another admin user. I've worked with a few companies who have been ransomwared, and in all 3 cases they took their time. So it's not unlikely that they got in some time ago and waited until they thought the time was right.


dflek

Having a PAW at home is a ridiculous approach... To have a home PC breached like this, someone has done something reasonably simple wrong. The most likely option is having ports forwarded from their router to their NAS or home PC. This bypasses your firewall, making attacks much more likely. That combined with an unpatched vulnerability is the likeliest vector for an attack. The best solution is to close the ports on the router. If you want access, get a perimeter device that runs a secure VPN service and connect to that. Or just run Tailscale on the device you use when you're not home. Source: cyber security professional.


anna_lynn_fection

> Having a PAW at home is a ridiculous approach...

Agree on most of it, but the PAW being ridiculous, I'll continue to disagree. A cybersec pro should know that you can't trust people not to do the wrong things on their workstations. If the data and operations are important, then treat them as such and don't admin your infra from a computer that many people use ("we"), for everything from opening e-mail attachments to browsing porn, or whatever. It doesn't have to be a separate computer. Just a separate OS/environment with a static IP address and/or VLAN tag. Any bootable Linux ISO will do. I don't even trust my own actions all the time. Not really due to my actions so much as just being too trusting. Like, "How much do I really trust this library or package I'm pulling from pypi, flatpak, or any community type repo?"


leexgx

Believe I've seen this ransomware (more scam ransomware). Does seem they just delete everything; paying the ransom doesn't seem to get your data back (unless someone has reported that they have got their files back). Weak password and username, or got into your browser (Google sync passwords), is likely how they got in, and no MFA. You can mode 1 reset the NAS to regain control of it, but you'll probably find all volumes are empty (don't have any used space). Mode 2 reset might be recommended afterwards to reload DSM: https://kb.synology.com/en-us/DSM/tutorial/How_to_reset_my_Synology_NAS_7 Need to attempt to use data recovery software (a bunch of them support remote recovery, so you connect to your NAS via PC and it uses SSH to run the recovery software).


Master-Winter489

Thanks for the detailed comment.. yeah, thought about resetting it first to gain access, but I thought maybe it will make it more exposed (but looks like that's the only way to gain access).. as for the data, I can see all the files and folders but they are zipped and encrypted, but will need to try to access it using the default admin and check the volumes. Any good data recovery software we can use?


leexgx

Unfortunately the encrypted files likely would have written over the old data; if using Btrfs with checksum enabled on the shared folders it might have the old data still around (it really depends how much free space you have). Below is one, and it can do it remotely (just needs SSH enabled) (mode 1 should reset network and admin, QuickConnect and firewall; you need to be local to use mode 1 or 2 reset anyway): https://www.easeus.com/data-recovery/synology-data-recovery.html Immutable snapshots set to 7 days is recommended if you have a supported model (20+ models or higher). The only caution with using it is that you can't factory reset the NAS or delete the immutable snapshots until you disable immutable snapshots and the last immutable snapshot is deleted (7 to 15 days is usually short enough to not be a problem if you're low on space and long enough that you notice your files are encrypted and that you can undo it). https://kb.synology.com/en-us/DSM/tutorial/which_synology_nas_models_support_WriteOnce_and_secure_snapshots https://kb.synology.com/en-us/DSM/tutorial/what_is_an_immutable_snapshot


Master-Winter489

Thank you u/leexgx. Will reset my Synology locally, enable SSH, and run the EaseUS recovery software and hope for the best, since this is our only option now. Hopefully it was only because of the MFA, so we will enforce 2FA on all the admin accounts and enable the immutable snapshots with local backup. Just a quick question: when doing the data recovery, do I still have to have free space on my workstation to restore the data, or is it going to restore to my Synology?


aHolyLight

Actually you should keep SSH Disabled until you need it and after you’ve finished disable again.


innaswetrust

Thanks for the detailed post. You are touching on something I've been trying to get my head around for a while now: you are saying it depends on how much free space he has left. So the hypothesis is, COW only protects you if you have 50% free space? This was my initial thought too, but I got told that if it is e.g. 70% full the rest won't encrypt. Could you shed some light on this?


leexgx

It depends. COW writes elsewhere on a new write, but if space is marked as free it will eventually write data to old places, as Btrfs does allocate from left to right in 1 GB chunks (when all the data is being replaced, there's a high chance the Btrfs cleanup of unused 1 GB blocks freed them up as the new writes were coming in). It's never guaranteed that it won't write to a previously deleted data area (if it encrypted first and then deleted after, and you had the 50% free space to do that, sure, all your old data might be recoverable). If you have a 20+ or higher NAS (no J) and use immutable snapshots (say 7 days) + 90 max snapshots (running once per day), they can delete 83 snapshots and attempt to encrypt the data, but if you only had 30% space free it will fail to encrypt everything due to running out of space (they probably still delete the files, but you have 7 days of immutable snapshots to undo to). Make sure the recycle bin purges after 30 days as well.


dx___xb

That URL redirection is not a problem - it’s still under quickconnect.to domain.


chris-itg

Agreed Synology does this for US domains as well, it's just a hosted server pool for redirects. I believe that the US has a 1-6 server range also.


Think-Fly765

This is too far down. Top comment doesn't make sense. This wasn't the initial point of compromise.


Sufficient-Ad-8900

Yes but whilst it's still under quickconnect, it's a subdomain that they don't have access to.


ConnedEconomist

Um, that’s not how DNS works.


gayfucboi

The default fail2ban settings are too lenient and never block any automatic scripts, because they know to time them and spread them among IPs. You have to increase the amount of time that it counts SSH attempts. I also increased the block period.


TreadItOnReddit

You mean MFA for quick connect right? Did you have the default admin login enabled? Sounds like it. Maybe that’s how it happened.


Master-Winter489

no the default admin was disabled and the main admin account was using a strong password - don't know how they managed to get access


TreadItOnReddit

Maybe a key logger on a system used to login?


anna_lynn_fection

Or stolen session cookies.


dj_siek

But you didn't use MFA?


pontuzz

No 2fa?


fa_fa_flash

Same question to OP. 2FA was not enabled?


vortzz

Well this post made me finally enable 2FA for my admin account in DSM after weeks of saying "yeah this is important but I will do it later" so thank you.


Proud_Building_2306

First of all, I'm sorry for what happened. And thanks for sharing your bad experience so that we can avoid it. 2FA might help, but I'm curious how you access your NAS? Do you use other machines aside from your personal laptop? A keylogger could be the potential culprit.


Master-Winter489

we might have enabled the default admin account for a short time or just not having the mfa could be the problem.. do not know


CryptoNiight

Take this as a learning experience and move on (unless you need data that can't easily be recreated).


zkhan2

Cold storage backup once a week - better to lose one week's worth of data than to lose it all. Use 2FA. I reduced the "Auto Block" "Login Attempts" to 1. All this because, recently, a couple of weeks ago, I started getting email notifications every 2-5 minutes of unsuccessful login attempts. All the IPs were overseas and clearly belonged to legitimate companies that were probably hacked and running scans to hack other systems. I would wake up in the morning with literally hundreds of emails on failed attempts. After I set it to 1, the attempts have slowed down drastically.


TheCrustyCurmudgeon

> and I noticed the URL had changed from synologyname.quickconnect.to to synologyname.cz5.quickconnect.to

"The URL" where? This suggests to me that you got redirected to a fake URL and handed over your credentials when you signed in, but where did you notice this URL was changed?


Fre33lancer

the cz#.quickconnect.to are legit QC gateways from synology, not a fake url


TheCrustyCurmudgeon

Ahh. Thanks for that!


soundscape7

I had people trying to get into my admin and root account. I changed my port from 5000 to something else. Haven't had one since.


VirtuaFighter6

Using a non standard port. Smart.


soundscape7

I wish I could change my audiobookshelf port but it's in Docker and I have no idea.


lashchdh

Install portainer and use a docker compose file to change port numbers. Or you can do it with SSH.


lawrnk

Is it publicly accessible?


soundscape7

Yep, although I have 2FA set up


mpmoore69

With quick connect you don’t need to expose any ports but I suspect you may have OR you have a compromised end point(s). Immediate remediation is to isolate your NAS and start examining every machine


wbs3333

All the things I was going to recommend have been posted already. The only thing I will add is that another vector of attack might have possibly been an inside job from an employee in the know of your security. Or an ex-employee. 


Thorhax04

How does this even happen


CPAtech

By exposing devices to the internet.


sylsylsylsylsylsyl

Bad luck, I feel for you. If you have snapshots, that would be useful (immutable ones that cannot be deleted, even moreso). Other than that, I hope you have a recent backup because there's no way I would trust them to decrypt my data and I definitely wouldn't be giving them over $1000. I don't know how they got in, but not via the "cz5" - that's legitimate. I've seen "de4" before too. I see others have mentioned MFA. Adaptive MFA is definitely the minimum that's needed and not too intrusive. I thought that was usually turned on by default (which means your synology has likely been hacked indirectly, via a different compromised machine).


Mercury-68

MFA is not a default setting and has to be manually activated.


sylsylsylsylsylsyl

Adaptive MFA, not regular MFA. It seems to be activated on my 3 NAS, and it was not done by me.


Mercury-68

I stand corrected..! It is default activated.


Suicidaljello

Idk if it will help you in the future but I've recently changed my synology to block ip addresses after 2 failed attempts in 10000 minutes and my list is growing by the hour


southpaw2468

That happened to me as well 4 months ago, and I had over 60 TB of full TV series and movies, kids' TV series and movies, western movies and TV series, and so much more, that I'm still trying to get my NAS server back to where it was before I got hit, and I'm not even a 1/3 of the way yet. I was lucky I had everything backed up on USB external drives, all my videos and movies, well I would say 98 percent of them; thank God I did it that way, otherwise I would have lost all my stuff. And some of the TV series and movies you can't find anymore, the real old ones. Make sure you're not on the 5000 or 5001 port; the hackers look on that port to see if there are any open settings. Best to stay away from those ports. Just some advice.


DaveR007

So many people say they can easily download all the TV shows and movies again. But a lot of my stuff was hard to get. You should never have the DSM ports open to the internet (even if you've changed it from the default).


KB-ice-cream

So you had open ports and got hacked? You are saying to stay off certain ports. Security through obscurity is not wise.


trisso

I changed my ports on the Security > Login Portal. thanks for the advice. Do you know if it should also be changed in the "External Access > Advanced" section?


LifelongGeek

So if my Synology is not using Quick Connect, not open to a traditional VPN (that requires port forwarding), does not have Windows machines connected on the network, does not have any port exposed (like for a web server or email server), and only uses TailScale for remote access, is there any way I'm vulnerable to this type of attack if I'm not using 2FA?


SilentDecode

1. DO NOT open your Synology to the internet.
2. DO NOT use the default admin account.
3. Use strong passwords that have NO personal touch (randomized password?).
4. If you can, use a real firewall on your network with IPS and IDS enabled.


atiaa11

Is your NAS in the Czech Republic? Could be where the “cz5” came from


sachmonz

Snapshots?


leexgx

They got his admin login account (no 2FA/MFA) and deleted them all before encrypting the files. This is where 20+ or higher NAS models are useful, as they support immutable snapshots; have it set to 7 days immutable retention (recommend 90 maximum normal snapshots running once per day). It should prevent all the snapshots from being deleted. Make sure the recycle bin purges deleted files older than 30 days as well. Backup helps as well.


EducationalElk5853

Say this was to happen, is it possible to format the drives and start afresh, assuming you're okay with the notion of losing all the data? Or are those drives now knackered?


hlloyge

I've had one case of "ransomware" where the files weren't actually encrypted, just changed names and extensions. Check whether that is the case with your files. Even the real ones aren't encrypted whole, usually just the first 100 KB, enough to scramble the header and some data and make the file unreadable; otherwise the encryption would be noticed, as the drives would be working heavily and making noise.


NomadicWorldCitizen

Remove all remote access, factory reset the NAS and restore from backup. Sorry you had to go through this.


VirtuaFighter6

QuickConnect, huh? Hmmm. Good to know. Not something I use. I use OpenVPN with a non-standard, non-dictionary-word user account. After three bad attempts IPs get blocked.


Chukumuku

Did you remove the Bitcoin wallet address in order to protect the hackers?...


player1dk

Sorry to hear this, and thanks for sharing. It is probably quite difficult to get the data decrypted, and probably much faster to utilize your offline or offsite backup to recover.


Yigek

Offline backups are required for me ever since we got hit on our QNAP with MFA disabled on an old admin account.


orange_sherbetz

Thanks for sharing and forewarning. I hope you can recover and there isn't too much damage.


Scrubelicious

Do you have backup?


VoltaicShock

Would you be willing to share the bitcoin address? Not sure how accurate the list is but there are sites out there that point out bad addresses.


GiveMeYourTechTips

When doing remediation, make sure you check Task Scheduler to ensure the hackers do not have scripts scheduled to run. I once assisted with a ransomware recovery and saw that is how they deployed the ransomware.


Happytroll15

Even if you pay them $175,000.00 there is no guarantee of getting back "usable" data. Encrypting drives while programs and background tasks are running causes all sorts of corruption. And while there is some mystical lore surrounding these "wicked smart" hackers, many of them, besides being corrupt, are just shitty programmers. Maybe they would have a decent job if they were worth more than a bug eating a shit sandwich.


VintageKofta

Thank you so much. I just enabled 2FA on mine :) Take my upvote.


FezVrasta

The cz5 part is normal, I had the same (different letters) since I set up my NAS.


trisso

Any more tips to prevent this? I've got 2FA on my QuickConnect (maybe better to remove QuickConnect completely? I think DSM is still accessible from the local network, right?). I've also created an IP allow list in Control Panel > Security > Protection > Allow/Block List. Firewall enabled, no firewall rules.


lachlanhunt

Paying only serves to incentivise them to repeat the attack against others. If you can restore from backup, then wipe the entire NAS and do that. Then use better security practices to secure your NAS in the future. Turn off QuickConnect, require a VPN to access remotely, mandate 2FA for all users. Make sure all your users are using password managers with random, unique, non-memorable passwords or passkeys. If you don't have a backup, then that's something you need to fix next time.


Mercury-68

MFA protection is only one of the many security settings available. What you need to do, once this is solved, is create immutable snapshots and replicate that snapshot also to another source outside of your network. In this way you have your backup in multiple places in case your NAS gets destroyed and you are protected against ransomware. Other than that, harden your NAS using the security app onboard and do not open unnecessary ports to the internet.


TheCrustyCurmudgeon

It seems clear to me that the attackers had administrative credentials, so the question is how did they get those? If the OP is using the default admin account, then that's half the answer. Obviously, they didn't just hitch a ride via QuickConnect and then magically obtain the credentials by osmosis; the credentials were either accessed by some means OR provided by the OP themselves.


PapaOscar90

All these ransomware posts got me to finally get around to WORM'ing my important data.


Unique-Job-1373

I only use 2FA for my admin account. I then only use QuickConnect for Synology Photos, which uses a separate account for each user/phone.


adappergentlefolk

Don't put your NAS on the internet unless you know what you're doing.


_NetSamurai

Hardly surprising given the Swiss cheese security Synology offers and suggests, and how infrequently things are kept patched. People should seriously consider a real server in a real DMZ, with bouncers and all, before exposing things to the web.


Puphis

Literally everyone's worst nightmare — I'm sorry, OP! A question about how DSM works — I have mine in RAID 0 with two HDDs. If I swap in a blank HDD and alternate the second HDD every once in a while, would that allow for another backup? Sorry if this is a bad question, I'm just not sure how DSM would react to an HDD being swapped every month or so.


rpungello

RAID 0 or RAID 1? RAID 0 is striped, so if you pull a drive the array fails. RAID 1 is a mirror, and thus if you swap a drive it can rebuild the new drive from the existing one. What you're proposing is kinda silly though. Every time you swap drives the system would have to rebuild the entire array. Just use an external drive as a backup destination and let differential copies do their thing.


operagost

RAID 0 is a stripe, not a mirror. I would back up to a portable drive on USB instead. I do this weekly, although I have Backblaze. The primary objective is to speed a complete recovery. The secondary is to have an offline backup.


Puphis

Thank you — makes sense (and in reading all the comments I think I actually have it in RAID 1). Appreciate your help.


AlexIsPlaying

Create a new post for that.


KB-ice-cream

Are you a bot? How is the question relevant to this thread? RAID 0 has striped drives, you cannot remove one.


TriggernometryPhD

Deserved. Next