
Synology and QNAP NAS Ransomware: 2026 Recovery and Prevention

DeadBolt QNAP attacks, eCh0raix on Synology, Qlocker: recovery from Hyper Backup snapshots, immutable configuration, isolation, restoration and hardening.

By Eric Gerard · Editor · Save My Disk · 13 min read · Photo via Unsplash

Consumer and SMB Synology and QNAP NAS devices have ranked among the most profitable targets for ransomware groups since 2019. They combine compact form factors, large storage capacity, often-default configurations and, crucially, direct Internet exposure through UPnP or port forwarding set up to allow remote access from home or the office. The outcome is documented: DeadBolt, eCh0raix and Qlocker campaigns have infected more than 30,000 devices according to Censys and Shadowserver counts, with a marked acceleration between 2022 and 2026.

This guide explains how these attacks work, how to react in the minutes following an infection, how to restore from built-in snapshots (Synology BTRFS, QNAP ZFS) and how to harden a NAS so it stops being an easy target.

Why consumer NAS devices are massively targeted

Three factors have converged since 2019:

  1. Direct Internet exposure. The typical usage pattern for a family or SMB NAS is to enable remote access for photos or documents from outside the home network. Router UPnP automatically opens ports 5000/5001 (Synology DSM) or 8080/8443 (QNAP QTS) without any manual step. Ransomware operators continuously scan these ports — a full IPv4 sweep takes less than 30 minutes with a Masscan cluster.
  2. Recurring application vulnerabilities. Photo Station, Hybrid Backup Sync, Container Station, Surveillance Station and third-party packages regularly introduce critical CVEs. Many users delay automatic updates for fear of breaking a working configuration.
  3. Weak default configurations. Default admin account enabled, simple password, 2FA disabled, SSH open, no IP auto-block — still the norm for the majority of consumer NAS devices installed before 2023.

The result is an industrialised hunting ground. The DeadBolt and eCh0raix groups operate in automated mode: scan, exploit, encrypt, ransom — without human intervention between the scan and the encryption.

DeadBolt: the most violent QNAP campaign

DeadBolt appeared in January 2022. Its trademark: the group directly hijacks the QTS login screen on the NAS to display the ransom note — the user can no longer access their own NAS, and the interface they see is the attackers'.

Infection vector: exploitation of CVE-2022-27593 (external file reference vulnerability in Photo Station allowing remote code execution). A variant also exploited a flaw in QNAP QTS itself.

Mechanism: AES-256 encryption of user files, .deadbolt extension appended, selective deletion of UI-accessible snapshots. The binary does not touch the QTS firmware itself.

Demand: 0.03 BTC per NAS (around USD 1,200 in 2022, up to USD 2,800 at the 2024 Bitcoin peak). Unusual escrow procedure: payment is sent directly to a Bitcoin address shown in the hijacked QTS UI, and the decryption key is later returned via a Bitcoin transaction containing an OP_RETURN.

Documented impact: more than 12,000 QNAP NAS infected according to Censys at the January-March 2022 peak, roughly 4,900 additional devices on the September 2022 wave, residual waves through 2023-2024. Dutch police intervened in October 2022 and seized 155 DeadBolt keys by simulating payments then cancelling the Bitcoin transactions before attacker-side confirmation — revealing a procedural weakness in the group.

QNAP pushed a forced security QTS update in February 2022 to all registered devices. Any NAS without Internet access or not registered remained vulnerable.

eCh0raix / QNAPCrypt: the long-lived Synology and QNAP strain

eCh0raix (also called QNAPCrypt) appeared in 2019 and remains active in 2026. Unlike DeadBolt, eCh0raix targets both Synology and QNAP, and uses several infection vectors in parallel.

Vectors:

  • SSH brute force on admin accounts with weak passwords.
  • Web UI brute force (DSM, QTS) with dictionaries.
  • Exploitation of application CVEs (HBS3 on QNAP, Photo Station, older DSM versions).
  • Phishing targeting administrators with malware dropping an SSH key.

Mechanism: AES encryption via the Go crypto library, .encrypt extension appended, README_FOR_DECRYPT.txt or README_HOW_TO_DECRYPT.txt dropped in every affected folder. Sub-kilobyte files and system files are skipped.

Demand: variable per strain, between 0.024 and 0.06 BTC. Payments flow through Tor infrastructure.

Technical quirk: the group long reused a single master key across multiple victims, which allowed Emsisoft to publish a free decryptor in 2019 for the earliest variants. Versions from mid-2020 onward use uniquely generated keys — no free decryptor exists for modern strains.

Qlocker: the April 2021 lightning attack

Qlocker landed in April 2021 and became notorious for its brutal simplicity. The ransomware had no proprietary encryption mechanism: it simply used 7-Zip (the 7z binary installed by default on QNAP) to archive user files into password-protected .7z archives.

Vector: exploitation of CVE-2021-28799 in Hybrid Backup Sync (HBS3), allowing unauthenticated administrator access.

Mechanism: a script ran 7z a -p<password> -mx1 archive.7z files/ for each user folder, deleted the originals and dropped !!!READ_ME.txt. Very fast (compression level 1), very effective, fully reversible if the password can be recovered.

Demand: 0.01 BTC per NAS (~USD 500 in April 2021). Execution speed and the modest ransom led many victims to pay — Emsisoft documented hundreds of payments within a week.

Group weakness: several researchers found a leak in the Tor payment server allowing the password to be retrieved without paying, by analysing HTTP headers. The group shut down its site one week after the campaign started.

Cl0p Synology variants and 2023-2025 campaigns

Between 2023 and 2025, several campaigns specifically targeted exposed Synology DSM devices:

  • Cl0p Synology (Linux variant of the Cl0p ransomware): Synology DSM targeting via exposed SMB services in Q4 2023.
  • Cheers / Cheerscrypt: Linux/QNAP adaptations of strains originally aimed at VMware ESXi.
  • eCh0raix reruns: periodic campaigns in 2024-2025 exploiting CVE-2023-39296 on DSM 7.2.

The common thread: every campaign exploited either an unpatched application CVE or a weakly protected admin account. No campaign exploited a zero-day on the DSM or QTS kernel itself — defences are almost always won at the configuration and exposed-package level.

Key CVEs to track

The following CVEs have been actively exploited in recent NAS ransomware campaigns:

  • CVE-2024-32962: QNAP QTS and QuTS hero, privilege escalation through a flaw in the network share management module. Patched in May 2024.
  • CVE-2023-39296: Synology DSM 7.2, authentication bypass through a flaw in the Web Station component. Patched in September 2023.
  • CVE-2022-27593: QNAP Photo Station, remote code execution via external referenced file (unauthenticated RCE). Primary vector of the first DeadBolt wave.
  • CVE-2021-28799: QNAP Hybrid Backup Sync (HBS3), broken authentication allowing admin access without credentials. Primary vector of Qlocker.

If you run a NAS that has not received the associated patches, consider the appliance compromised or pre-compromised.

Comparing the three main families

Family | Infection vector | Mechanism | Demand | 2026 decryptor status
--- | --- | --- | --- | ---
DeadBolt | CVE-2022-27593 (QNAP Photo Station), QTS CVEs | AES-256 encryption, .deadbolt extension, hijacked QTS UI | 0.03 BTC | Partial: 155 keys seized by Dutch police, distributed via No More Ransom
eCh0raix / QNAPCrypt | SSH brute force, HBS3 CVE, DSM exploits | AES encryption via Go crypto, .encrypt extension, README_FOR_DECRYPT.txt note | 0.024 to 0.06 BTC | Emsisoft decryptor for 2019 to mid-2020 strains only
Qlocker | CVE-2021-28799 (QNAP HBS3) | 7-Zip archiving with password, .7z extension | 0.01 BTC | No official decryptor; recovery possible via leaked Tor server passwords

Emergency procedure: the first 30 minutes

Step 1 — Cut Internet without touching the NAS

Log into your Internet router. Disable:

  • All port forwarding rules pointing to the NAS local IP.
  • Automatic UPnP.
  • DMZ exposure rules if any.

Active encryption stops because most modern strains communicate with a C2 server to fetch or store keys. Do not cut NAS power: RAM may still contain clear-text encryption keys, recoverable by a forensic analyst with a memory image.

Step 2 — Local SSH access for diagnosis

From a PC on the LAN (never from the Internet), open a terminal:

# Connect to the NAS on the local network
ssh admin@192.168.1.100

# List top-level shares to identify the ransomware extension
ls -la /volume1/    # Synology DSM
ls -la /share/      # QNAP QTS / QuTS hero

# Count how many files are encrypted (adjust extension)
find /volume1 -name "*.deadbolt" | wc -l
find /volume1 -name "*.encrypt" | wc -l
find /volume1 -name "*.7z" -newer /etc/hostname | wc -l

# Read the ransom note
find /volume1 -name "README_FOR_DECRYPT*" -exec cat {} \;
find /volume1 -name "!!!READ_ME*" -exec cat {} \;

# List suspicious running processes
ps -ef | grep -iE "encrypt|7z|deadbolt"

# Check existing snapshots (QNAP QuTS hero)
zfs list -t snapshot

# Check Synology snapshots (BTRFS)
sudo btrfs subvolume list /volume1

The goal is not to repair but to document: identify the extension, the family, the encryption pattern, the scope (how many files, how many shares affected).

Step 3 — Precise identification via ID Ransomware

Download an encrypted file (small size) and the ransom note onto a clean PC. Upload both to ID Ransomware — the MalwareHunterTeam tool covers every known NAS strain. Our ID Ransomware guide details the procedure.

Precise identification tells you whether a free decryptor exists (DeadBolt with the 155 seized keys, older eCh0raix strains).

Step 4 — Check snapshot status

On Synology DSM:

  1. DSM → Snapshot Replication → Snapshots tab.
  2. List existing snapshots per share.
  3. Identify the most recent snapshot dated before the encrypted files appeared.

On QNAP QTS / QuTS hero:

  1. QTS → Storage & Snapshots → Snapshot Manager.
  2. List snapshots per volume.
  3. On QuTS hero (ZFS), snapshots generally resist an attacker who does not hold the dedicated role.

If clean snapshots exist, the recovery path is clear. Otherwise, see the DFIR section below.
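Steps 2 and 4 above boil down to two questions: how far did the encryption spread, and which snapshot is the newest one that still predates it. The following script is an added example, not part of the original guide or of any Synology/QNAP tooling. It assumes a GNU or busybox `stat -c %Y` (present on DSM and QTS), POSIX awk, and a snapshot list you transcribe by hand from Snapshot Replication or Snapshot Manager into a tab-separated "name, epoch" file. The `demo` function builds a constructed directory tree standing in for /volume1, with arbitrary timestamps.

```shell
#!/bin/sh
# Added example: scope an infection from the LAN-side SSH session and pick
# the newest snapshot that predates the first encrypted file.
# Assumptions: GNU/busybox `stat -c %Y`, POSIX awk, GNU `touch -d @epoch`
# (the latter only for the constructed demo data).

# Extensions appended by the families described in this guide. Qlocker's
# .7z is deliberately left out: legitimate archives share that extension,
# so key on !!!READ_ME.txt or the `-newer` trick from step 2 instead.
RANSOM_EXTS="deadbolt encrypt"

# count_ext DIR EXT: number of files under DIR ending in .EXT
count_ext() {
  find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}

# earliest_encrypted_epoch DIR: mtime (epoch seconds) of the oldest file
# carrying a ransom extension, i.e. the latest point at which encryption
# can have started. Prints nothing if no such file exists.
earliest_encrypted_epoch() {
  for ext in $RANSOM_EXTS; do
    find "$1" -type f -name "*.$ext" -exec stat -c %Y {} \;
  done | sort -n | head -n 1
}

# last_clean_snapshot LISTFILE CUTOFF: LISTFILE holds "name<TAB>epoch"
# lines, one per snapshot; prints the newest snapshot strictly older
# than CUTOFF, or nothing if every snapshot is newer.
last_clean_snapshot() {
  awk -F'\t' -v cutoff="$2" '
    BEGIN { best = 0 }
    ($2 + 0) < (cutoff + 0) && ($2 + 0) > best { best = $2 + 0; name = $1 }
    END { if (name != "") print name }' "$1"
}

# demo: constructed tree and constructed snapshot list (arbitrary epochs).
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/photos"
  touch -d @1710000000 "$root/photos/holiday.jpg"         # untouched file
  touch -d @1710003600 "$root/photos/kids.jpg.deadbolt"   # first encrypted
  touch -d @1710007200 "$root/photos/party.jpg.deadbolt"
  printf 'snap-a\t1709990000\nsnap-b\t1710002000\nsnap-c\t1710005000\n' \
    > "$root/snaps.tsv"

  echo "encrypted (.deadbolt): $(count_ext "$root" deadbolt)"
  cutoff=$(earliest_encrypted_epoch "$root")
  echo "encryption started no later than epoch $cutoff"
  echo "restore from: $(last_clean_snapshot "$root/snaps.tsv" "$cutoff")"
  rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh scope.sh demo` to see the constructed case; on a real NAS, call `earliest_encrypted_epoch /volume1` (or `/share`) and feed the result to `last_clean_snapshot` with your transcribed list. The cutoff is a latest-start bound, not an exact start time, because the ransomware may have begun with files it skipped or with files you have not enumerated, so prefer a snapshot with some margin before it.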

Snapshot-based restoration

Synology Snapshot Replication (BTRFS)

Synology snapshots rely on BTRFS copy-on-write and are disabled by default on EXT4 volumes. First check your volume format:

  • DSM → Storage Manager → Volume tab → format displayed.
  • If EXT4: snapshots are not available. See the Hyper Backup section.
  • If BTRFS: snapshots can be enabled and are probably already present if you followed Synology recommendations.

Restoration procedure:

  1. DSM → Snapshot Replication → Recovery tab.
  2. Select the affected share.
  3. Select the snapshot dated before the attack.
  4. Choose Restore → confirm.

Restoration runs at share level. A rollback point is created before restoration, making the operation non-destructive.

To make snapshots resistant to an attacker holding DSM admin:

  • Enable immutable / read-only mode on snapshots (DSM 7.2+).
  • Configure long retention (30 days minimum) with automatic scheduling.
  • Restrict which admin accounts can manipulate snapshots.

QNAP snapshots (ZFS on QuTS hero, EXT4 on QTS)

On QuTS hero, the ZFS filesystem provides robust snapshots by construction:

  1. QTS → Storage & Snapshots → Snapshot Manager.
  2. Select the volume.
  3. Snapshot list → right-click the pre-attack snapshot → Revert.

On classic QTS with EXT4, snapshots are managed by a dedicated module and are less robust than ZFS snapshots. The restoration procedure is similar but isolation against an admin-level attacker is weaker.

Configure Block-Based Snapshot with 30 days minimum retention and enable snapshot replication to a second NAS or an immutable cloud through HBS3.
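A schedule that was configured once is not the same as a schedule that is still running with the retention promised above. The check below is an added example, not part of the original guide or of any vendor tooling: it takes a constructed tab-separated "name, epoch" list transcribed from Snapshot Replication or Snapshot Manager and reports whether the oldest snapshot is at least the minimum age, whether the newest one is fresh, and whether there are holes in the sequence. Immutability is a UI setting and is not verified here; the thresholds (30 days, 24-hour interval) are the ones this section recommends.

```shell
#!/bin/sh
# Added example: verify that a snapshot list delivers the recommended
# retention. Input is a constructed "name<TAB>epoch" file; assumes POSIX awk.

# check_snapshot_retention LISTFILE NOW MIN_DAYS MAX_GAP_HOURS
# Prints "OK", or one FINDING line per problem, and returns 1 on findings:
#   - oldest snapshot younger than MIN_DAYS (retention too short)
#   - newest snapshot older than MAX_GAP_HOURS (schedule stopped running)
#   - a gap between consecutive snapshots longer than MAX_GAP_HOURS
check_snapshot_retention() {
  awk -F'\t' -v now="$2" -v min_days="$3" -v max_gap_h="$4" '
    { name[NR] = $1; epoch[NR] = $2 + 0 }
    END {
      bad = 0
      if (NR == 0) { print "FINDING: no snapshots at all"; exit 1 }
      # insertion sort by epoch; snapshot lists are short
      for (i = 2; i <= NR; i++) {
        v = epoch[i]; n = name[i]; j = i - 1
        while (j > 0 && epoch[j] > v) {
          epoch[j + 1] = epoch[j]; name[j + 1] = name[j]; j--
        }
        epoch[j + 1] = v; name[j + 1] = n
      }
      oldest_days = (now - epoch[1]) / 86400
      if (oldest_days < min_days) {
        printf "FINDING: oldest snapshot %s is %.1f days old (< %d)\n", name[1], oldest_days, min_days
        bad = 1
      }
      newest_h = (now - epoch[NR]) / 3600
      if (newest_h > max_gap_h) {
        printf "FINDING: newest snapshot %s is %.1f h old (> %d h)\n", name[NR], newest_h, max_gap_h
        bad = 1
      }
      for (i = 2; i <= NR; i++) {
        gap_h = (epoch[i] - epoch[i - 1]) / 3600
        if (gap_h > max_gap_h) {
          printf "FINDING: %.1f h gap between %s and %s\n", gap_h, name[i - 1], name[i]
          bad = 1
        }
      }
      if (!bad) print "OK"
      exit bad
    }' "$1"
}

# demo: a healthy daily schedule beside a sparse, manual one (constructed).
demo() {
  t=$(mktemp -d); now=1712000000
  i=0; : > "$t/daily.tsv"
  while [ "$i" -le 31 ]; do
    printf 'daily-%s\t%s\n' "$i" "$((now - i * 86400))" >> "$t/daily.tsv"
    i=$((i + 1))
  done
  printf 'manual-1\t%s\nmanual-2\t%s\n' "$((now - 5 * 86400))" "$((now - 3600))" \
    > "$t/sparse.tsv"
  echo "daily schedule:";  check_snapshot_retention "$t/daily.tsv"  "$now" 30 24 || true
  echo "sparse schedule:"; check_snapshot_retention "$t/sparse.tsv" "$now" 30 24 || true
  rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

In practice pass `$(date +%s)` as NOW and run the check from a cron job on a separate machine, so that a ransomware operator who has deleted the snapshots (as DeadBolt does with UI-accessible ones) triggers a "no snapshots at all" or "newest snapshot too old" finding rather than silence.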

Hyper Backup Synology and HBS3 QNAP: the layer above snapshots

Snapshots stay local. For defence in depth, add a versioned off-site backup:

Synology Hyper Backup:

  • Backup to Synology C2, Backblaze B2, Wasabi, Amazon S3, OneDrive, Google Drive.
  • Client-side AES-256 encryption.
  • Configurable versioning (up to 256 versions).
  • Immutable mode available on C2 and B2 through Object Lock — an attacker who controls DSM cannot delete locked versions.

QNAP HBS3 (Hybrid Backup Sync):

  • Same destinations.
  • Note: this is the package containing the Qlocker CVE (CVE-2021-28799). Keep it strictly updated.
  • Immutable configuration supported on S3-compatible destinations.

For an SMB, combining local snapshot + Hyper Backup or HBS3 to immutable cloud + a cold copy on a rotating external disk constitutes a robust 3-2-1 strategy.


What to do without snapshot or backup

The hardest case: a NAS on EXT4 without snapshots and without Hyper Backup. Two remaining paths.

Forensic recovery from disk image

Remove the disks from the NAS and connect them to a Linux or Windows PC:

  • DiskInternals Linux Reader (Windows) reads Synology EXT4 and BTRFS volumes in read-only mode.
  • R-Studio NAS recognises Synology Hybrid RAID (SHR) and QNAP volume configurations.
  • EaseUS Data Recovery mounts images and scans by signature: can retrieve unencrypted fragments of files (ransomware often writes the encrypted file into a new inode and marks the previous one as free — the previous content remains readable until overwritten).

The complete method is detailed in our post-ransomware recovery guide.

Free decryptors

If the strain is DeadBolt, first try the 155 keys seized by Dutch police and redistributed through No More Ransom. For 2019-mid 2020 eCh0raix strains, the Emsisoft tool is free. For modern strains, no public decryptor exists as of this writing.

Post-incident hardening

Once the NAS is restored, never put it back on the Internet in the same configuration. Minimum hardening list:

  1. Disable UPnP on the Internet router and on the NAS.
  2. No direct port forwarding to the NAS. If remote access is required: VPN (WireGuard, OpenVPN or the built-in DSM VPN server / QNAP QVPN).
  3. Reverse proxy with IP allowlist if exposure is strictly necessary for a business service.
  4. Mandatory 2FA on all admin accounts (TOTP minimum, ideally FIDO2 keys supported by DSM 7.2+ and QuTS hero).
  5. Disable the default admin account, create a personal admin account with a different name.
  6. IP auto-block after 3 failed attempts on web UI and SSH.
  7. SSH disabled by default, or key-only authentication (no password).
  8. DSM / QTS auto-update enabled, exposed packages (Photo Station, HBS3, Container Station) kept strictly up to date.
  9. Immutable snapshots with 30 days minimum retention.
  10. External 3-2-1 backup: 3 copies of data, on 2 different media, with 1 off-site and immutable. For a family NAS: local snapshot + Hyper Backup to C2 or Backblaze B2 + rotating external disk.
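Item 7 (SSH off, or key-only) is the one most easily undone by a later convenience change, and eCh0raix's primary vector is exactly SSH password brute force. The audit below is an added example, not part of the original guide or of any vendor tooling: it reads an sshd_config and reports the settings that would let a password guess succeed. It follows sshd's rule that the first occurrence of a keyword wins, and it stops at the first Match block because conditional blocks are not evaluated here (a simplification, labelled as such). The weak and hardened configs in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the key-only rule in item 7.
# Assumes POSIX awk. Simplification: lines after the first "Match" are
# not evaluated, since their effect depends on the connecting user/host.

# audit_sshd_config FILE
# Prints "OK", or one FINDING line per weak setting, and returns 1 on
# findings. Defaults used when a keyword is absent are the OpenSSH ones.
audit_sshd_config() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    { gsub(/=/, " ") }                           # allow "Keyword=value"
    tolower($1) == "match" { exit }              # stop at conditional blocks
    {
      k = tolower($1)
      if (!(k in val)) val[k] = tolower($2)      # first occurrence wins
    }
    END {
      bad = 0
      pa = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes"
      if (pa != "no") {
        print "FINDING: PasswordAuthentication is " pa " (want no)"; bad = 1
      }
      pk = ("pubkeyauthentication" in val) ? val["pubkeyauthentication"] : "yes"
      if (pk != "yes") {
        print "FINDING: PubkeyAuthentication is " pk " (want yes)"; bad = 1
      }
      pr = ("permitrootlogin" in val) ? val["permitrootlogin"] : "prohibit-password"
      if (pr == "yes") {
        print "FINDING: PermitRootLogin is yes (want no or prohibit-password)"; bad = 1
      }
      pe = ("permitemptypasswords" in val) ? val["permitemptypasswords"] : "no"
      if (pe != "no") {
        print "FINDING: PermitEmptyPasswords is " pe " (want no)"; bad = 1
      }
      if (!bad) print "OK"
      exit bad
    }' "$1"
}

# demo: constructed weak config beside the hardened one.
demo() {
  t=$(mktemp -d)
  printf '%s\n' '# constructed: typical "just make it work" config' \
    'Port 22' 'PasswordAuthentication yes' 'PermitRootLogin yes' > "$t/weak"
  printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'PermitRootLogin no' 'PermitEmptyPasswords no' \
    'Match User backup' '    PasswordAuthentication yes' > "$t/hardened"
  echo "weak:";     audit_sshd_config "$t/weak" || true
  echo "hardened:"; audit_sshd_config "$t/hardened" || true
  rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On DSM the effective file is /etc/ssh/sshd_config and DSM rewrites parts of it on upgrade, so rerun the audit after every update; if SSH is disabled in the UI, the finding is moot but the config should still be kept clean for the day it is re-enabled. Pair the audit with the IP auto-block from item 6, which limits guesses even where a password path survives.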

The decisive detail: stop exposing the NAS

The repeated lesson from every NAS ransomware campaign since 2019 is the same: NAS devices not directly exposed to the Internet were not hit. No documented case of eCh0raix, DeadBolt or Qlocker infection on a NAS only reachable through VPN.

If you run a family or SMB NAS and remote access is a real requirement, invest 30 minutes to set up a VPN — WireGuard is trivial, works on smartphones, and provides radical protection. The ergonomic trade-off (launching a VPN app before accessing files) is negligible compared with the scenario of a full encryption of a family NAS holding 8 TB of photos.

For a deeper dive on ransomware defence strategy in business environments, see our guide ransomware protection for business 2026 and the best anti-ransomware software 2026 benchmark. If you suspect an active compromise but are unsure how to proceed, start with our diagnostic tool to scope the next steps.
