QNAP has been targeted by ransomware more than any other NAS manufacturer. DeadBolt ransomware hit QNAP devices in January 2022, June 2022, and September 2022 — three waves in nine months. Qlocker ransomware hit in April 2021, encrypting files using 7-Zip. eCh0raix ransomware targeted QNAP in 2019, 2020, and 2021. In each attack, thousands of devices were encrypted and users lost data. QNAP's response was slow — in the DeadBolt attacks, QNAP pushed a forced firmware update that removed the ransomware's unlock interface, meaning victims who were about to pay for decryption keys lost that option too. The most ransomwared NAS brand in history.

Firmware analysis reveals 11 hardcoded cloud endpoints the NAS regularly contacts: quickconnect.to, checkip.synology.com, update.synology.com, autoupdate.synology.com, insight.synology.com, account.synology.com, and others. QuickConnect routes NAS traffic through Synology relay servers when direct connection fails — the relay server uses Synology SSL certificates and can decrypt traffic in transit. Active Insight uploads system health metrics to Synology cloud. Package Center connections reveal what services users run. The "local" NAS phones home to at least 11 Synology servers.

Synology's QuickConnect feature — the primary way most users access their NAS remotely — routes traffic through Synology's relay servers. While the data is encrypted in transit, Synology's servers see the connection metadata: when you connect, from where, and how much data transfers. In 2022, Synology patched critical vulnerabilities (CVE-2022-27624, CVE-2022-27625) allowing remote code execution without authentication on DiskStation Manager. A NAS marketed as self-hosted storage that routes through the manufacturer's cloud and had vulnerabilities allowing unauthenticated remote takeover.