Is your router vulnerable to the VPNFilter malware?

We’ve been warning you about this scary new malware threat that targets routers and network-attached storage devices. It’s so dangerous that the FBI has issued an urgent request to anyone who owns the affected devices to reboot them immediately.

Scarier still, it is suspected that this malicious attack originates from a Russian government-sponsored hacking group known as Sofacy, aka Fancy Bear. If you recall, this group is also being blamed for various cyberattacks, including serious attempts to disrupt the 2016 U.S. elections.

This malware is such a critical threat because it’s capable of spying, data collection, reinfection and traffic redirection, and it can even render your router unusable!

Read on and I’ll tell you how this malicious software works, what devices are affected and how you can protect yourself from this scary threat.


Revealed last week by Cisco Talos security researchers, the dangerous malware is known as VPNFilter and it has already infiltrated half a million routers in dozens of countries, including the U.S. It’s suspected that the compromised routers will soon be used in a major botnet attack.

Cisco also noticed an uptick in VPNFilter infections in Ukraine, suggesting that a large-scale attack against that country is imminent.

A botnet, to refresh your memory, is a group of gadgets that hackers have quietly taken over to be used as minions in cyberattacks, typically that of the distributed-denial-of-service (DDoS) variety.

Note: DDoS is an attack where a targeted website is flooded by an overwhelming amount of requests from millions of connected machines (collectively known as a botnet) in order to bring it down.

And get this, VPNFilter even has remote self-destruct capabilities! Yep, it can delete itself and render infected routers inoperable in the process.

It’s a multi-stage attack, folks

According to cybersecurity firm Symantec, VPNFilter works in multiple stages:

Stage 1 – This initial installation is used to gain a persistent foothold on your device, allowing it to survive even after a reboot. This stage is also used for maintaining contact with its command and control center for further instructions.

Stage 2 – The main payload. At this point, it can execute commands, collect files, intercept data, and configure your device. This is also the stage when its self-destructive features are installed. By taking over a section of your device’s firmware, the attackers can then delete the malware remotely and render your router unusable.

Stage 3 – Additional plugins or modules are installed, giving VPNFilter additional capabilities like traffic spying, website credential theft and secure communications through the Tor network.

Are you affected?

Here’s a list of the targeted devices:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

What is VPNFilter’s endgame?

The ultimate goal of VPNFilter is still unclear at this point but based on its capabilities, it is poised for widespread disruption.

Aside from bringing down websites with DDoS attacks, it can also take down massive numbers of routers with its built-in kill switch. Its spying features are also a major concern.

And with its Swiss Army knife level of functions, VPNFilter can also be used as a smokescreen for other major attacks on key sectors, particularly government and industrial infrastructures.

How to remove VPNFilter (and protect yourself, too)

Detecting the presence of VPNFilter on your gadgets is difficult since routers and network-attached storage devices don’t have anti-virus software. However, since VPNFilter is what is known as firmware malware, here are a few mitigation steps you can employ.

1. Reboot

For your first line of defense, reboot your device immediately. This will clear out Stage 2 and Stage 3 infections right away, removing VPNFilter’s most harmful abilities.

However, since VPNFilter’s Stage 1 components can persist even after reboot, your device will still be vulnerable to Stage 2 and 3 reinfections. To remove VPNFilter completely, you will have to perform the additional steps outlined below.

2. Perform a factory reset (highly recommended)

To make sure the malware is completely gone, you need to reset the router to factory-default settings as soon as possible. Typically, this involves holding down the router’s reset button in the back for five to 10 seconds.

This will clear out all the known stages of VPNFilter. Keep in mind that resetting your router will also remove all your configuration settings so you will have to enter them again (or restore from a backup).

3. Update your router’s firmware 

Next, make sure you have your router’s latest firmware. You should check for router firmware updates at least once every three months, anyway.

The process is not as hard as it sounds. Once you’re in the router’s admin page, check for a section called “Advanced” or “Management” to look for firmware updates, then just download and apply as required. This practice can also protect your router from future infections.

4. Change the router’s default password

When you installed your router, did you remember to do this one critical step – changing its default administrator password? Basically, if someone other than you can get in your router’s admin page, then he/she can change any setting they want.

Make sure you’ve changed the default router password. Every hacker worth his or her salt has access to all the default passwords of every router brand, so you need to create one of your own that’s strong.

5. Turn off remote administration

While you’re in your router’s administrator page, you can turn off remote administration for better security. Remote administration is a feature that allows you to log into your router over the internet and manage it. If you’ve ever called tech support, you may have experienced something similar.

Remote administration is a handy tool, especially when you need to fix a problem, but it leaves your computer vulnerable to hackers. Unless you absolutely need it, turn this feature off. You can find this under your router settings, usually under the “Remote Administration” heading.
