First, to clarify: the Synology DiskStation Manager (DSM) software that drives its various NAS models is Linux. You already have a Linux server; just one that comes preconfigured for a certain task and with non-standard software (the web-based user interface) installed. To the meat of the question: the only stupid thing you have to do is to open the management port to the internet by port-forwarding (or UPnP) on your router, which is the official way you get access to your files from outside your home. That, coupled with not having installed the security patch from December, is enough to get yourself infected. It's a remote code execution vulnerability; no user interaction required. You don't need to visit any sites, download any software, or install anything on the NAS itself; if the port is forwarded and December's security update isn't installed, then SynoLocker will find it and infect it. Such is the price we pay for convenience, sadly. I can only access my NAS using SSH, and then only from pre-approved systems that have a private key matching public keys stored on the server itself. Not as convenient as Synology's software, but very secure.