Any hard drive connected to the infected PC is at risk, and any mapped drive NOT just the My Cloud or Smartware program is at risk.
It is not a huge deficiency in backup software, its how PC’s and software work. Its why one must ensure they stop threats at the edge of their network and not after the network is already infected. This includes safe surfing habits and running up to date anti virus/security software and running scans often.
There are some more expensive NAS boxes, including some of the My Cloud line that have virus/malware scanning modules that can scan data. However that won’t prevent certain types of infections. AV and malware scanning programs will only catch what they’re programmed to catch.
About the only way to stop such an infection is to NOT map the My Cloud to the computer, to set all Shares on the My Cloud to Private, do not store any data in the Public Share, and to NOT save the login credentials to access those private Shares.
Generally nothing will prevent a backup program from backing up an infected PC unless that backup program scans the data for malware/viruses prior to backing it up. Once an infected PC is backed up there isn’t much you can do with the backup set other than destroy it. The only way to ensure one is 100% clean from an infection is to wipe the hard drive and reinstall the OS and any programs from original media. There is always a chance the backup set could contain the infection and one could simply reinfect their PC after restoring it from original media.