NAS and storage server manufacturer Synology sends word this afternoon that they are informing their customers of a currently ongoing and dangerous ransomware attack that is targeting Synology devices.

Dubbed SynoLocker, the ransomware is targeting Internet-exposed Synology servers and utilizing a hereto-unknown exploit to break in to those systems. From there SynoLocker engages in a Cryptolocker-like ransom scheme, encrypting files stored on the server and then holding the key ransom. The attackers are currently ransoming the key for 0.6 Bitcoins (roughly $350 USD), a hefty price to pay to get your files back.

At this time only a portion of Synology servers are affected. Along with being Internet-exposed, Synology has confirmed that SynoLocker attacks servers running out of date versions of DSM 4.3 (Synology’s operating system). Meanwhile they are still researching as to whether the newer DSM 5.0 is affected as well.

With Synology still isolating the vulnerability and affected software versions, the company is asking users to take precautions to secure their servers against SynoLocker. Along with removing external Internet access to the server, Synology is also suggesting all users upgrade their DSM to the latest version and backup all of their data so that if they have or do get it, a backup copy is safe from SynoLocker.

Meanwhile for those users whose servers have been infected, Synology is advising users to immediately shutdown their servers to prevent any further files from being encrypted and to contact Synology support about the issue. Synology is also suggesting that affected users also be on the lookout for fake Synology emails, out of a concern that the ransomware authors may follow up by hitting the infected users with spear phising attacks.

It goes without saying that while Cryptolocker and its ransomware ilk are already dangerous pieces of malware, SynoLocker is especially dangerous due to the larger quantity of data stored on a dedicated storage server compared to an average client machine or workstation, along with the potential value of the information stored on such a server. Furthermore whereas Cryptolocker is principally a “pull” attack delivered via Trojans (drive-bys, phishing, and otherwise), SynoLocker is a “push” attack that is capable of reaching out and directly infecting vulnerable servers without any human intervention.

Finally, Synology tells us that they are hoping to finish identifying which versions of DSM are affected this evening. They are also hoping to have a resolution, though admittedly if SynoLocker is as effectively implemented as Cryptolocker, then there is a distinct possibility that there may be no way to recover the ransomed data other than paying.

We will update this article once we hear more from Synology.

Update (08/05/2014):

Synology has finished analyzing the exploit and confirmed which versions of DSM are vulnerable. The vulnerability in question was patched out of DSM in December of 2013, so only servers running significantly out of date versions of DSM appear to be affected.

In summary, DSM 5.0 is not vulnerable. Meanwhile DSM 4.x versions that predate the vulnerability fix – anything prior to 4.3-3827, 4.2.3243, or 4.0-2259 – are vulnerable to SynoLocker. For those systems that are running out of date DSM versions and have not been infected, then updating to the latest DSM version should close the hole.

As for systems that have been infected, Synology is still suggesting that owners shut down the device and contact the company for direct support.


Full SynoLocker ransom message, courtesy the Synology German User forum (via CSO)

SynoLocker™
Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

  • Download and install Tor Browser.
  • Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
  • Login with your identification code to get further instructions on how to get a decryption key.
  • Your identification code is - (also visible here).
  • Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.

Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.

Source: Synology

POST A COMMENT

19 Comments

View All Comments

  • icrf - Tuesday, August 05, 2014 - link

    Synology is kind of Nvidia-like when it comes to updates. They have one code base ported to support pretty much everything they've released. The DS411j I bought for my parents 3-4 years ago is updated to DSM 5.0, and receives updates every month or so. That's one of the main reasons I picked Synology over any of the other NAS options. It sounded like it would be supported much longer. It may have made a larger attack target with such homogeneous software, though.

    The update to 5.0 seems to be more aggressive about updates, too. It sends me an email every time one is available and a few times a week until I install it. I don't remember 4.3 doing that.
    Reply
  • Bob Todd - Tuesday, August 05, 2014 - link

    Thanks! I figured it was probably like most NAS software that harassed you via email about updates but didn't apply them automatically. Understandable for large updates like 4.x to 5.x that could potentially bork the system for a small number of users and drive contact rates for support. It would be nice if they at least had the ability to flag security critical updates and have the NAS self-update (i.e. from 4.3.0 -> 4.3.1 with a patch to the old release branch). Reply
  • Beany2013 - Tuesday, August 05, 2014 - link

    I read somewhere that automatically installed updates are coming in a future release - I can't find an explicit option in the current latest version to have it, say, automatically install the latest patch at 2pm on a Wednesday or anything - but it can currently automatically download updates in DSM 5 (can't remember if that's it's default state). Reply
  • brucek2 - Tuesday, August 05, 2014 - link

    If we have to have a super expensive and super invasive NSA world-wide spying apparatus, could they at least please take a few seconds out from their normal business to locate these jerks, recover all the encryption keys, then send out a couple drones? Thanks! Reply
  • sneaky999 - Tuesday, August 05, 2014 - link

    Haha loved that comment. However that would mean that said government institutions revealed their capabilities to the public by actually using them to help the public...Not going to happen any day soon I reckon Reply
  • CBauer00010010 - Tuesday, August 05, 2014 - link

    Dose anyone know if paying the ransome works? I have paper copies of all my files but the time it would take to rescan them would cost my company thousands. Reply
  • imaheadcase - Tuesday, August 05, 2014 - link

    Not always. People have reported paying, only to get it locked back again. Why wouldn't they if they know you are willing to pay in the first place?

    I personally would not care, i have everything backed up. I would simply disconnect from internet, format nas, and copy everything back. Only THEN would I pay, but not them, some hacker for revenge. I would pay more than they wanted, just to see them suffer. Oh not the simple suffering, i would make them suffer real pain in the real world.
    Reply
  • josephPHPagoda - Tuesday, August 05, 2014 - link

    Don't pay. These kind of things continue to happen because people create incentive to do so. There is no promise it will work, and you are funding this sort of behavior if you pay. My recommendation is to deal with the pain knowing that at least you aren't giving criminals funding to continue this sort of behavior. To mitigate this sort of risk, make sure you have proper backups in the future. I had a friend get hit with something similar to this, but since he had backups, it took a simple copy/paste and he was back up and running with nothing lost (just 5 minutes or so). Reply
  • Beany2013 - Tuesday, August 05, 2014 - link

    Reports from the Syno forums are that it does work (they even provide you with full instructions on how to do it over SSH) but three portable HDDs to back up to, with the disk changing every day, would be cheaper and more efficient overall - and if you notice on Thursday that all your data is encrytped, you can go back to Wednesdays backup and recover from that.

    It's cheaper than rescanning and better than paying the scumsucking little bastards who came up with this (as others have noted, correctly)
    Reply

Log in

Don't have an account? Sign up now