NAS and storage server manufacturer Synology sends word this afternoon that they are informing their customers of a currently ongoing and dangerous ransomware attack that is targeting Synology devices.

Dubbed SynoLocker, the ransomware is targeting Internet-exposed Synology servers and utilizing a hereto-unknown exploit to break in to those systems. From there SynoLocker engages in a Cryptolocker-like ransom scheme, encrypting files stored on the server and then holding the key ransom. The attackers are currently ransoming the key for 0.6 Bitcoins (roughly $350 USD), a hefty price to pay to get your files back.

At this time only a portion of Synology servers are affected. Along with being Internet-exposed, Synology has confirmed that SynoLocker attacks servers running out of date versions of DSM 4.3 (Synology’s operating system). Meanwhile they are still researching as to whether the newer DSM 5.0 is affected as well.

With Synology still isolating the vulnerability and affected software versions, the company is asking users to take precautions to secure their servers against SynoLocker. Along with removing external Internet access to the server, Synology is also suggesting all users upgrade their DSM to the latest version and backup all of their data so that if they have or do get it, a backup copy is safe from SynoLocker.

Meanwhile for those users whose servers have been infected, Synology is advising users to immediately shutdown their servers to prevent any further files from being encrypted and to contact Synology support about the issue. Synology is also suggesting that affected users also be on the lookout for fake Synology emails, out of a concern that the ransomware authors may follow up by hitting the infected users with spear phising attacks.

It goes without saying that while Cryptolocker and its ransomware ilk are already dangerous pieces of malware, SynoLocker is especially dangerous due to the larger quantity of data stored on a dedicated storage server compared to an average client machine or workstation, along with the potential value of the information stored on such a server. Furthermore whereas Cryptolocker is principally a “pull” attack delivered via Trojans (drive-bys, phishing, and otherwise), SynoLocker is a “push” attack that is capable of reaching out and directly infecting vulnerable servers without any human intervention.

Finally, Synology tells us that they are hoping to finish identifying which versions of DSM are affected this evening. They are also hoping to have a resolution, though admittedly if SynoLocker is as effectively implemented as Cryptolocker, then there is a distinct possibility that there may be no way to recover the ransomed data other than paying.

We will update this article once we hear more from Synology.

Update (08/05/2014):

Synology has finished analyzing the exploit and confirmed which versions of DSM are vulnerable. The vulnerability in question was patched out of DSM in December of 2013, so only servers running significantly out of date versions of DSM appear to be affected.

In summary, DSM 5.0 is not vulnerable. Meanwhile DSM 4.x versions that predate the vulnerability fix – anything prior to 4.3-3827, 4.2.3243, or 4.0-2259 – are vulnerable to SynoLocker. For those systems that are running out of date DSM versions and have not been infected, then updating to the latest DSM version should close the hole.

As for systems that have been infected, Synology is still suggesting that owners shut down the device and contact the company for direct support.


Full SynoLocker ransom message, courtesy the Synology German User forum (via CSO)

SynoLocker™
Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

  • Download and install Tor Browser.
  • Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
  • Login with your identification code to get further instructions on how to get a decryption key.
  • Your identification code is - (also visible here).
  • Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.

Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.

Source: Synology

POST A COMMENT

19 Comments

View All Comments

  • thedeepfriedboot - Monday, August 04, 2014 - link

    No sign of it on my station running DSM5, but I did a remote shutdown until I can get home this evening, check for security issues, and lock down my firewall. Reply
  • JarredWalton - Monday, August 04, 2014 - link

    My dad got the Crytowall ransomware virus a couple months back, which wanted something like $2000 in BTC if you didn't pay within the first week after getting infected. I'm not sure if he ever paid, but he didn't have a backup solution in place so basically he's SOL. Nasty business! Reply
  • ebruddah - Monday, August 04, 2014 - link

    Does anyone know if you can run updates on the fly without service interruption? Reply
  • FordGuy - Monday, August 04, 2014 - link

    Updates will interrupt service (at least on my DS414...).

    The update from DSM4 to DSM5 required a reboot, as did applying the DSM5 updates.

    Updating individual packages (VPN, etc) did not require a server reboot. However, the individual process must be stopped an restarted.
    Reply
  • Beany2013 - Tuesday, August 05, 2014 - link

    Depends on your definition of 'interruption'. If it's a home server that's used for streaming music and video your laptop etc, then it's a couple of minutes to do a minor patch (IE 4.3.x to 4.3.y). For a major version, it's a bit longer, but it's not huge - I don't recall leaving my device overnight or owt, think it was less than an hour. A quick Youtube search suggests about ten to twenty minutes.

    If it's in use at work, is an email server etc, you'll want to schedule some downtime, but we're talking less than an hour. Remember, this is a custom stripped and rebuilt linux distro, not a full on desktop system, and certainly not a Windows Service Pack or inplace upgrade. And everything will be working again as soon as it reboots.

    HTH
    Steven R
    Reply
  • shank15217 - Monday, August 04, 2014 - link

    Lets put files on the cloud some more.. Reply
  • Impulses - Tuesday, August 05, 2014 - link

    Umm, this has little to do with the cloud? It's about malware infecting home NAS boxes and asking a ransom for your data, those boxes usually have net access for a variety of reasons other than cloud sync (remote access etc). In fact I'd dare say a cloud service is possibly less vulnerable to this sorta thing than a Synology NAS, or at least I hope that's the case. Either way, relying on any one solution is folly. Reply
  • KamikaZeeFu - Tuesday, August 05, 2014 - link

    If you needed a reason to store your data in more than 1 physical location then this is as good as it gets. Reply
  • Beany2013 - Tuesday, August 05, 2014 - link

    If you need a reason to run multiple backups (three disks, rotate the disk each day), obfuscated ports, running only essential services, this is also as good as it gets! Reply
  • Bob Todd - Tuesday, August 05, 2014 - link

    How aggressively does DSM update itself? Were any SKUs left at 4.3 and never updated to 5.0? Assuming the current 5.x code base doesn't suffer the same vulnerability, I'm just curious to know the possible footprint for the impact. It's software and software has bugs, but if the numbers are manageable they are better off being exceedingly generous to affected customers. "Sorry for the gadget rage your 2 bay Synology getting hacked has caused, while you are updating DSM and wiping your system to start over, we're shipping you a bonus 4 bay NAS on us. Tell your wife we are sorry about the wedding photos." Reply

Log in

Don't have an account? Sign up now