Synology boxes being targeted for ransomware

Afternoon all,

Did a very quick search, but couldn't find anything so apologies if I've missed a thread somewhere.

It seems like Synology boxes are currently being targeted by ransomware similar to CryptoLocker (but called Synolocker) which is encrypting files on the devices and asking for payment in Bitcoin for the unlock key.

http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/

If you have your device accessible from the Internet, you might want to check/disable this for the time being.
 
I got caught with the malware on it a few months ago, hope I don't get this.

What is the safest way to block internet but keep on local network?

Also I just got an update a couple of days ago, I wonder if this was to fix this?
 
Have my QNAP set up so I can snapshot the most important files to a USB drive via the USB copy port (only connected to do the sync) and rotate between 2 drives so as to have an extra level of defense against CryptoLocker-type stuff (main concern was due to it possibly infecting a PC with network drives logged in).
 
I give myself read-only access to all my media files. Only when specifically logging in as a more privileged account can I add more media to it.
 
From the Synology forums.

K.Salo,

I had a customer of mine get attacked yesterday with the same issue. We have a small business and use a DS1513+ with DSM 4.3-3810. We could not open any files. They were all corrupt or damaged. We rebooted and received the Synolocker message and could not access the DSM other than the message. I am familiar with ransomware but never this one. I Googled to find nothing. Today there are 8 results on Google. I even searched TOR but nothing. I immediately emailed Synology security. Here is a step I have performed to get back into DSM. My files are still locked.

Here is how you do it:
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.

I received email today from Synology that they are aware and looking into the issue.

Thanks
Mike
 
Synology have mentioned it on their Facebook page now too and it seems a couple of people have commented that they've been affected by it.
 
Here's an emergency statement from Synology (the company is preparing a press-release):


You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker – as of yesterday (08/03/14). It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at, http://www.synology.com/en-global/support/knowledge_base
 
Another update from Synology:

Synology has been investigating and working with users affected by a recent ransomware called "SynoLocker." Synology has confirmed the ransomware affects Synology NAS servers running older versions of DiskStation Manager, by exploiting a vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels.

Affected users may encounter the following symptoms:

• When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
• Abnormally high CPU usage or a running process called "synosync" (which can be checked at Main Menu > Resource Monitor).
• DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support here. However, Synology is unable to decrypt files that have already been encrypted.
For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:

• DSM 4.3-3827 or later
• DSM 4.2-3243 or later
• DSM 4.0-2259 or later
• DSM 3.x or earlier is not affected

Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.
Synology sincerely apologizes for any problems or inconvenience this issue has caused our users. As cybercrime proliferates and increasingly sophisticated malware evolves, Synology continues to devote resources to mitigate threats and is dedicated to providing users with reliable solutions.
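
The build lists and the "synosync" symptom in the statement above can be turned into a quick inventory check. This is an added example, not part of the original thread or any Synology tool; the inventory record format, hostnames, sample process lists and status labels are assumptions.

```python
import re

# branch -> (highest build listed as affected, lowest build listed as fixed)
ADVISORY = {
    (4, 3): (3810, 3827),
    (4, 2): (3236, 3243),
    (4, 1): (2851, None),   # the statement lists no fixed 4.1 build
    (4, 0): (2257, 2259),
}
SUSPECT_PROCESS = "synosync"  # process name from the statement
VERSION_RE = re.compile(r"(?:DSM\s*)?(\d+)\.(\d+)-(\d+)", re.IGNORECASE)

def classify_version(version):  # -> affected/fixed/not-affected/unlisted/unparsed
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparsed"
    major, minor, build = map(int, m.groups())
    if major <= 3:
        return "not-affected"   # "DSM 3.x or earlier is not affected"
    if major >= 5:
        return "fixed"          # DSM 5.0 is the statement's recommended target
    if (major, minor) not in ADVISORY:
        return "unlisted"
    max_affected, min_fixed = ADVISORY[(major, minor)]
    if build <= max_affected:
        return "affected"
    if min_fixed is not None and build >= min_fixed:
        return "fixed"
    return "unlisted"           # gap the statement does not cover

def triage(host):  # one inventory record -> action the statement asks for
    if SUSPECT_PROCESS in {p.lower() for p in host.get("processes", [])}:
        return "shut down, contact support"
    status = classify_version(host.get("version", ""))
    if status == "affected":
        return "update DSM now"
    if status in ("unlisted", "unparsed"):
        return "check build manually"
    return "no action from this statement"

# Constructed sample inventory: hostnames and process lists are made up.
INVENTORY = [
    {"name": "nas-office", "version": "DSM 4.3-3810", "processes": ["smbd"]},
    {"name": "nas-lab", "version": "DSM 4.2-3243", "processes": ["synosync"]},
    {"name": "nas-old", "version": "DSM 4.1-2900", "processes": []},
    {"name": "nas-new", "version": "DSM 5.0-4493", "processes": ["nginx"]},
]

def report(inventory=INVENTORY):
    return {h["name"]: triage(h) for h in inventory}
```

A running "synosync" process overrides the version result, since the statement treats it as a symptom regardless of the installed build.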
 
I'm glad I stuck with my monthly backups to a SATA drive. At least I know a virus won't attack my backup when the harddrive is turned off and stored somewhere safe.
 
Luckily I keep mine up to date, usually I upgrade the firmware before the email announcing it arrives! Lots of commercial users have stuck with older DSMs as there has been talk of bricking boxes or breaking functionality, stuck between a rock and a hard place!
 
Another update this morning:

Dear Synology users,

We have discovered security vulnerabilities on the software currently installed on your Synology product. These vulnerabilities might result in unauthorized parties compromising your Synology product.

We strongly suggest you install the newest version of DSM as soon as possible. To do so, please visit our Download Center and download DSM 5.0-4493, DSM 4.3-3827, DSM 4.2-3250, or DSM 4.0-2263 according to your current version. Then, log in to DSM and go to Control Panel > Update & Restore > DSM Update > Manual DSM Update (for DSM 4.3 and earlier, please go to Control Panel > DSM Update > Manual DSM Update) and manually install the patch file.

For more information about security issues related to Synology products, please check our Synology Product Security Advisory page.

Running the latest version of DSM is essential to guarantee your Synology product is protected from threats fixed in previous versions. In this respect, we are no longer providing DDNS and QuickConnect services for Synology products that are running vulnerable versions of DSM. To continue enjoying Synology’s DDNS and QuickConnect service, please follow the instructions above to update your Synology product.

We apologize for any inconvenience caused by this issue. Should you encounter any further problems, please feel free to contact our technical support team.
Sincerely,
Synology Development Team
 
Scary!
Just updating our company's Digital Shared Drive.

Is it still the case of turning off remote access even with the latest firmware 5.0-4493?

edit: Love the new interface seems a lot quicker.
 
Personally I turn as much off as possible when it comes to remote access. One vpn link in is fine for me
 
Only remote access I've got enabled to my synology is file manager using second-factor authentication too (for admin access, a couple of other users have just straight file access but limited to two folders only).

Will this be an issue for me? (using latest DSM 5 software).
 
So after upgrading the Synology to the latest DSM5, we can't rewrite .PSD files from our own internal network but works externally.

I checked the users and groups permissions/privileges, everything is the same as before with read/write ticked, and I'm still able to edit existing text, html and docs file formats, and I can delete, copy and add new files.
The only way to edit/save .PSD file is if I create it as new file into the Synology drive, all existing .PSD (over 1000) won't allow me to rewrite/save on the fly.

Anyone know why this would happen?

Bit strange, and extremely annoying.
 