Synology NAS targeted by SynoLocker ransomware

Synology users told to update DiskStation NAS drives after SynoLocker, a ‘cryptolocker’ style ransom attack. Synolocker is not a variant of the infamous Cryptolocker virus we reported on earlier, but is of the same type – a ransomware style virus which hold its victim’s files to ransom. Their methods involve encrypting the victim’s files and then demanding money to obtain the decryption key, usually the payment is in the form of BitCoin, and anonymous digital currency.

bitcoinUsers on the weekend reported finding a message from the crypto-ransomware operators demanding 0.6 Bitcoin (or around $350 US), for the decryption key. Victims would need to install a Tor browser to access the hidden website where they could make the payment and receive the key and to allow decryption. At this time their is no other method to recover files, short of recovering from backup.

According to Synology, users have been reporting that the attacks are only affecting Synology NAS devices running version 4.3 of its DiskStation Manager (DSM) and not DSM 5.0, which included fixes released last December for two critical flaws that give unauthorised access via the Windows File Service and File Station.

The malware starts encrypting files, telling users that this process is under way. This implies that unencrypted files can still be copied at that point but how many will depend on the number of files on the affected drive and how long the encyption process has been running. The best course of action remains to turn off the drive immediately and take advice.

Detection and prevention rates will be very low as SynoLocker is completely new and attacks the NAS directly, thus it is unlikely that any workstation antivirus products will detect it.

Synology users will also need to think about how the malware reached their NAS in the first place and check their modem security, especially opened ports to the NAS and their computer(s).

An official Synology statement said that the issue seemed to be affecting DiskStations running Disk Station Manager 4.3-3810 or earlier.

Update the DSM

Users should update to the latest version by going to Control Panel > DSM Update or manually via the Synology support site.

Updated Information

For more updated information see the Bleeping Computer article and discussion at Bleeping Computer’s article & posts on Synlocker.