Users on Twitter and on the Synology Support Forum are reporting cases in which the usual main page on the Synology NAS web server is replaced with a message indicating that the files on the device have been encrypted and are providing information on how to pay to get a decryption key. The nature of the attack is modeled after the CryptoLocker ransomware attack from December 2013, in which users are forced to make a large payment in Bitcoin in order to recover their files.

The current ransom for files encrypted with SynoLocker is 0.6 BTC. At current exchange rates, this is approximately $355 USD. As with the CryptoLocker ransomware attack, the ransom is attached to a timer; if users fail to act within the time limit, the cost of the decryption key doubles in price.

What this attack looks like

Synology owners who have fallen victim to this attack are presented with the following message:

SynoLocker™ Automated Decryption Service All important files on this NAS have been encrypted using strong cryptography

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

1. Download and install Tor Browser.

2. Open Tor Browser and visit [redacted]. This link works only with the Tor Browser.

3. Login with your identification code to get further instructions on how to get a decryption key.

4. Your identification code is [redacted].

5. Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
  • Note: Without the decryption key, all encrypted files will be lost forever.
  • Copyright © 2014 SynoLocker™ All Rights Reserved.

    Protecting your data

    As the Synology DiskStation Manager (DSM) uses standard open-source software components (it is, principally, a Linux-based operating system), the security issues present in this software can be used in an exploit of the DiskStation hardware. As such, Synology DiskStation devices that are accessible via the public internet are vulnerable to the exploit. For example, Synology owners utilizing the EZ-Internet feature (or other DynDNS workalike), or if the Synology DiskStation is manually exposed from the firewall are vulnerable to the SynoLocker attack.

    The precise nature of the exploit — that is, what component was vulnerable to allow this attack — is unclear at the time of this writing. Although shielding the hardware from external access is sufficient to protecting your data, particularly paranoid operators can sleep soundly by simply unplugging the Synology DiskStation from the mains.

    Although most users reporting that they have been targeted by SynoLocker are using outdated versions of the Synology DSM software, it is presently unclear if users of the most recently patched version of DSM 5.0 are vulnerable. A vulnerability in DSM 4.3 was used earlier this year to install a Bitcoin mining daemon on the hardware, along with modifications to system files to disguise the existence of the resource-stealing daemon.

    Synology has acknowledged the vulnerability, and will issue updates on the exploit.

    Speak out

    Have you been personally affected by the SynoLocker ransomware, or the BitLocker ransomware from late last year? What precautions have you taken to prevent access to your Synology DiskStation as a result of this vulnerability? Let us know in the comments section.