Users on Twitter and on the Synology Support Forum are reporting cases in which the usual main page on the Synology NAS web server is replaced with a message indicating that the files on the device have been encrypted and are providing information on how to pay to get a decryption key. The nature of the attack is modeled after the CryptoLocker ransomware attack from December 2013, in which users are forced to make a large payment in Bitcoin in order to recover their files.
The current ransom for files encrypted with SynoLocker is 0.6 BTC. At current exchange rates, this is approximately $355 USD. As with the CryptoLocker ransomware attack, the ransom is attached to a timer; if users fail to act within the time limit, the cost of the decryption key doubles in price.
What this attack looks like
Synology owners who have fallen victim to this attack are presented with the following message:
SynoLocker™ Automated Decryption Service All important files on this NAS have been encrypted using strong cryptography
List of encrypted files available here.
Follow these simple steps if files recovery is needed:
1. Download and install Tor Browser.
2. Open Tor Browser and visit [redacted]. This link works only with the Tor Browser.
3. Login with your identification code to get further instructions on how to get a decryption key.
4. Your identification code is [redacted].
5. Follow the instructions on the decryption page once a valid decryption key has been acquired.
Technical details about the encryption process:
Protecting your data
As the Synology DiskStation Manager (DSM) uses standard open-source software components (it is, principally, a Linux-based operating system), the security issues present in this software can be used in an exploit of the DiskStation hardware. As such, Synology DiskStation devices that are accessible via the public internet are vulnerable to the exploit. For example, Synology owners utilizing the EZ-Internet feature (or other DynDNS workalike), or if the Synology DiskStation is manually exposed from the firewall are vulnerable to the SynoLocker attack.
The precise nature of the exploit — that is, what component was vulnerable to allow this attack — is unclear at the time of this writing. Although shielding the hardware from external access is sufficient to protecting your data, particularly paranoid operators can sleep soundly by simply unplugging the Synology DiskStation from the mains.
Although most users reporting that they have been targeted by SynoLocker are using outdated versions of the Synology DSM software, it is presently unclear if users of the most recently patched version of DSM 5.0 are vulnerable. A vulnerability in DSM 4.3 was used earlier this year to install a Bitcoin mining daemon on the hardware, along with modifications to system files to disguise the existence of the resource-stealing daemon.
Synology has acknowledged the vulnerability, and will issue updates on the exploit.
Have you been personally affected by the SynoLocker ransomware, or the BitLocker ransomware from late last year? What precautions have you taken to prevent access to your Synology DiskStation as a result of this vulnerability? Let us know in the comments section.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.