Some Synology users have reported that they have been infected with a cryptolocking malware that encrypts all files on the compromised system. The perpetrators demand a ransom for the encryption keys to unlock their system. All files on the compromised system are unavailable without the encryption key.
Synology has released two statements related to this issue; here they are:
++++++++++++++++++++++++++
We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.
We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.
For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php.
- When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
- A process called “synosync” is running in Resource Monitor.
- DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.
For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
- For DSM 4.3, please install DSM 4.3-3827 or later
- For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
- For DSM 4.0, please install DSM 4.0-2259 or later
DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.
If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com where a dedicated team will look into their case.
We sincerely apologise for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
++++++++++++++++++++++++++
Synology® Encourages Users to Update as SynoLocker Ransomware Affects Older DSM Versions
Milton Keynes, United Kingdom – 6th August 2014—Synology has been investigating and working with users affected by a recent ransomware called “SynoLocker.” Synology has confirmed the ransomware affects Synology NAS servers running older versions of DiskStation Manager, by exploiting a vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels. Affected users may encounter the following symptoms:
- When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
- Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
- DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
For users who have encountered the above symptoms, please shut down the system immediately to prevent more files from being encrypted and contact our technical support here: https://myds.synology.com/support/support_form.php. However, Synology is unable to decrypt files that have already been encrypted. For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
- DSM 4.3-3827 or later
- DSM 4.2-3243 or later
- DSM 4.0-2259 or later
- DSM 3.x or earlier is not affected
Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.
Synology sincerely apologises for any problems or inconvenience this issue has caused our users. As cybercrime proliferates and increasingly sophisticated malware evolves, Synology continues to devote resources to mitigate threats and is dedicated to providing users with reliable solutions. If users notice their DiskStation behaving suspiciously even after being upgraded to the latest DSM version, please contact security@synology.com.
+++++++++++++++++++++++++++++++++++++++++
What Does This Mean?
First, if your system is compromised, your data is gone. Unless you fancy downloading Tor and sending Bitcoin to the people who attacked you, with no guarantee of an encryption code for your trouble, you can’t recover the data. Period. Factory reset time. No one, including Synology, is likely to be able to help you.
Second, if your system is not compromised and is running older DSM, upgrade immediately. Don’t wait, just go and do it. I recommend automatically updating firmware whenever possible to prevent these types of surprises. Anyone who upgraded after December 2013 should be safe from this exploit so please go and update DSM immediately.
As a side note, I lost my Windows 7 tablet last summer to a similar exploit that nailed me via an outdated Java installed on the system. I did not realize that Java updated the system and left exploitable versions intact. I lost everything on that machine as my WHS011 backups were compromised, so I was forced to factory reset the PC. That was painful, so I feel for anyone who lost everything on their Synology NAS unit due to this exploit.
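The build thresholds and symptoms from the two Synology statements above can be turned into a triage check for an inventory of NAS units. This is an added example, not Synology's code: the function names are hypothetical, and it assumes you have already collected each unit's DSM version string, its process names, and whether DSM Update claims to be current.

```python
import re

# Build thresholds copied from the two Synology statements quoted above:
# branch -> (highest build listed as affected, lowest build listed as fixed).
ADVISORY = {
    (4, 3): (3810, 3827),
    (4, 2): (3236, 3243),
    (4, 1): (2851, None),  # no fixed 4.1 build is listed; the fix is 4.2-3243 or later
    (4, 0): (2257, 2259),
}

def parse_dsm(version):
    """Split 'DSM 4.3-3810' or '4.3-3810' into ((major, minor), build)."""
    m = re.fullmatch(r"\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)\s*", version)
    if m is None:
        raise ValueError(f"unrecognised DSM version string: {version!r}")
    major, minor, build = map(int, m.groups())
    return (major, minor), build

def classify(version):
    """Return 'affected', 'fixed', 'not-affected', 'not-observed' or 'unlisted'."""
    branch, build = parse_dsm(version)
    if branch[0] <= 3:
        return "not-affected"   # "DSM 3.x or earlier is not affected"
    if branch[0] >= 5:
        return "not-observed"   # "we have not observed this vulnerability in DSM 5.0"
    if branch not in ADVISORY:
        return "unlisted"
    affected_max, fixed_min = ADVISORY[branch]
    if build <= affected_max:
        return "affected"
    if fixed_min is not None and build >= fixed_min:
        return "fixed"
    return "unlisted"           # build falls between the two published thresholds

def triage(version, processes=(), reports_up_to_date=False):
    """Map one unit's observations to the action the statements give for it."""
    status = classify(version)
    symptom = "synosync" in processes or (status == "affected" and reports_up_to_date)
    if symptom:
        return status, "shut down and contact Synology support"
    if status == "affected":
        return status, "install a fixed DSM build now"
    if status == "unlisted":
        return status, "not covered by the statements; update to a listed fixed build"
    return status, "no action required by the statements"
```

The ransom screen at login, the first symptom in both statements, is not something this check can observe and still has to be confirmed by hand.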