Synolocker ‘Service’ Demands 0.6 Bitcoin To Decrypt Your Photos

synology-synolocker

Any system has its vulnerabilities. But as we get more and more connected, we sometimes expose ourselves to new threats that did not exist before. Many times on this site (and others) we recommended to backup your photos to a safe location. One of the more popular solutions is the Synology disk station.

k.salo at the Synology forums reports that his Disk station was hacked by a ransomeware, his files encrypted and that he is asked demanded to pay 0.6 bitcoins to restore the system.

My Diskstation got hacked last night. When I open the main page on the webserver i get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by files. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files was copied I turned of my disk.

Quick math shows that 0.6 bitcoins are about $350. The attackers are cleverly maliciously hiding their operations in the TOR network which means that their identities are completely hidden.

As salo notes, there is a way out if you catch it in an early stage as the encryption works file by file. You can copy the critical files and shut the station down until a solution is found.

Twitter Mike Evangelist shows the terrifying screen that you see if you’ve been infected:

It seems that the team over Synology is aware of the issue and is seeking solutions. In the meantime it may be a good idea to disconnect any disk station from the network.

While it is not clear how the Disk station was compromised, current research points at SynoLocker being a variant of Cryptolocker, a ransomware causing headaches to millions worldwide. This is another reminder of the risks we take when we embrace new technologies.

We have contacted Synology and will update with any new info.

[via slashgear]

UPDATE: Synology reports that this maleware only affects older version of the firmware, and recommends upgrading ASAP. They also provide instructions for safekeeping your station:

 
Synology is fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:
  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

  • imthedude

    I’d assume someone got access to the box, because it’s not like you’d use it to browse the web. I wonder if it was front facing, or using the router components. Hopefully Synology gets on this, as that’s quite unsettling owning a Synology box myself.

  • Baldor

    According to Synology “this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013.”