SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices

Synology network attached storage (NAS) devices, capable of storing terabytes of data, have been targeted by ransomware that encrypts victims’ files.

Owners of Synology's NAS devices might want to unplug their storage boxes now to avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.

The new attack on Synology kit comes within a year of Synology NAS devices being struck by fraudulent Bitcoin mining operators. Several owners reported on Sunday that, when accessing the main page of the web server for their NAS device, they had found a message from the “SynoLocker Automated Decryption Service” stating that “all important files on this NAS have been encrypted using strong cryptography”.

As one victim on Synology’s English user forum commented, the SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, which at today’s exchange rate is around US$350. According to the user, there’s a small window of opportunity to minimise the damage, provided you can back up files faster than the program encrypts them.

“My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by file. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files were copied I turned off my disk.”

It’s not clear yet how SynoLocker’s operators installed the malware, for example, whether they exploited a vulnerability in Synology devices. CSO Australia has asked Synology for comment and will update the story if it receives one.

According to the victim, Synology’s support team are interested in hearing from victims who have not reinstalled its Linux-based DiskStation Manager NAS operating system.

Synology’s NAS devices were hit late last year by scammers looking to use their compute power to mine several cryptocurrencies, including Bitcoin.

The ransomware gang has set up a website hiding behind The Onion Router (Tor) to handle the payments and the decryption key exchange.


A German-speaking victim on Synology’s German user forum posted the full message, which is written in English and details the Tor website that victims need to visit to acquire the key:

Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

  1. Download and install Tor Browser.
  2. Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
  3. Login with your identification code to get further instructions on how to get a decryption key.
  4. Your identification code is - (also visible here).
  5. Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.

Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.
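Because the note says each encrypted file is renamed to its original filename, a listing by name cannot show which files were hit; only the content can. The following triage sketch is an added example, not code from the article, Synology or the malware: it flags files whose leading bytes no longer match the signature their extension implies, or whose content is near-random. The signature table, the 7.5 bits-per-byte threshold, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Well-known leading signatures; extend for the formats you actually store.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
         ".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, tune on known-good files
SAMPLE = 65536       # bytes read from the start of each file


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspect(path: str) -> bool:
    """Known extension: signature must match. Otherwise: flag near-random content."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        return not head.startswith(magic)  # name promises a format, bytes disagree
    return len(head) >= 1024 and entropy(head) > ENTROPY_LIMIT


def scan(root: str) -> list:
    """Return sorted relative paths under root whose content looks encrypted."""
    paths = (os.path.join(d, n) for d, _s, names in os.walk(root) for n in names)
    return sorted(os.path.relpath(p, root) for p in paths if is_suspect(p))


def demo() -> list:
    """Constructed sample tree: two intact files and two ciphertext stand-ins."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    files = {"ok.png": MAGIC[".png"] + bytes(2048), "photo.jpg": noise,
             "notes.txt": b"meeting at 10\n" * 200, "ledger.txt": noise}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            Path(root, name).write_bytes(body)
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

Run `scan()` against a read-only mount or a copy of the volume so the triage itself changes nothing. Compressed or already-encrypted formats without an entry in the signature table will also score as high-entropy, so treat hits as a restore shortlist rather than proof.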

Synology also responded to CSO Australia:

"When trying to access DSM, it displays the following message 'All important files on this NAS have been encrypted using strong cryptography', in addition to instructions for paying a fee to unlock your data.

"What should you do? If you are seeing this message when trying to login to DSM:

"1) Power off the DiskStation immediately to avoid more files being encrypted

"2) Contact our Support team so we can investigate further. If you are in doubt as to whether your DiskStation may be affected, please don't hesitate to contact us at

"We apologise for any issue this has created, we will keep you updated with latest information as we address this issue. Our support team can be reached here."
