SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices

Synology network attached storage (NAS) devices, capable of storing terabytes of data, have been targeted by ransomware that encrypts victims’ files.

Owners of Synology's NAS devices might want to unplug their storage boxes now to avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.

The new attack on Synology kit comes within a year of Synology NAS devices being struck by fraudulent Bitcoin mining operators. On Sunday several owners reported finding a message from the “SynoLocker Automated Decryption Service” when they opened the main page of their NAS device’s web server, stating that “all important files on this NAS have been encrypted using strong cryptography”.

As one victim on Synology’s English user forum commented, the SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, around USD$350 at today’s exchange rate. According to the user there is a small window of opportunity to minimise the damage: the malware encrypts files one at a time, so important files can still be copied off the device if that is done faster than the program encrypts them.

“My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on the Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by file. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files were copied I turned off my disk.”

It’s not clear yet how SynoLocker’s operators installed the malware, for example whether they exploited a vulnerability in Synology devices. CSO Australia has asked Synology for comment and will update the story if it receives one.

According to the victim, Synology’s support team are interested in hearing from victims who have not reinstalled its Linux-based DiskStation Manager NAS operating system. Synology’s NAS devices were hit late last year by scammers looking to use their compute power to mine several cryptocurrencies, including Bitcoin.

The ransomware gang has set up a website hiding behind The Onion Router (Tor) to handle the payments and the decryption key exchange.

A German-speaking victim on Synology’s German user forum posted the full message, which is written in English and details the Tor website that victims need to visit to acquire the key:

SynoLocker™
Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if file recovery is needed:

  1. Download and install Tor Browser.
  2. Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
  3. Login with your identification code to get further instructions on how to get a decryption key.
  4. Your identification code is - (also visible here).
  5. Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwritten with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software searches each file for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.

Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.
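The process the note describes is standard envelope (hybrid) encryption. The Go program below is an added example, not SynoLocker's code and not from CSO Australia or Synology: it models the scheme for one in-memory byte string (per-file random 256-bit key, AES-256-CBC for the data, that key wrapped with the RSA-2048 public key and stored beside the ciphertext behind a marker string) and the decrypter's side that searches for the marker and unwraps the key. The marker value, OAEP padding and exact byte layout are assumptions the note does not state. It makes concrete why, as readers work out in the comments, neither the ciphertext nor a backup copy of the original file yields the file key: the only route to it is the private key held on the remote server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed stand-in for the note's "specific string stored in all encrypted files".
var marker = []byte("EXAMPLE-ENVELOPE-v1")
// NewKeypair plays the role of the remote server that generates the RSA-2048 keypair.
func NewKeypair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal mirrors the note's scheme for one in-memory file: fresh random 256-bit key, AES-256-CBC
// over PKCS#7-padded data, key wrapped with the RSA public key (OAEP is an assumption). Layout: marker|wrapped|iv|ct.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	if _, err := rand.Read(fileKey); err != nil { return nil, err }
	if _, err := rand.Read(iv); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(fileKey) // 32-byte key: cannot fail
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return bytes.Join([][]byte{marker, wrapped, iv, ct}, nil), nil
}

// Open is the decrypter's path: find the marker, unwrap the file key with the RSA private key,
// decrypt. priv is the only route to the 256-bit key, so a backup of the plaintext cannot recover it.
func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	i := bytes.Index(blob, marker)
	if i < 0 { return nil, errors.New("marker not found: not an encrypted file") }
	rest, klen := blob[i+len(marker):], priv.Size()
	body := klen + aes.BlockSize // wrapped key, then IV; ciphertext follows
	if len(rest) < body+aes.BlockSize || (len(rest)-body)%aes.BlockSize != 0 { return nil, errors.New("truncated or misaligned envelope") }
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rest[:klen], nil)
	if err != nil { return nil, err } // a different private key fails here
	block, _ := aes.NewCipher(fileKey)
	pt := make([]byte, len(rest)-body)
	cipher.NewCBCDecrypter(block, rest[klen:body]).CryptBlocks(pt, rest[body:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) { return nil, errors.New("bad padding") }
	return pt[:len(pt)-n], nil
}
```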

Synology also responded to CSO Australia:

"When trying to access DSM, it displays the following message 'All important files on this NAS have been encrypted using strong cryptography', in addition to instructions for paying a fee to unlock your data.

"What should you do? If you are seeing this message when trying to login to DSM:

"1) Power off the DiskStation immediately to avoid more files being encrypted

"2) Contact our Support team so we can investigate further. If you are in doubt as to whether your DiskStation may be affected, please don't hesitate to contact us at security@synology.com

"We apologise for any issue this has created; we will keep you updated with the latest information as we address this issue. Our support team can be reached here."


21 Comments

gonzague

1

Hmm this just happened to one of mine

Omar

2

Happened here too to a DS212j

Fred

3

This happened to several customers.
What can we do?

Twiny

4

What everyone should do, use the last backup^^
Or pay and show them that they should do it again, without even being sure you'll get the data back...
Thin chances to get the files back...

Javier

5

please help same problem here. :S

Ian

6

Our company has a big problem with this situation.
Need a solution...please.

Robert

7

Ian, there is no solution. You will not break the lock. If you pay the ransom you will not get the info needed to decrypt...you will simply lose your money. It's not like you'll have a support number you can call. If you don't have a backup, your data is gone...completely and forever gone. If you rebuild your NAS I would strongly recommend either attaching a backup drive or use a cloud based backup solution that is compatible with Synology.

David

8

Any idea what the attack vector is for this ? Does it require your Synology NAS to have ports forwarded from the internet? or is it coming through some other means like a fraudulent package update/etc?

Omar

9

"If you pay the ransom you will not get the info needed to decrypt...you will simply lose your money."

This information is not correct. We have paid and they gave us the decrypt key, now the Device is decrypting, will post an update to the situation soon.

infsec prof

10

what versions of DSM are you folks running?

Omar

11

4.3 here.

5.0 versions seems immune.

Griff

12

If you're posting a version, please post Major, Minor, and Update (if known). This will help narrow down vulnerable versions.

For example, 4.3-3810 Update 1...

saul

13

Omar, did you have any luck with the decrypt process? has it worked?

Has anyone else paid the ransom?

Please let me know, I can't lose my information.

Brian

14

@Saul: we paid the ransom, and got the private key to decrypt the data. It took a day to decrypt all our files.

Webb

15

I have a question. If I have a backup file in another disk. Is there any method to compare the encrypted file and original file, and get the unique RSA-2048 keypair?

Dave

16

@Webb, no, only the hackers will have the private key which you need to decrypt.

saul

17

Thanks Brian!!

Mike

18

Omar, did you get your files back? I NEED the files back and am willing to pay if you got it back, please let me know

Ash N.

19

I am a little confused. If the NAS devices are behind your firewall, how exactly are the SynoLocker people able to access the devices? For those already attacked, do you have the web management accessible via the Internet? A little bit of detail on how the NAS devices are placed in your network may help those of us that have not been attacked yet.

gandiwerner

20

One of our clients was hacked with this. They paid the 'ransom' and they're at 75% decrypted. We're wondering, since a couple of others have paid, if the data was indeed restored after the process ended, the decrypter uninstalled and the unit rebooted. Also - what steps did you take to ensure there was nothing left over for it to start all over again?

gandiwerner

21

Just a follow-up - we got our data back. As much as I hate to encourage people to pay a ransom - if you're desperate, the process does indeed release the data from its prison.
