Synology users told to update DiskStation NAS drives after 'SynoLocker' ransom attack

Previously unknown malware exploits flaw

Users of Synology's market-leading DiskStation NAS drives are being urged to update their drive's management software immediately after what appears to be an unprecedented targeted attack by CryptoLocker-like ransom malware.

Currently, the only descriptions of the attack are on the firm's user forums, which over the weekend started to fill up with complaints that trying to open the DiskStation web console was throwing up a message from something called 'SynoLocker' demanding a ransom of 0.6 Bitcoins (worth about $350).

"When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked," read the first complaint on Synology's online forum.

From the descriptions, the mysterious malware seems to be triggered when users access the drive's interface, which suggests that an infection on the workstation is exploiting a known vulnerability to attack the drives at that moment.

Needless to say, SynoLocker is completely new and it is unlikely that any workstation antivirus products will detect it.

The malware starts encrypting files, telling users that this process is under way. This implies that unencrypted files can still be copied at that point, although how many will depend on the number of files on the affected drive. The best course of action remains to turn off the drive immediately and take advice.

An official Synology statement said that the issue seemed to be affecting DiskStations running Disk Station Manager 4.3-3810 or earlier.

"Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM, by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0."

The flaw being exploited appears to be connected to CVE-2013-6955, which would allow an attacker (running on the PC) to gain root privileges, in effect taking over the system.
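For anyone responsible for more than one DiskStation, the version range in Synology's statement can be turned into a quick inventory triage. The following is an added example, not code from Synology or from this article; the hostnames and version strings are constructed, and the only threshold used is the "4.3-3810 or earlier" figure quoted above, so "not-reported" means only that the statement does not name that version.

```python
import re

# Threshold from the Synology statement quoted in this article:
# "DSM 4.3-3810 or earlier" is reported as affected.
AFFECTED_MAX = (4, 3, 3810)

# Matches "<major>.<minor>-<build>" inside strings such as "DSM 4.3-3810".
VERSION_RE = re.compile(r"(\d+)\.(\d+)-(\d+)")


def parse_dsm_version(text):
    """Return (major, minor, build) as ints, or None if no version is found."""
    match = VERSION_RE.search(text or "")
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Classify one reported DSM version string against the article's threshold."""
    version = parse_dsm_version(version_text)
    if version is None:
        return "unknown"          # unreadable: check the unit by hand
    if version <= AFFECTED_MAX:
        return "affected"         # at or below 4.3-3810: update first
    return "not-reported"         # newer than the range the statement names


def triage(inventory):
    """Group hostnames by classification; 'affected' and 'unknown' need action."""
    groups = {"affected": [], "unknown": [], "not-reported": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return groups


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "nas-office": "DSM 4.3-3810",
    "nas-backup": "DSM 4.2-3211",
    "nas-media": "DSM 5.0-4493",
    "nas-lab": "version not recorded",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
```

Units in the "unknown" group should be treated like affected ones until their DSM version has been confirmed in Control Panel.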

Users should update to the latest version as soon as possible by going to Control Panel > DSM Update or manually by visiting their support site, the firm said.

"If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at where a dedicated team will look into their case," the statement added.

Synology users might also want to think about how the malware reached their NAS in the first place. The method remains unconfirmed, but an attack from a local workstation is highly likely, and so that will need to be traced too.

For attackers to target NAS workstations in this way is brand new for a form of malware that has cut a swathe through hard drives on PCs in the last year. It is also logical; ransom malware such as CryptoLocker and Cryptowall were always targeted primarily at SMEs whose data is valuable. Because a lot of this sits on NAS drives, attacking them is an obvious ploy if a way can be found to beat any security in place.
