
Those who use Synology DiskStations or RackStations are being warned to take action to avoid being affected by a new ransomware that locks down files. The ransomware, named Synolocker, is similar to the Cryptolocker virus.

Unlike Cryptolocker, which blatantly asks for money, Synolocker masquerades as a courtesy to improve the security of the drive. It informs the user of the multilayer lockdown that has been carried out on the drive’s files, including RSA 2048-bit keys and 256-bit keys on a per-file basis, all carried out on the remote server before being securely overwritten.

The decryption process requires the installation of the Tor web browser, the anonymisation service that allows users to enter websites that are located on the so-called “deep web”. At this point, the victim is asked to pay 0.6 bitcoins to retrieve their files, equivalent to around £209 at time of writing.

It targets devices that are connected to the internet with the administration page exposed. If either or both of ports 5000 and 5001 on your Synology NAS are reachable from the internet, you should close those ports immediately.
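The exposure described above can be checked from the defender's side. This is an added example, not code from Synology or the article: it tests whether TCP ports 5000 and 5001 answer on an address you own, and it should be run from a network outside your own against your public address, because a check from inside the LAN says nothing about internet exposure. The function names and the default address `192.0.2.10` (a documentation placeholder) are assumptions.

```python
import socket
import sys

DSM_PORTS = (5000, 5001)  # DSM administration ports named in the article


def check_port(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unresolved' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"          # host answered with a reset: nothing listening
    except socket.gaierror:
        return "unresolved"      # host name could not be resolved
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the way


def audit_exposure(host, ports=DSM_PORTS, timeout=3.0):
    """Check every port and list the ones that accepted a connection."""
    states = {port: check_port(host, port, timeout) for port in ports}
    exposed = sorted(p for p, s in states.items() if s == "open")
    return {"host": host, "states": states, "exposed": exposed}


if __name__ == "__main__":
    # Placeholder default (assumption); pass your own public address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = audit_exposure(target)
    for port, state in report["states"].items():
        print(f"{target}:{port} {state}")
    if report["exposed"]:
        print("DSM admin port reachable: remove the port forward or firewall rule")
        sys.exit(1)
    print("ports 5000/5001 not reachable from this vantage point")
```

A non-zero exit status means at least one of the two ports accepted a connection, so the script can be run on a schedule and alert on failure.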

Synology’s Response

To prevent your NAS from becoming infected:

  1. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
  2. Update DSM to the latest version
  3. Back up your data as soon as possible
  4. Synology will provide further information as soon as it is available.

If your NAS has been infected:

  • Do not trust, and ignore, any email from an unauthorized/non-genuine Synology email address. Synology email always has the “synology.com” address suffix.
  • Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
  • Contact Synology Support as soon as possible, here.

Sources: The Register and The Inquirer
