Synolocker 0-Day Ransomware Puts NAS Files At Risk

Deathlizard (115856) writes "Have a Synology NAS? Is it accessible to the internet? If it is, You might want to take it offline for a while. Synolocker is a 0-day ransomware that once installed, will encrypt all of the NAS's files and hold them for ransom just like Cryptolocker does for windows PC's. The Virus is currently exploiting an unknown vulnerability to spread. Synology is investigating the issue."

This is how we learn

not to connect your NAS directly to the internet.

Re:This is how we learn

[jonwil]

It should be attached to a network fire-walled off from the Internet and only accessible if you are on the local LAN.

Re:This is how we learn

[Thanshin]

If it was meant to be connected to the internet it would be called ASOTAS

Re:This is how we learn

[rikkards]

Kind of defeats the cloud feature on Synology NAS doesn't it? Granted you should have it firewalled off except for the specific port it needs.

Re:This is how we learn

[rikkards]

Oh also it can act as a firewall as well (not saying much for its capabilities though)

Re:This is how we learn

[spacefight]

What if the attack surface is the "port it needs"?

Re:This is how we learn

[SuricouRaven]

When did 'server full of hard drives' turn into 'cloud storage?'

The useful thing about the cloud is that no-one knows what it actually is, so any company is free to call their product cloud-based without contest.

Re:This is how we learn

[jythie]

Well, by the original usage, a server full of drives would not be "cloud storage", but as with any new term that gets popular marketers use it to describe products that only kinda function a little like the new stuff.

Re:This is how we learn

[drinkypoo]

Kind of defeats the cloud feature on Synology NAS doesn't it?

It's called VPN. Learn it, live it, love it. Also, welcome to slashdot. You must need a welcome, because we know about VPNs here.

Re:This is how we learn

[FireFury03]

Well, by the original usage, a server full of drives would not be "cloud storage"

I want to dispute this - I had a server full of drives that I bought to be my "cloud storage". But when I tried to store my cloud in it, it started to leak out of the server. I ended up with a messy pool of water on the floor and a ruined server!

Re:This is how we learn

[ShaunC]

The useful thing about the cloud is that no-one knows what it actually is, so any company is free to call their product cloud-based without contest.

Reminds me of the quote about "big data" being like sex in high school. Nobody's really sure what it is, but everyone thinks that everyone else is doing it, so everyone says they're doing it, too.

Re:This is how we learn

[AmiMoJo]

It basically runs a dynamic DNS client that lets you connect to your NAS away from home, via a web site. For this to work it must accept connections through your firewall, which it uses UPnP to set up.

Re:This is how we learn

[SpzToid]

Technology Students in Southern California and Florida have managed to achieve a breakthrough in cloud-storage. Imagine for a moment, if you could possibly harness the entire storage volume of The Cloud, and then increase that by a trillion-fold! That's exactly what these students have achieved by a technique having to do with their ability to create an environment with sustained, extremely cold temperatures over a lengthy period of time. Imagine all the clouds you could see across the Wyoming horizon, and then holding all of them in something a lot like an ordinary ice cube tray. That's the power of the cloud, where the lightening comes from(tm)!

However I'm still somewhat foggy as to how they implement it. I've even heard there's even a subgroup of those technology students that "likes to crush the cloud", whatever that's supposed to mean.

Now excuse me while I water that last patch of grass you're standing on please, using only cloud energy, of course as I'm write publicly on The Slashdots to be read worldwide and forever.

Re:This is how we learn

[saleenS281]

The problem is Synology advertises it as a replacement for your router/firewall as well. I always thought that was stupid. I mean, I get the draw of "only having one box", but I don't know why you'd ever directly expose your personal data to the internet that way.

Re:This is how we learn

[mrchaotica]

That's the power of the cloud, where the lightening comes from(tm)!

For the love of $DIETY, enforce that trademark so no real company uses that catch phrase!

Re:This is how we learn

[hawkinspeter]

I always thought that "cloud" meant "on someone else's computer", so as long as you don't own the storage, it's "in the cloud".

Re:This is how we learn

[Lazere]

Yep, I have to "fuck with VPNs" whenever I need to access my stuff. Hitting that "connect" button is really hard, you know.

Re:This is how we learn

[s.petry]

Really? So we had "Cloud" back in 1984 when NFS was released?

Re:This is how we learn

[s.petry]

Pretty much a standard architecture decisions that people are making, then bothered by the predictable results.

Client < - > Server ( Firewall < - > Application Layer with authentication < - > NAS )

You can scale any of the 3 server side layers as needed, add encryption to the client or application layer, and have granular control.

The issue is really that people (E.G. CEO/CFO/Shareholders) don't want to "PAY" for a proper architecture. If you don't build it secure, don't bitch when the solution is not secure. If you don't build it to scale, don't bitch when the solution can not scale.

Re:This is how we learn

[EvilJoker]

Is there a consumer-grade router that supports IPv6, and by default has a firewall enabled that's as effective as PAT?

While I realize NAT (PAT) isn't technically a firewall, it does provide much of the same security as one.

Re:This is how we learn

Ironically enough, the Synology NAS has an OpenVPN package that can be installed to act as a SSL/TLS VPN server. Simple and easy

Re:This is how we learn

[benjymouse]

It should be attached to a network fire-walled off from the Internet and only accessible if you are on the local LAN.

But it is based on Linux, right? Why would it need to be fire-walled off from the Internet when so many Linux servers and appliances are on the Internet?

Re:This is how we learn

[RatherBeAnonymous]

Unfortunately, no one can be told what The Cloud is. You have to see it for yourself.

Re:This is how we learn

Yes.

Re:This is how we learn

[Applehu+Akbar]

Are we sure this exploit only affects Synology users who have the web access feature turned on?

Re:This is how we learn

[tepples]

Do all VPNs use the same protocol? Are implementations of all VPNs' protocols available at reasonable cost for all platforms?

Re:This is how we learn

[Lazere]

The simplest one is PPTP. Windows (at least the professional version) has a server for this. Set it up in the Windows network center and open the port on your router. Just about every OS out there (including Android and iOS) has a VPN client capable of PPTP. Point that to your external IP, put in the username and password, and you're off to the races. After that, all that information is saved and all you have to do is hit "connect". There are various other protocols with extra levels of security and difficulty, but PPTP will get you a basic VPN pretty quickly that will still be more secure than exposing a private NAS to the internet.

Nuke it from orbit, then restore from backups.

[heypete]

You do have backups, right?

Re:Nuke it from orbit, then restore from backups.

Of course. But they are on another similar box connected to the internet of things which was crypted earlier.

Re:Nuke it from orbit, then restore from backups.

[Noughmad]

Backup? What do people usually use NAS for, I always thought it's mostly for ripped/torrented movies and backups of other computers. Neither of these need backups.

Re:Nuke it from orbit, then restore from backups.

[fuzzyfuzzyfungus]

They may have some unhappy customers right now; but 'NAS', in Synology's product lineup, includes a variety of devices that are aimed either at reasonably serious users or very serious pirates.

Re:Nuke it from orbit, then restore from backups.

They may have some unhappy customers right now; but 'NAS', in Synology's product lineup, includes a variety of devices that are aimed either at reasonably serious users or very serious pirates.

Translation: They have a built-in torrent client and FTP server. Therefore you can practically smell the salt water reeking from ye digital box.

I love how certain tools label people as scurvy dogs hell-bent on illegal activities.

Re:Nuke it from orbit, then restore from backups.

[Thanshin]

The deluxe edition comes with an eye-patch. They initially offered a parrot, but there where some shipment incidences*.

*: There's still some debate about the actual status of the parrots upon arrival. Synology insists on the parrots' being alive, but there have been customer reports on the parrots being: "passed on", "no more", "ceased", "expired and gone to meet it's maker", "a stiff", "Bereft of life", "resting in peace", among others.

Re:Nuke it from orbit, then restore from backups.

[Dutch+Gun]

My Synology NAS is my home-based business' file server, a local machine backup (for my development machine and my digital audio workstation), and a media server for my ripped DVDs and Blurays, although this third function is just a nice bonus for me. Synology NAS devices have a very handy cloud backup application as well, which I use to backup all my most critical files to Amazon S3 services. I hope most people made use of this, because if Cryptolocker has taught us anything, it's that you absolutely need offsite backups that are NOT connected to your network.

I bought it specifically because it makes it easy to set up a multi-tiered backup strategy like that - something that takes on new importance when you spend a few years writing code on your own dime. As a file server, it's fantastic for small operations. I had a drive begin to fail last year, and so had a chance to test out the hot-swapping / RAID rebuilding feature. Worked like a charm - was super simple and zero down-time.

Personally, I've never once considered opening up my NAS to the outside internet. That always seemed crazy risky to me - after all, a single software mistake, a buffer overrun in a protocol stack of some sort, and *poof*, there's direct access to your file server and all it's critical data. I guess sometimes being paranoid pays off, but it gives me no pleasure to say so.

Re:Nuke it from orbit, then restore from backups.

[fuzzyfuzzyfungus]

Quite the opposite. Being satisfied with the built in bittorrent clients, or FTP in general, suggests somewhat casual activity; but if you are buying your piracy gear based on its support for lots of iSCSI LUNs, 10GbE, and availability of rackmount expansion enclosures with redundant power supplies I would say that you are pretty serious about it...

I don't know how successful they've been in terms of market share; but their pitch for most of the 'rackstation' line suggests that they are hoping for relatively demanding applications by the standards that 'NAS' has historically evoked.

Re:Nuke it from orbit, then restore from backups.

[neoform]

Synology's NAS OS has a nice built in BT client with built in search that goes to all your favorite sites.

Re:Nuke it from orbit, then restore from backups.

[TerryC101]

I didn't think it was known yet if it was the same attack vector.

Re:Nuke it from orbit, then restore from backups.

[Chris+Mattern]

Synology now insists that this in fact reflective of their move to quantum computing technology, and that the parrot is both alive and dead.

Re:Nuke it from orbit, then restore from backups.

[TyFoN]

The NAS OS is linux and the BT client is just transmission with a web interface.

But it is nicely put together :)

Re:Nuke it from orbit, then restore from backups.

[pnutjam]

Backups need backups too. Your data isn't safe unless there are 3 copies, working, backup, archive (minimum), one should be offline.

Re: Nuke it from orbit, then restore from backups.

[maroberts]

No I think it was a Norwegian Blue, but I'm not sure we can af-fjord any more references to that sort of thing

Re:Nuke it from orbit, then restore from backups.

[Noughmad]

Backups need backups too. Your data isn't safe unless there are backups all the way down.

But seriously, having two copies is enough most of the time, provided they are somewhat separate (i.e. not on two identical, connected NAS machines).

Re:Nuke it from orbit, then restore from backups.

[saleenS281]

S3? Yuck. Their pricing is horrendous. I'd suggest crashplan.

http://www.code42.com/crashplan/
http://forum.synology.com/wiki/index.php/CrashPlan_Headless_Client

Although the synology forums are currently getting destroyed (guessing from this article).

Re:Nuke it from orbit, then restore from backups.

[saleenS281]

I think you're lost. This thread is about integrated synology backups; not rsync, not virtual servers. Please move along.

Re:Nuke it from orbit, then restore from backups.

[fuzzyfuzzyfungus]

Arguably, 'should have used FreeNAS' is close to the BSD equivalent of 'should have used debian'. Probably good advice, unless you prefer the nas4free fork; but not closely related to the OS used.

(That said, I'm always a bit surprised at how many awful embedded firmwares are elderly-linux-with-dubious-GPL-compliance rather than BSD. It's not as though putting a dangerously awful proprietary web interface and lighthttpd on one is all that different from doing so on the other. I can only assume that the ones hacking together the BSPs for today's cheap embedded boards support linux better.)

Re:Nuke it from orbit, then restore from backups.

[fuzzyfuzzyfungus]

This is quite true; but I suspect that trying to get .6 bitcoins out of somebody for some files that they can re-download is going to be harder than doing the same for the smallish business customers who are presumably the target for their $1000-and-up devices.

Network attached storage is all kinds of convenient; but if you are the attacker, and building a vendor-specific ransom package, it needs to be a vendor who sells enough devices that store important files, particularly ones that aren't just backups of somebody's PC, to get people to pay the ransom.

Re:Nuke it from orbit, then restore from backups.

[rahvin112]

You do realize that for the S3 backup to work Synology or the NAS (and the NAS has you Synology login info) has your login information for S3, and that if this thing is owning the NAS there is a pretty damn good chance the malware has owned your S3 instance as well right? The only way it wouldn't is if the S3 backup is totally manual.

Re:Nuke it from orbit, then restore from backups.

[Dutch+Gun]

That's actually a very good point. The S3 backup is completely automated which means, of course, that everything the malware would need to screw with your S3 (or other) account is right there for the taking - the keys have to be local and accessible. Granted, we haven't heard any confirmation of this malware having those sorts of capabilities, but we've seen incredibly sophisticated banking trojans out in the wild that do things that are far more sophisticated.

Damn. Well, all the more reason to stay patched up, and to avoid exposing any more of an attack surface to the internet than you absolutely need to. Fortunately, the way my local network is set up, it's pretty much impossible for a single trojan to access all of the redundant copies of my critical files, since the multiple workstations all sync to a Mercurial repository on the NAS, and none of those workstations share their drives, providing some degree of protection from potential malware on the other machines in the network. I guess you can never really have too many backups.

Re:Nuke it from orbit, then restore from backups.

[heypete]

You do realize that for the S3 backup to work Synology or the NAS (and the NAS has you Synology login info) has your login information for S3, and that if this thing is owning the NAS there is a pretty damn good chance the malware has owned your S3 instance as well right? The only way it wouldn't is if the S3 backup is totally manual.

Amazon has a very extensive authentication system -- you can easily configure the Synology with an S3 access key that only has "List Files" and "Upload Files" permissions, but not "Delete Files" or "Overwrite Files". This way, even if the Synology box gets owned or a user fat-fingers something, the files on S3 aren't at risk. You don't (and shouldn't) need to use your AWS root access keys for S3.

I have a similar setup with Amazon's Glacier: my standard access key has only list, upload, and retrieve permissions. A separate access key is required to delete files (I've configured my Glacier client, FastGlacier, to prompt me for a password when I switch to the "delete" key) so that I don't accidentally end up deleting important backups.

Re:Nuke it from orbit, then restore from backups.

[rahvin112]

If the keys are stored on the box in any way then they are compromised because the box is. The synology box is rooted, any information stored on that box is compromised. If for example your root key for S3 is backed up on the NAS then it's compromised.

People are glossing over this, if the box is rooted everything it knows and stores is compromised, that's how people need to be analyzing this instead of blowing it off as no big deal.

Re:Nuke it from orbit, then restore from backups.

[heypete]

If the keys are stored on the box in any way then they are compromised because the box is. The synology box is rooted, any information stored on that box is compromised. If for example your root key for S3 is backed up on the NAS then it's compromised.

Agreed. That's why you shouldn't use the root S3 access key for anything (in fact, don't generate one at all). Use service-limited, least-access keys for AWS accounts: there's no reason a NAS should have an access key capable of creating EC2 instances. It should have list+write access only to S3 (and/or Glacier). If users want to delete files from S3, they should have to log in with a different user (perhaps to the AWS console) and specifically do that.

Amazon provides good options in this regard, and it's too bad if users aren't taking advantage of them.

People are glossing over this, if the box is rooted everything it knows and stores is compromised, that's how people need to be analyzing this instead of blowing it off as no big deal.

In this specific case, the malware does not seem to want to steal user data, only to encrypt it and ransom it back to users. Sure, it could steal data, but it doesn't seem to do so. It's a big deal to those who are unprepared and don't have proper backups, but it could definitely be worse.

Re:Nuke it from orbit, then restore from backups.

[saleenS281]

It's not a reasonable question, because it's not the topic at hand. If you want a virtual machine running linux, go get a virtual machine running linux. This is about backup services. Synology S3 integration isn't a VM on amazon with rsync, it's Synology making native S3 api calls.

No, crashplan isn't a vm running linux with rsync, it's a backup service. If you bothered to spend 30 seconds clicking on either link, you'd have seen that. Instead you started babbling about "serious backups" using rsync which is completely and utterly inferior to the crashplan or s3 option for 99%+ of Synology's target market.

"Investagating"?

[fnj]

Really?

Re:"Investagating"?

[wonkey_monkey]

A've encrypted all the farst As (the nanth letter of the alphabet) an each word on Slashdot (except an sags). You must pay me sax mallion dollars to get them back.

Re:"Investagating"?

[Thanshin]

Well, they need gates. And gates aren't free.

Re:"Investagating"?

[wonkey_monkey]

Goddammit. There are three Is in "investigating."

*palmface*

RTFS

[hoboroadie]

Amazing! Somebody is paying attention.

Interesting

[rebelwarlock]

So between TOR and bitcoin, they think they finally have a viable method of collecting on ransomware. Also, I found it interesting that they're asking specifically for 0.6BTC - that is, double what Cryptolocker is asking. I wonder if there's an intentional correlation there.

Re:Interesting

[GNious]

My bit of pondering is whether that 0.6btc can be tracked/identified at companies handling bitcoins, and especially at companies converting between btc and real money?

Could you basically get the police (Europol/Interpol?) involved, and when a company reports that a user is trying to use/convert the btc you paid with, have that user charged with ransoming data, or taking stolen goods (i.e. either as the original thief, or as a fence)?

If the 0.6btc is acquired by the person via a laundry-service, charge him/her with engaging in activities meant to conceal the original crime?

Re:Interesting

[radarskiy]

Clearly, ransoms are Veblen goods.

Re:Interesting

[TangoMargarine]

Wasn't the whole objective of Bitcoin to create a system where you *couldn't* do that?

Re:Interesting

[GNious]

Bitcoins must, as far as I can tell, have something that identifies them; at the very least, you need to be sure that only 1 person mined a given coin (solved a given mathematical challenge), to avoid endless, easily mined coins.

Am starting to think one should investigate the possibility of making a blacklist of coins known to be acquired via illegal methods.

Re:Interesting

[TangoMargarine]

Rereading your post, it looks like you weren't implying the link between a person and a bitcoin userid like I thought. But still, part of the value of bitcoins is that there is no central authority to revoke your currency. Hence the use in black market applications etc.

Well, until that one group that has 50%+1 of the coins decides it wants to become that authority, I suppose.

Cheeky bastards

[CurryCamel]

From TFA: the message that pops up to the victims ends with:

Copyright 2014 SynoLocker(TM) All Rights Reserved.

I have a real hard time respecting that copyright...

Re:Cheeky bastards

[drinkypoo]

I have a real hard time respecting that copyright...

And yet you are still required by law to respect it, even though the act of creating and disseminating that code is illegal.

Update from Synology-sec issue patched 12/2013

[bhoar]

Updated posted 8/5/2014 by Jeremie on the English language Synology Forum: [We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.]

Re:Update from Synology-sec issue patched 12/2013

[bhoar]

Theory is that the DSM 5.0 looking background is a background image snapshot and what is displayed is a simpler webpage with just the countdown timer and links. Why program the payload as an actual DSM module when you can just put a much simpler webpage in place? Synology appears to think similarly, as they say one of the symptoms is that you didn't upgrade to 5.0 but the background looks like 5.0.

Re:Update from Synology-sec issue patched 12/2013

Also hopefully you have a newer version of the hardware. They EOL'd a bunch last year and people were not happy. In other words they get 4.0 and thats it. Think mine EOLs in 2 years.

I get that some want full control but shouldn't the default be to auto-install?
The upgrades have been haphazard from synology. They usually take 1-3 patches before they fix everything. Also sometimes they tell it to do 'scrubbing'. Which then has the effect of overheating the drives. Then people lose their data and blame the patch. Many have got stuck also in the 'indexing' issue. The cpu goes to 100% and then sits there digging thru the files doing something (no one is really sure).

I usually wait a couple of weeks then patch. I have seen too many people on their forums lose their entire array. I do not feel like restoring that much data any time soon.

They are also using a 2.6.30ish kernel. You know from about 3-4 years ago... So all those ext4 updates have not been put in there. When I saw that I thought do not think I will be using the openssh tool they put into this thing. Maybe on my router where rmerlin and asus have been keeping it up to date...

But for a plug and play nas they are way cool... Use mine everyday.

Re:Update from Synology-sec issue patched 12/2013

[bhoar]

Hmm, reading more, I think I'm fully or partly wrong about what's going on with the background, since synology states in the updated post that the symptom is that you were running 4.3 or earlier, but now you've got the extortion message and DSM reports it is 5.0. Apologies for posting that last message before I knew what I was talking about.

Re:Update from Synology-sec issue patched 12/2013

[MachDelta]

[quote]Unlike a desktop OS, browser, or other software, the DiskStation does not normally remind you to do this. You have to check manually.[/quote]
It's trivially easy to set up a Synology NAS to email/sms/skype/etc you about both OS and package upgrades being available, at least on the versions of DSM I've used.

Re:Update from Synology-sec issue patched 12/2013

[Arkh89]

Unlike a desktop OS, browser, or other software, the DiskStation does not normally remind you to do this.

My NAS on DSM 5 popups the update window shortly after connecting if a new update is available...

Re:What a load of FUD!

[Fringe]

That's not entirely fair. That's still a pretty recent version - if you purchase from Amazon or NewEgg you have a good bet of getting it even on an x14 model, and certainly will get that or older on any other model - and there's no "Automatic Update" mechanism on Synology systems. Plus they're essentially storage appliances; users aren't expected to log into and manage them frequently. And the feature that seems to put people at risk is a selling point of the device.

I'm not bashing Synology; I have two Syns running in my system (both current, both firewalled, neither has the rumored susceptible port open, neither infected.) But you're not spending enough time around regular people if you think people expect to be logging into the admin screen of their external hard drive - or their fridge, toaster oven or coffee maker - frequently to check for updates. ;)

Not a Zero Day

[JamieKitson]

There is no mention in the article of this being a zero day vulnerability, in fact the article specifically says "it’s not clear yet how SynoLocker’s operators installed the malware".

As others have said Synology is reporting the vulnerability was patched in December. Hardly a zero day.

Re:What a load of FUD!

[h2okies]

There is however the constant Nag from Synology to upgrade to the latest versions that system automatically kicks out to you along with the emails they send about the current patches that they recommend you apply to your system. No one auto-patchs NAS devices as bad things can happen to peoples data.

/.ed

[simplypeachy]

Forum post so far:

Hello Everyone,

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/supp....

-When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
-A process called “synosync” is running in Resource Monitor.
-DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
-For DSM 4.3, please install DSM 4.3-3827 or later
-For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
-For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/suppor....

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

Apologies for any problems or inconvenience caused. We will keep you updated with latest information as we address this issue.

Article needs a rewite, simple, yet just the same.

[Trax3001BBS]

As for the article...

First part says "According to the user, there’s a small window of opportunity to minimise the damage. That is, if you can backup files faster than the program encrypts them."

Then buried where many don't wonder (towards the end, it mentions "1) Power off the DiskStation immediately to avoid more files being encrypted"

I would think the wise thing would be to exchange the location of the two sentences. least you have some would be hero actually try to find where to start saving at.

Re:What a load of FUD!

[Dutch+Gun]

A NAS device is not a toaster. It's a file server running a lightweight but fully-featured operating system. You don't need to be a professional network administrator, but you do need to be careful enough to at least check in regularly for updates. One presumes such hardware was purchased because you had valuable data you wished to manage or protect. Honestly, a NAS is really not a purchase for "normal" people. Power-users and up, I'd say, are the minimum personnel requirements.

Even so, Synology machines are not hard to patch. They download OS updates automatically by default. All you have to do is log in via the administration page once in a while and click the "update" button, since it pops up right on the page after it sees you have an update to install. And every update has a link right next to it that points to a web page detailing exactly what changed or what was fixed. I'd suppose the reason there's no "auto-update" is because an update requires a 5-10 minute patch and reboot cycle, and you generally don't want your file server automatically rebooting at it's own convenience.

I'm presuming (since information is a bit scarce) that users either failed to patch their machines for six months or longer due to neglect, or they made a deliberate choice not to do so for some reason, yet kept their internet-facing services wide open (note that these are not installed or enabled by default). Unfortunately, that's pretty much a guaranteed recipe for an attack of this sort. It's a crappy way to have to learn a lesson.

Re:What a load of FUD!

[SuiteSisterMary]

and there's no "Automatic Update" mechanism on Synology systems.

Mine nags me every time there's an update released. There's no unattended update option, but that makes sense for a NAS.

Re:Nothing to see here

[hawkinspeter]

Why don't you just restore from your offsite backup?

Re:Windows

[hawkinspeter]

I don't think many manufacturers made network equipment that ran on Windows, so it's not that useful to compare their relative security in this instance. Also, "more secure" is not a synonym of "perfectly secure". You may also note that this ransomware targets an older firmware that has since been patched.

Synology history of security vulnerabilities

[zerofoo]

A while back synology had a problem with unauthorized bitcoin miners running on their devices:

http://www.cvedetails.com/vuln...

There seems to be a culture of fast and loose with regards to software development at Synology.

I love my Synology NAS, but you have to be nuts to put these things on the internet.

Re:What a load of FUD!

[Just+Some+Guy]

That's still a pretty recent version - if you purchase from Amazon or NewEgg you have a good bet of getting it even on an x14 model, and certainly will get that or older on any other model - and there's no "Automatic Update" mechanism on Synology systems. [...]

I'm not bashing Synology; I have two Syns running in my system

I'm having a hard time reconciling those statements because it doesn't match my experience at all. First, it's my understanding that all Synologys come "bare" and you have to download and install the OS when you first power them on. My DS412+ that I bought a couple of months ago certainly did. It's initial boot gave me a web page with instructions for downloading and installing the most recent OS version.

Second, Synologys don't automatically reboot themselves, but can easily be configured (as in truly easily, right through the settings UI) configured to email you every time a new OS comes out. Perhaps that should be required, though, before allowing you to enable external services.

Re:If you know you need a NAS, why buy it?

[Strider-]

There's plenty of free options out there, if you really need that much storage, you need to care how it works and how well.

Sure, but the free options generally don't come in something the size of a shoe-box, with nearly silent fans, and 8 hot-swappable drive bays. Besides, as others have said, I've got better thigns to do with my time than futz around with mass storage.

Re:Nothing to see here

[tepples]

Why don't you just restore from your offsite backup?

Airfare would probably be just as expensive.

Dyslexia makes things more interesting

[r_jensen11]

Here I was, reading the headline as:

Synolocker 0-Day Ransomware Puts NSA Files At Risk

If only....

Re:If you know you need a NAS, why buy it?

[Just+Some+Guy]

It has a huge Wife Acceptance Factor, for one. We have iPhone apps that let you select any of the movies I've ripped onto it and play them back directly to our Apple TV (or any of another of settop boxes). Throw music onto it and the songs show up in iTunes for people on our LAN. Save a file to a certain folder on our laptop home directories and it gets synced to the NAS (ala Dropbox), made available on our iPads, then backed up to Amazon Glacier.

In short, it does everything you'd ever want a NAS to do but smoothly and nicely. My DS412+ replaced the FreeBSD system I'd assembled and installed from scratch, because there's other stuff I'd rather be doing and because I couldn't possibly make the experience as pleasant as Synology has.

Re:Oh! NAS files, not NSA files

[I_Lost_My_Puppy]

Damn, moderation fail