Synolocker 0-Day Ransomware Puts NAS Files At Risk

Deathlizard (115856) writes "Have a Synology NAS? Is it accessible to the internet? If it is, You might want to take it offline for a while. Synolocker is a 0-day ransomware that once installed, will encrypt all of the NAS's files and hold them for ransom just like Cryptolocker does for windows PC's. The Virus is currently exploiting an unknown vulnerability to spread. Synology is investigating the issue."

This is how we learn

not to connect your NAS directly to the internet.

Re:This is how we learn

[jonwil]

It should be attached to a network fire-walled off from the Internet and only accessible if you are on the local LAN.

Re:This is how we learn

[rikkards]

Kind of defeats the cloud feature on Synology NAS doesn't it? Granted you should have it firewalled off except for the specific port it needs.

Re:This is how we learn

[spacefight]

What if the attack surface is the "port it needs"?

Re:This is how we learn

[SuricouRaven]

When did 'server full of hard drives' turn into 'cloud storage?'

The useful thing about the cloud is that no-one knows what it actually is, so any company is free to call their product cloud-based without contest.

Re:This is how we learn

[FireFury03]

Well, by the original usage, a server full of drives would not be "cloud storage"

I want to dispute this - I had a server full of drives that I bought to be my "cloud storage". But when I tried to store my cloud in it, it started to leak out of the server. I ended up with a messy pool of water on the floor and a ruined server!

Re:This is how we learn

[ShaunC]

The useful thing about the cloud is that no-one knows what it actually is, so any company is free to call their product cloud-based without contest.

Reminds me of the quote about "big data" being like sex in high school. Nobody's really sure what it is, but everyone thinks that everyone else is doing it, so everyone says they're doing it, too.

Re:This is how we learn

[AmiMoJo]

It basically runs a dynamic DNS client that lets you connect to your NAS away from home, via a web site. For this to work it must accept connections through your firewall, which it uses UPnP to set up.

Re:Nuke it from orbit, then restore from backups.

Of course. But they are on another similar box connected to the internet of things which was crypted earlier.

Re:Nuke it from orbit, then restore from backups.

[Noughmad]

Backup? What do people usually use NAS for, I always thought it's mostly for ripped/torrented movies and backups of other computers. Neither of these need backups.

Re:"Investagating"?

[wonkey_monkey]

A've encrypted all the farst As (the nanth letter of the alphabet) an each word on Slashdot (except an sags). You must pay me sax mallion dollars to get them back.

Interesting

[rebelwarlock]

So between TOR and bitcoin, they think they finally have a viable method of collecting on ransomware. Also, I found it interesting that they're asking specifically for 0.6BTC - that is, double what Cryptolocker is asking. I wonder if there's an intentional correlation there.

Re:Nuke it from orbit, then restore from backups.

[Thanshin]

The deluxe edition comes with an eye-patch. They initially offered a parrot, but there where some shipment incidences*.

*: There's still some debate about the actual status of the parrots upon arrival. Synology insists on the parrots' being alive, but there have been customer reports on the parrots being: "passed on", "no more", "ceased", "expired and gone to meet it's maker", "a stiff", "Bereft of life", "resting in peace", among others.

Re:Nuke it from orbit, then restore from backups.

[Dutch+Gun]

My Synology NAS is my home-based business' file server, a local machine backup (for my development machine and my digital audio workstation), and a media server for my ripped DVDs and Blurays, although this third function is just a nice bonus for me. Synology NAS devices have a very handy cloud backup application as well, which I use to backup all my most critical files to Amazon S3 services. I hope most people made use of this, because if Cryptolocker has taught us anything, it's that you absolutely need offsite backups that are NOT connected to your network.

I bought it specifically because it makes it easy to set up a multi-tiered backup strategy like that - something that takes on new importance when you spend a few years writing code on your own dime. As a file server, it's fantastic for small operations. I had a drive begin to fail last year, and so had a chance to test out the hot-swapping / RAID rebuilding feature. Worked like a charm - was super simple and zero down-time.

Personally, I've never once considered opening up my NAS to the outside internet. That always seemed crazy risky to me - after all, a single software mistake, a buffer overrun in a protocol stack of some sort, and *poof*, there's direct access to your file server and all it's critical data. I guess sometimes being paranoid pays off, but it gives me no pleasure to say so.

Cheeky bastards

[CurryCamel]

From TFA: the message that pops up to the victims ends with:

Copyright 2014 SynoLocker(TM) All Rights Reserved.

I have a real hard time respecting that copyright...

Re:Cheeky bastards

[drinkypoo]

I have a real hard time respecting that copyright...

And yet you are still required by law to respect it, even though the act of creating and disseminating that code is illegal.

Update from Synology-sec issue patched 12/2013

[bhoar]

Updated posted 8/5/2014 by Jeremie on the English language Synology Forum: [We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.]

Re:Update from Synology-sec issue patched 12/2013

[bhoar]

Hmm, reading more, I think I'm fully or partly wrong about what's going on with the background, since synology states in the updated post that the symptom is that you were running 4.3 or earlier, but now you've got the extortion message and DSM reports it is 5.0. Apologies for posting that last message before I knew what I was talking about.

/.ed

[simplypeachy]

Forum post so far:

Hello Everyone,

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/supp....

-When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
-A process called “synosync” is running in Resource Monitor.
-DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
-For DSM 4.3, please install DSM 4.3-3827 or later
-For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
-For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/suppor....

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

Apologies for any problems or inconvenience caused. We will keep you updated with latest information as we address this issue.

Re:What a load of FUD!

[Dutch+Gun]

A NAS device is not a toaster. It's a file server running a lightweight but fully-featured operating system. You don't need to be a professional network administrator, but you do need to be careful enough to at least check in regularly for updates. One presumes such hardware was purchased because you had valuable data you wished to manage or protect. Honestly, a NAS is really not a purchase for "normal" people. Power-users and up, I'd say, are the minimum personnel requirements.

Even so, Synology machines are not hard to patch. They download OS updates automatically by default. All you have to do is log in via the administration page once in a while and click the "update" button, since it pops up right on the page after it sees you have an update to install. And every update has a link right next to it that points to a web page detailing exactly what changed or what was fixed. I'd suppose the reason there's no "auto-update" is because an update requires a 5-10 minute patch and reboot cycle, and you generally don't want your file server automatically rebooting at it's own convenience.

I'm presuming (since information is a bit scarce) that users either failed to patch their machines for six months or longer due to neglect, or they made a deliberate choice not to do so for some reason, yet kept their internet-facing services wide open (note that these are not installed or enabled by default). Unfortunately, that's pretty much a guaranteed recipe for an attack of this sort. It's a crappy way to have to learn a lesson.