SynoLocker Ransomware Affecting Synology DiskStation


Postby Jeremie » Mon Aug 04, 2014 4:34 pm

[Update: 5/8/2014]

Hello Everyone,

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php.

-When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
-A process called “synosync” is running in Resource Monitor.
-DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
-For DSM 4.3, please install DSM 4.3-3827 or later
-For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
-For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

Apologies for any problems or inconvenience caused. We will keep you updated with latest information as we address this issue.
Jeremie
Synology Inc
Posts: 662
Joined: Wed Apr 25, 2012 2:22 am
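
The version guidance and symptom list in the announcement above, written as a triage check over a device inventory. This is an added example, not part of the original post and not Synology's code; the function names, status strings and inventory entries are constructed for illustration.

```python
import re

# Fixed release per DSM branch, as listed in the announcement above.
FIXED = {(4, 3): (4, 3, 3827), (4, 2): (4, 2, 3243),
         (4, 1): (4, 2, 3243), (4, 0): (4, 0, 2259)}
LAST_AFFECTED = (4, 3, 3810)  # "DSM 4.3-3810 or earlier"

def parse_dsm(text):
    """Return (major, minor, build) from strings such as 'DSM 4.3-3827u5'."""
    m = re.search(r"(\d+)\.(\d+)-(\d+)", text)
    if m is None:
        raise ValueError(f"no DSM version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version_text, processes=(), update_page_says_latest=False,
           ransom_screen=False):
    """Map one NAS to the action the announcement gives for it."""
    ver = parse_dsm(version_text)
    symptoms = []
    if ransom_screen:
        symptoms.append("ransom screen at DSM login")
    if "synosync" in processes:
        symptoms.append("synosync process running")
    if ver <= LAST_AFFECTED and update_page_says_latest:
        symptoms.append("old build but DSM Update reports latest")
    if symptoms and ver <= LAST_AFFECTED:
        return "shut down, contact support", symptoms
    if symptoms:
        return "report to security@synology.com", symptoms
    if ver[0] >= 5:
        return "not observed as affected", []
    target = FIXED.get(ver[:2])
    if target is None:
        return "branch not covered by the announcement", []
    if ver < target:
        return "update", ["install DSM %d.%d-%d or later" % target]
    return "at or above fixed build", []

# Constructed inventory: (name, DSM string, process names, update page says latest)
INVENTORY = [
    ("nas-a", "DSM 4.3-3810", ["synosync", "smbd"], True),
    ("nas-b", "DSM 4.3-3827u5", ["smbd"], True),
    ("nas-c", "DSM 4.1-2668", ["smbd"], False),
    ("nas-d", "DSM 3.0-1357", [], False),
]

if __name__ == "__main__":
    for name, version, procs, latest in INVENTORY:
        print(name, version, *triage(version, procs, latest))
```

Branches older than DSM 4.0 have no fixed build listed in the announcement, so the check reports them separately instead of guessing a target version.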

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby william.chuang » Mon Aug 04, 2014 4:39 pm

This is too little, too late.
william.chuang
Trainee
Posts: 18
Joined: Sat Dec 26, 2009 2:05 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby kevinnn » Mon Aug 04, 2014 4:48 pm

Jeremie wrote: Hello Everyone,
What should you do?

What should we do if NOT affected?
Is it safe to keep CloudStation running?
kevinnn
I'm New!
Posts: 9
Joined: Sun Jun 08, 2014 7:50 pm

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby frason » Mon Aug 04, 2014 4:53 pm

This is pretty ridiculous, tell us what has been compromised so anyone out there not affected can take preventive actions.

Thanks
frason
I'm New!
Posts: 6
Joined: Sun Dec 02, 2012 11:10 pm

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby william.chuang » Mon Aug 04, 2014 5:05 pm

If you have not been hacked yet, you should immediately change your router to stop forwarding Internet traffic to your Synology. Make sure that you have a backup of all data on your Synology. Upgrade to the latest DSM. If you need remote access to your files, change your Synology password to something really complex. Change the default port in your router from 5000 and 5001. Make the External Port something crazy like 18237 then forward that to 5000 or 5001 internally.

You have to plan on removing all remote access from your Synology and plan on using OpenVPN to access your files.
william.chuang
Trainee
Posts: 18
Joined: Sat Dec 26, 2009 2:05 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby john2012 » Mon Aug 04, 2014 5:21 pm

Just got home, and not affected. But I was not that worried as all important docs on my Synology are also backed up with CrashPlan to the cloud with versioning. So could have gotten it back in all cases. Just shows that you should never trust a single location for storage.
john2012
I'm New!
Posts: 1
Joined: Sat Oct 26, 2013 7:01 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby ethuesen » Mon Aug 04, 2014 5:28 pm

kevinnn wrote: What should we do if NOT affected?

Keep a backup of all your files.

I would like to ask Synology three questions:
1. Has anyone actually reported an incidence to security@synology.com?
2. In case someone has, have you managed to get hands on an infected NAS?
3. What do you know so far about SynoLocker? Do you know how it gets into the system?
Last edited by ethuesen on Mon Aug 04, 2014 5:54 pm, edited 3 times in total.
NAS: DS 412+ with 4x3TB WD Red (RAID 5 + spare)
UPS: APC CS 500
Router: Cisco RW220w
Stuff: Retina MBP, iPad and iPhone..
ethuesen
Versed
Posts: 223
Joined: Sun May 06, 2012 11:44 pm
Location: Denmark

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby kstrauser » Mon Aug 04, 2014 5:28 pm

To clarify: use a VPN not provided by your Synology NAS. If it turns out that the problem is with DSM's VPN implementation, that would actually make the situation worse.
kstrauser
Trainee
Posts: 18
Joined: Mon May 26, 2014 8:26 pm

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby myleftbollock » Mon Aug 04, 2014 5:41 pm

And what about those using their Synology as a mail server? - turning off public access isn't ideal as those users could miss emails.

@Synology: Is it yet known which component/service is vulnerable?


Affected users:
  • What services were publicly accessible?
  • Were weak passwords being used on DSM user accounts for those serving DSM (5000 or 5001) to the internet?
  • Was the primary protocol for accessing DSM directly over the internet HTTP or HTTPS?
  • Were you using DSM firewall rules?

What may be simpler is listing the pin-holed ports on your fw/Router.

I think Synology should state ASAP whether this attack vector is potentially via their Quickconnect service. Perhaps one of their intermediary nodes has been compromised?

I won't publish my config for infosec reasons.
Last edited by myleftbollock on Mon Aug 04, 2014 5:49 pm, edited 1 time in total.
meh.
myleftbollock
Trainee
Posts: 18
Joined: Tue Jan 31, 2012 2:17 pm
Location: UK

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby william.chuang » Mon Aug 04, 2014 5:45 pm

I believe that the problem is with DSM 4.xx because my systems with DSM 5.xx were not compromised. If you are running the system as a mail server, you're probably keeping everything up to date.

The fallout from this is that Synology should allow users to enable auto-update of the Synology. This might increase their customer-support costs from borked updates, but at the same time, stuff like this would not happen. At the very least, Synology has to use its registration emails to alert users as to updates with security vulnerabilities.
william.chuang
Trainee
Posts: 18
Joined: Sat Dec 26, 2009 2:05 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby antenne » Mon Aug 04, 2014 5:52 pm

ethuesen wrote: 1. Has anyone actually reported an incidence to security@synology.com?

I'm not Synology, but yes, at least I did report this.

ethuesen wrote: 2. In case someone has, have you managed to get hands on an infected NAS?

Synology has not contacted me yet, but I have an infected NAS here, which I unplugged while encrypting. It has not been turned on since. So, if someone from Synology wants access, be my guest.

Since many people seem to be interested: I am running DSM 4.3 and had ports 5000, 5001, 5006 and 6690 forwarded from my router, mostly to access CloudStation from outside (not saying that this is the entry point, I am as clueless as everyone else).
antenne
I'm New!
Posts: 5
Joined: Tue May 01, 2012 2:16 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby myleftbollock » Mon Aug 04, 2014 5:55 pm

@antenne,

Did you regularly log in to DSM over 5000 unencrypted?
Do any of the accounts with Cloudstation access have weak passwords?

edit: Do _any_ accounts have weak passwords? also, was quickconnect configured?
meh.
myleftbollock
Trainee
Posts: 18
Joined: Tue Jan 31, 2012 2:17 pm
Location: UK

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby antenne » Mon Aug 04, 2014 6:06 pm

myleftbollock wrote: Did you regularly log in to DSM over 5000 unencrypted?

If, then only using https.

myleftbollock wrote: Do _any_ accounts have weak passwords?

Since multiple people use it, how shall I know? There should not have been any, but I can't exclude it.

myleftbollock wrote: was quickconnect configured?

No.
antenne
I'm New!
Posts: 5
Joined: Tue May 01, 2012 2:16 am

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby maxxfi » Mon Aug 04, 2014 6:06 pm

antenne wrote: Since many people seem to be interested: I am running DSM 4.3 and had ports 5000, 5001, 5006 and 6690 forwarded from my router

May I ask you a couple of details?
- Were you running the latest 4.3 version, including the Updates (i.e. 3827 Update 3) ?
- Were you using one of those X.synology.me DDNS domain names to reach your station?
DS-411 (DSM 4.3-3827u5) w/ 2x WD20EFRX + 1x WD10EFRX
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
maxxfi
Programmer
Posts: 5792
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland

Re: SynoLocker Ransomware Affecting Synology DiskStation

Postby Richard - CCWH » Mon Aug 04, 2014 6:07 pm

What's up for "old Syno", like model running DSM 3.1 ??
Richard - CCWH
Apprentice
Posts: 80
Joined: Sun Apr 20, 2008 10:00 pm
Location: France - Richwiller
