Synology disk HACKED (Synolock)


Postby k.salo » Sun Aug 03, 2014 10:03 am

My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on the Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by file. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files were copied I turned off my disk.

I have also tried to use the hard reset button on the disk as described in your documents. I wanted to just reinstall the OS. But the Diskstation did not respond properly to the button.

Hope you soon find a solution so I can save the rest of the files.



Other disks are also infected:

http://www.av100fun.com/viewtopic.php?f ... &sk=t&sd=a

Re: Synology disk HACKED (Synolock)

Postby maxxfi » Sun Aug 03, 2014 11:35 am

From the description and the name, it seems they made a customized version of the notorious Cryptolocker virus for Synology stations (which BTW makes total sense, as a NAS is a place where important documents are often collected).

If you haven't done it yet, please DO report it to Synology, e.g. via their web form (they have a special flag to report security issues) or by email to security AT synology dot com.
DS-411 (DSM 4.3-3827u5) w/ 2x WD20EFRX + 1x WD10EFRX
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI

Re: Synology disk HACKED (Synolock)

Postby MikeEvangelist » Sun Aug 03, 2014 5:12 pm

Got me too. Sent notes via the Synology support form and to the security email address. Luckily I have a backup. But sucks nevertheless.

Diskstation hacked by Onion ransomware

Postby MikeEvangelist » Sun Aug 03, 2014 5:22 pm

So far, the data is still accessible over the network, but no way to get to admin functions.

The admin GUI is replaced with a ransomware page.

Anyone else hit with this?

PS - I reported it to Synology via the web support page and to their security at synology dot com address. Hopefully they'll have some ideas.

Re: Synology disk HACKED (Synolock)

Postby Lemansky » Sun Aug 03, 2014 6:56 pm

I have the same issue, contacted Synology support this morning and they are trying to help with it at the moment, have been in email conversation with them. Definitely report it as soon as you can!

Re: Synology disk HACKED (Synolock)

Postby magicm1ke » Sun Aug 03, 2014 7:17 pm

K.Salo,

I had a customer of mine get attacked yesterday with the same issue. We have a small business and use a DS1513+ with DSM 4.3-3810. We could not open any files. They were all corrupt or damaged. We rebooted and received the Synolocker message and could not access the DSM other than the message. I am familiar with ransomware but never this one. I googled to find nothing. Today there are 8 results on Google. I even searched TOR but nothing. I immediately emailed Synology security. Here is a step I have performed to get back into DSM. My files are still locked.

Here is how you do it:
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition or the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.

I received email today from Synology that they are aware and looking into the issue.

Thanks
Mike
Last edited by magicm1ke on Mon Aug 04, 2014 3:00 pm, edited 1 time in total.

Re: Synology disk HACKED (Synolock)

Postby k.salo » Sun Aug 03, 2014 9:11 pm

Thanks to Synology for fast support. I sent them an email and got help. They can of course not decrypt the files, but they helped me to reinstall DSM. The trick is to restart the Diskstation WITHOUT the hard drives. Then after a short while you can insert your HDDs and use Synology Assistant to reinstall DSM. I guess Synology support will give us more info about this.

I was going to halt the system before the installation so that Synology could have a look at my system before I installed the new DSM. I forgot to halt the system so now I can't help them. If someone still hasn't updated, I know that Synology is interested in inspecting your diskstation so they can see what an infected DiskStation looks like.

Re: Synology disk HACKED (Synolock)

Postby iknowtech » Sun Aug 03, 2014 9:18 pm

What version of DSM were you running?

What services/ports were available outside your firewall?

What if any of the Synology security features did you have in place?

This type of info might help others avoid the issue.

Diskstation Hacked by SynoLocker

Postby susujeeps » Mon Aug 04, 2014 6:12 am

Hi Technical Support,

Suspect Synology disk-station has been compromised!!!

So far, I have received calls from 3 customers saying they can’t open their data files in their local network!

I noticed one of the disk-stations was compromised this past 'Saturday 02/08/14 08:20pm'.
I have screened through all folders and found that as long as any 'originated files' have not been modified on the same date 'Saturday 02/08/14 08:20pm', they are still {safe}. I strongly suggest moving them to another folder or backing them up to another location immediately.

Unfortunately, when I tried to log in to one of the disk-station admin pages, it pointed to a hijack page, SynoLocker! No way to attach a screenshot of the hijack page here for reference.
I tried resetting this disk-station by pressing the reset button behind, it didn't help!

Any quick advice on how to get back the admin page will be most appreciated.

Best regards,
susuj
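
The triage described in the post above, sketched as an added example that is not part of the original thread: walk a mounted share read-only, separate files whose modification time is earlier than the reported compromise time from those changed at or after it, and copy only the first group to a separate disk. The cutoff is taken from the post and read as local time; the mount point and function names are hypothetical, and mtime is a heuristic only, since any process with write access can set it.

```python
import os
import shutil
from datetime import datetime
from pathlib import Path

# Cutoff from the post above ('Saturday 02/08/14 08:20pm'), read as
# 2 Aug 2014 20:20 in the local time zone of this machine (assumption).
CUTOFF = datetime(2014, 8, 2, 20, 20).timestamp()


def triage(share_root, cutoff=CUTOFF):
    """Split files under share_root by mtime: (untouched, suspect, unreadable)."""
    untouched, suspect, unreadable = [], [], []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:  # broken link, permission error, share dropped
                unreadable.append(path)
                continue
            (untouched if mtime < cutoff else suspect).append(path)
    return sorted(untouched), sorted(suspect), unreadable


def rescue(share_root, dest_root, cutoff=CUTOFF):
    """Copy untouched files to dest_root, keeping relative paths and mtimes.

    The source is only read, never written. Returns the copied paths.
    """
    untouched, _suspect, _unreadable = triage(share_root, cutoff)
    copied = []
    for src in untouched:
        dst = Path(dest_root) / src.relative_to(share_root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.copy2(src, dst)  # copy2 preserves the original mtime
        except OSError:
            continue  # file locked or share dropped; retry on a later pass
        copied.append(dst)
    return copied


if __name__ == "__main__":
    # Hypothetical mount point; adjust to where the share is mounted.
    ok, bad, err = triage("/mnt/nas_share")
    print(f"{len(ok)} untouched, {len(bad)} modified since cutoff, {len(err)} unreadable")
```

Files in the suspect group are left in place for later inspection rather than copied over a good backup.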

Re: Diskstation Hacked by SynoLocker

Postby Puzzle » Mon Aug 04, 2014 6:57 am

Hello susujeeps

That might help you:
http://www.cso.com.au/article/551527/sy ... s_devices/

Also I really recommend that you open a ticket with Synology tech support.

Re: Synology disk HACKED (Synolock)

Postby SKL » Mon Aug 04, 2014 7:08 am

I got the same problem. My NAS was running abnormally at night (expected there should be low CPU usage). Therefore, I turned it off. After I restarted it this morning, I found the admin page is hijacked and saying the files in the NAS had been encrypted. Can't log in to the page, no login from SSH. Can't log in via DS disk station apps.

However, I can connect to it via my Mac mini. Some of the files are still accessible. Since I need to work, I need to check it later.

My NAS is a DS213j
DSM version 4.3

Re: Synology disk HACKED (Synolock)

Postby Yorkie71 » Mon Aug 04, 2014 7:16 am

Yes it would be useful to have an idea of DSM version and what ports were open. I assume there must have been some open. Were they the common ports that get attacked; 80, 22 etc?

Re: Synology disk HACKED (Synolock)

Postby herrmc » Mon Aug 04, 2014 7:32 am

- I have a DS212J that has been hacked... I have not reset it yet...

- It is located in a remote datacenter, will not have physical access to it until tomorrow...

Re: Synology disk HACKED (Synolock)

Postby herrmc » Mon Aug 04, 2014 8:16 am

- I do not know what version DSM -- it is not used much.... was simply a test box we played with
- Ports open were 80,443,22,5000

--- I notice that the Synology is sending out packets to 194.1.247.250 tcp port 9555 .... I have completely cut the synology off from online


herrmc wrote:
- I have a DS212J that has been hacked... I have not reset it yet...

- It is located in a remote datacenter, will not have physical access to it until tomorrow...

Re: Synology disk HACKED (Synolock)

Postby SKL » Mon Aug 04, 2014 9:06 am

SKL wrote:
I got the same problem. My NAS was running abnormally at night (expected there should be low CPU usage). Therefore, I turned it off. After I restarted it this morning, I found the admin page is hijacked and saying the files in the NAS had been encrypted. Can't log in to the page, no login from SSH. Can't log in via DS disk station apps.

However, I can connect to it via my Mac mini. Some of the files are still accessible. Since I need to work, I need to check it later.

My NAS is a DS213j
DSM version 4.3


More details: if there is no official new DSM update in 2014, I guess I am using the latest one. And I used the packages in Package Center, so no other software is installed. SSH, WEB, MySQL, Mail server and git are enabled. Auto block for 5 invalid passwords is also enabled to block those IPs.

Hope it helps people with the investigation
