SynoLocker: Ransomware for Synology NASes

Eug

Lifer
Mar 11, 2000
24,142
1,791
126
Ouch:

http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

NAS and storage server manufacturer Synology sends word this afternoon that they are informing their customers of a currently ongoing and dangerous ransomware attack that is targeting Synology devices.

Dubbed SynoLocker, the ransomware is targeting Internet-exposed Synology servers and utilizing a hitherto-unknown exploit to break into those systems. From there SynoLocker engages in a Cryptolocker-like ransom scheme, encrypting files stored on the server and then holding the key ransom. The attackers are currently ransoming the key for 0.6 Bitcoins (roughly $350 USD), a hefty price to pay to get your files back.

At this time only a portion of Synology servers are affected. Along with being Internet-exposed, Synology has confirmed that SynoLocker attacks servers running out of date versions of DSM 4.3 (Synology’s operating system). Meanwhile they are still researching as to whether the newer DSM 5.0 is affected as well.
 

Eug

Update (08/05/2014):

Synology has finished analyzing the exploit and confirmed which versions of DSM are vulnerable. The vulnerability in question was patched out of DSM in December of 2013, so only servers running significantly out of date versions of DSM appear to be affected.

In summary, DSM 5.0 is not vulnerable. Meanwhile DSM 4.x versions that predate the vulnerability fix – anything prior to 4.3-3827, 4.2.3243, or 4.0-2259 – are vulnerable to SynoLocker. For those systems that are running out of date DSM versions and have not been infected, then updating to the latest DSM version should close the hole.
 

sao123

Lifer
May 27, 2002
12,653
205
106
Wonder how this vulnerability is exploited... my Synology is only available on the web as a forwarded SFTP port... no other services are enabled.

Hmm more research needed.
 

Eug

I just closed up all my remaining open ports on the router, except for the few individual ports needed to access my security cams. No port ranges, and no ports that would be used by the NAS. I assume that should be sufficient.

According to this page, these ports should remain closed:

For the time being, owners of Synology devices should make sure that they are not directly reachable from the Internet, for example by configuring firewall rules on their router. In particular, the following ports should not be accessible from the Internet: 5000, 5001, 21, 22, 23, 80 and 443.

That's quite inconvenient for those who want access to the unit remotely. 5000 and 5001 for example are the main ports for the Synology mobile and web applications. Not a major issue for me though.
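
The two checks discussed in this thread, as an added example that is not from any poster, AnandTech, or Synology: it classifies a DSM version against the fixed builds quoted above and lists which of the advisory's ports accept TCP connections on an address you own. The function names and the "major.minor-build" version string format are assumptions.

```python
import re
import socket
import sys

# First fixed build per DSM 4.x branch, as quoted in the thread.
FIXED_BUILD = {(4, 3): 3827, (4, 2): 3243, (4, 0): 2259}
# Ports the quoted advisory says should not be reachable from the Internet.
ADVISORY_PORTS = (5000, 5001, 21, 22, 23, 80, 443)


def dsm_status(version):
    """Classify a DSM version such as '4.3-3810' (string format is an assumption)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)[-.](\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised DSM version: {version!r}")
    major, minor, build = map(int, m.groups())
    if (major, minor) == (5, 0):
        return "not vulnerable"  # per the 08/05/2014 update
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        return "unknown"  # branch not covered by the thread
    return "vulnerable" if build < fixed else "not vulnerable"


def reachable_ports(host, ports=ADVISORY_PORTS, timeout=2.0):
    """Return the ports from `ports` that accept a TCP connection on `host`."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered (timeout) or unroutable
            pass
    return found


if __name__ == "__main__":
    # Usage: python check_nas.py <your-own-address> <dsm-version>
    host, version = sys.argv[1], sys.argv[2]
    print(f"DSM {version}: {dsm_status(version)}")
    exposed = reachable_ports(host)
    print("reachable advisory ports:", exposed or "none")
```

Run the port check from a network outside your LAN against your own public address; from inside the LAN it shows what the NAS listens on, not what the router forwards.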