Free Republic

SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices
CSO | 04 August, 2014 09:53 AUS | Liam Tung (CSO Online (Australia))

Posted on 08/05/2014 10:42:14 AM PDT by Utilizer

Synology network attached storage (NAS) devices, capable of storing terabytes of data, have been targeted by ransomware that encrypts victims’ files.

Owners of Synology's NAS devices might want to unplug their storage boxes now to avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.

The new attack on Synology kit comes within a year of Synology NAS devices being struck by fraudulent Bitcoin mining operators, with several owners on Sunday reporting that they had found a message from the “SynoLocker Automated Decryption Service” — when accessing the main page of the Web-server for their NAS device — stating that “all important files on this NAS have been encrypted using strong cryptography”.

As one victim on Synology’s English user forum commented, the SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, which at today’s exchange rate is around USD$350. According to the user, there’s a small window of opportunity to minimise the damage. That is, if you can back up files faster than the program encrypts them.

(Excerpt) Read more at cso.com.au ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: bitcoin; bitlocker; computing; cryptolocker; encryptor; extortion; fraud; hacking; nas; ransomware
If you have an internet-accessible NAS made by Synology you are cautioned to take it offline for a bit. A new version of the Cryptolocker virus is appearing as a 0-day exploit and the company is scrambling to fix the vulnerability.

Only this company hit so far but other NAS owners might wish to take a look at the article and consider taking their units offline for a bit as well until this new exploit is delved further into.

1 posted on 08/05/2014 10:42:15 AM PDT by Utilizer

To: Utilizer

Cryptolocker stores the key they used to encrypt the drive on the workstation in a clear text file.


2 posted on 08/05/2014 10:55:22 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: driftdiver

That’s helpful. So this is much ado about nothing? I note in the comments section of the article that people have paid the ransom in order to get their data back, but no word yet if they were successful.


3 posted on 08/05/2014 10:59:18 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: Utilizer

There are a couple of different versions of it out there. Not all are this easy to work around. It's a serious issue though.

Generally those who pay get their data back. It's one reason I make backups and don’t have them attached via a mapped drive.


4 posted on 08/05/2014 11:00:56 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: ShadowAce

*ping* FYI.


5 posted on 08/05/2014 11:04:07 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: driftdiver

Hmmm. I was thinking this was somewhat serious, as the payment is demanded in BitCoin denominations (0.6 BitCoins), which are not cheap. People appear to be paying it, however.


6 posted on 08/05/2014 11:05:43 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: Utilizer

It's serious, no question about it. In the earlier versions of the virus there put the file.

Here’s an article on it. - http://www.pcworld.com/article/2084002/how-to-rescue-your-pc-from-ransomware.html


7 posted on 08/05/2014 11:09:00 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

8 posted on 08/05/2014 11:12:28 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: driftdiver

Appreciate the link. Saved for posterity and further perusal.


9 posted on 08/05/2014 11:12:51 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: Utilizer
Neal Stephenson did something like this in Reamde. BTT
10 posted on 08/05/2014 11:18:30 AM PDT by Billthedrill

To: Utilizer

Why are these maggots not shot when caught? For them to get paid, there has to be a trail leading to them. Maybe hidden by uncooperative countries and businesses, but their participation needs addressed too.


11 posted on 08/05/2014 11:20:35 AM PDT by LevinFan

To: LevinFan

Primarily because they are working it through the Tor network for anonymity. Also most of these sorts tend to be located in rather lawless countries or ones where bribes are a common and inevitable way of life such as Croatia, Ukraine, and Russia to name but a few. Identifying them is only part of the battle.


12 posted on 08/05/2014 11:25:45 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: driftdiver

This is different from Cryptolocker. Synology uses BusyBox (Linux) as a foundation while all of the NAS configuration is done through a web interface.

These are becoming very popular for people to save their libraries of pictures, documents, home movies, etc. I personally have 2 of them, but I use them solely for iSCSI LUNs mapping to my VMware server. I turned off the Internet-facing components a long while back, as they’re not very useful to me.

Encrypting the contents of these devices would be devastating for someone who uses them for personal memory storage.

I can see why this is a big deal; however, note that the proven affected revision of the DSM software is < DSM 5.0. If you’re keeping your NAS software up to date, you’re relatively safe. Take it off of your home network, out of the DMZ, set up firewalls to ensure it’s insulated from the Internet, and you should be okay. The terrifying part about this is it’s a PUSH operation whereas Cryptolocker was phished.


13 posted on 08/05/2014 11:32:17 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

There are weaknesses to the cloud storage model. I firmly believe in having backups including offsite backups. Offsite meaning geographical as well as not mapped so these types of hacks can find them.


14 posted on 08/05/2014 11:37:49 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: rarestia

This is beginning to sound more serious.

I actually had not had any experience with the Synology products, but some of the machines I work with do have some NAS devices attached so this I thought might bear some looking into.

Think I’ll start doing some checking when I go out and about today to perform some security checks.


15 posted on 08/05/2014 11:38:51 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

To: Utilizer
FYI to anyone who might be affected, there's a somewhat palatable "workaround" to prevent this from completely consuming your data:

Synology disk HACKED (Synolock)

If you remove your disks from the NAS, boot to an empty/clean single disk, install DSM to that disk, shut down, and replace the old disks, it can update the firmware without corrupting your personal data.

That being said, it appears the Synolocker loads into a local Linux module, sits in memory, and blocks access to the admin page. If you get the message on your admin page, you shut down the NAS and your data might be safe. It appears that accessing the data via UNC despite the admin page message proves the data is not immediately affected.

16 posted on 08/05/2014 11:41:46 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: driftdiver

I back up all of my LUNs on one NAS to the other which is on a completely separate VLAN and behind a hardware firewall. Those LUNs are then backed up to Amazon Glacier weekly and to a large USB hard drive once a month which is then placed into a fireproof safe.

I’m not completely insulated, but then no one is.


17 posted on 08/05/2014 11:43:17 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

Sounds like I could use your help setting up my backups


18 posted on 08/05/2014 11:46:15 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: Utilizer
Here's one of Synology's official statements. It appears this only affects DSM4.3 and earlier:

SynoLocker Ransomware Affecting Synology DiskStation

From the post:

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

19 posted on 08/05/2014 11:47:37 AM PDT by rarestia (It's time to water the Tree of Liberty.)
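
Added example, not part of the thread and not Synology's code: a triage of a NAS inventory against the boundary in the statement quoted in post 19 (DSM 4.3-3810 or earlier affected, DSM 5.0 not observed). The hostnames and version strings are constructed sample data, and the `major.minor-build` string format is an assumption about how versions were recorded in the inventory.

```python
import re

# Boundary taken from the Synology statement quoted in the thread.
AFFECTED_MAX = (4, 3, 3810)      # "DSM 4.3-3810 or earlier"
NOT_OBSERVED_FROM = (5, 0)       # "not observed ... in DSM 5.0"

# Assumed inventory format: optional "DSM", then major.minor-build.
_VERSION_RE = re.compile(r"(?:DSM\s*)?(\d+)\.(\d+)(?:\.\d+)?-(\d+)", re.IGNORECASE)

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "nas-photos": "DSM 4.3-3810",
    "nas-lab": "DSM 4.3-3827 Update 1",
    "nas-backup": "DSM 5.0-4493 Update 3",
    "nas-old": "4.2-3211",
    "nas-closet": "unknown",
}

def parse_dsm_version(text):
    """Return (major, minor, build) or None if the string has no build number."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Map a version string onto what the quoted statement actually says."""
    v = parse_dsm_version(text)
    if v is None:
        return "unparsed"        # check the device by hand; do not assume safe
    if v <= AFFECTED_MAX:
        return "affected"        # inside the range the statement names
    if v[:2] >= NOT_OBSERVED_FROM:
        return "not-observed"    # statement: not observed in DSM 5.0
    return "not-covered"         # newer than 3810 but older than 5.0: unstated

def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    order = {"affected": 0, "unparsed": 1, "not-covered": 2, "not-observed": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {host:11} {ver}")
```

Devices in the `not-covered` and `unparsed` rows fall outside what the statement addresses, so they need a manual check.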

To: rarestia

Thanks for the tip.


20 posted on 08/05/2014 11:48:46 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzzle-em's trying to kill them-)

