Synology NAS users hit with Cryptolocker variant

You know that your products are getting to be very popular when cybercriminals target users with a customized version of the Cryptolocker ransomware.

The products in question are NAS (network-attached storage) appliances manufactured by Taiwan-based Synology. As it could be witnessed in a couple of posts on different online help forums, the malware has started wreaking havoc over the weekend.

“My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked,” a user shared his experience on Synology’s forum.

“It will cost 0.6 BitCoins. It encrypts file by files. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files was copied I turned off my disk.”

The ransom message identifies the attack as the the result of a “SynoLocker” infection, explains how the files are encrypted (and threatens that “without the decryption key, all encrypted files will be lost forever”), and urges affected users to visit an .onion domain in order to get further instructions on how to get the key.

Synology is working on fixing the problem, but it’s still unknown how the malware manages to compromise the devices. One guess is the exploitation of a vulnerability, as was the case with the recent instances of Synology DiskStations infected with Bitcoin miners.

Users whose devices have been compromised are advised to try to backup files as soon as they spot the ransomware message – the malware encrypts the data on a file-by-file basis, so some files can possibly be salvaged before they get encrypted.

Other than that, there are not many other options for the users: they can pay the ransom and risk not receiving the key, or chose not to and risk losing all the data (if they don’t do regular back-up).

The ransomware message blocks access to the DiskStation Manager (DSM), the products’ OS, but there is a way to restore access. This will not, unfortunately, help with the fact that files are encrypted.

Users who haven’t been affected by the malware are advised to backup their files as soon as possible and to unplug the devices until it is discovered how the malware gets in and how to prevent it from doing so.

UPDATE: While they are working on a solution to the threat, Synology has issued advice on how to foil the malware and limit the damage it has done.

Don't miss