SynoLocker gang planning to move on?

The crooks behind SynoLocker have made some changes to the website sporting the payment instructions. They are trying to spur more victims to pay up by saying that the website will be taken offline soon and that, once that happens, victims will not be able to get the private keys needed to decrypt their files.

They are offering to sell the encryption keys that have not yet been claimed for 200 Bitcoin (around $103,000). It seems that they might be thinking about ending this particular campaign.

It’s still unclear how SynoLocker specifically infects Synology NAS devices, but the company has noted that only Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier) have been affected, and it’s all because they sported a specific vulnerability that has been patched in later versions.

According to F-Secure’s Artturi Lehtio, the malware does not come in the form of a single malicious binary, but is actually a collection of files that get uploaded to the target device via this infection vector.

“On the surface, SynoLocker and CryptoLocker share many similarities, not the least of which are a similar name, similar choice of encryption algorithms and the idea of extorting money from victims. Under the surface however, the similarities quickly end,” noted Lehtio.

Despite initial claims, it seems that the two ransomware families are not connected.