
Synology DiskStation Manager Infected with a CryptoLocker Hack

btarunr

Editor & Senior Moderator
Staff member
Synology DiskStation Manager (DSM), the company's in-house NAS operating system, is vulnerable to a CryptoLocker hack, which the company is referring to as "SynoLocker." The nature of how NAS units get infected by this hack is unknown, but when it is, the malware encrypts a portion of the data stored on your NAS volumes and holds it for ransom, for 0.6 BTC (US $350 as of now). It decrypts that data only upon payment of that money. There's no guarantee of your data being held for ransom again. The issue is currently localized to NAS units running non-updated versions of DSM 4.3, but Synology is investigating if the hack works on DSM 5.0 as well.

Synology is urging users to take the following steps: close all ports for external (Internet) access, and unplug your NAS from your local network; with your NAS plugged into just one machine, update DSM to the latest version; and back up your data. If your NAS unit is infected, disconnect it from the network, perform a hard shutdown, and contact Synology. The issue highlights one of the many dangers of a distributed currency, in which the beneficiary of funds is difficult to trace.

Here's an emergency statement from Synology (the company is preparing a press-release):

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker - as of yesterday (08/03/14). It's a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the "synology.com" address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit's power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at http://www.synology.com/en-global/support/knowledge_base

Bitcoin will save us all!!!

I may have to set up an old system and get it infected with one of the encryption hijacks to see what and where and how it works.
 
I have a sample of an older crypto-virus, courtesy of my nephew getting his PC infected. It asks for 100 US$ in ransom money, but sending is limited to MoneyPak, Ucash and cashU. Probably the only major difference is BTC support and spreading method now. The private key is an SHA256 affair, stored on a remote, secure server behind the TOR network, and the public key is RSA2048. I still have the infected HDD stored away, and can retrieve it, if you really want to examine the malware... I'd advise against it if you're not a security expert and don't have a tight sandbox or a well-isolated VM handy, though.
 
If I did, it would be on a separate machine, isolated, with a snapshot on one disk, and then I'd try different things like encrypting the disk first, removing privileges, creating a false network and logging packets, putting a few files on that may be able to be identified even after encryption by scanning, and using a hex editor to look at the boot sectors of the disk and see where the malware loads from.
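The post above mentions planting a few files that can still be identified after encryption by scanning. The following is an added example (not code from the thread or from Synology) of the defender-side version of that idea: a canary-file monitor that plants known low-entropy files on a share, records their hashes, and later reports files that went missing, were renamed (an extension appended), or were replaced by high-entropy, encrypted-looking content. The file names, the 7.0 bits/byte entropy threshold and the temporary directory used in the demo are assumptions; the "infection" in the demo is only a simulation that overwrites one canary with random bytes and renames another, so the block runs offline against constructed input.

```python
"""Canary-file monitor for detecting ransomware-style tampering on a share.
Added example, not from the thread; names, threshold and paths are assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed, repetitive plaintext: low entropy (~4 bits/byte), easy to recognise.
CANARY_TEXT = b"CANARY-FILE do not modify. " * 64

# Assumed canary names: sorted early/late in listings so a mass encryptor hits them.
CANARY_NAMES = ("~$budget.xlsx", "zz_backup_notes.txt")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text is ~4-5, encrypted or random data is close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def plant_canaries(root: Path, names=CANARY_NAMES) -> dict:
    """Write the canary files and return the baseline {path: sha256 hex digest}."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(CANARY_TEXT)
        baseline[str(p)] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline

def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare the share against the baseline and return (path, reason) findings.
    Reasons: 'renamed' (a sibling with the canary name as prefix exists, e.g. an
    appended extension), 'missing', 'high_entropy' (content now looks encrypted),
    or 'modified' (changed but still low-entropy, e.g. an ordinary edit)."""
    findings = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            siblings = list(p.parent.glob(p.name + "*"))
            findings.append((path_str, "renamed" if siblings else "missing"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            reason = "high_entropy" if shannon_entropy(data) >= entropy_threshold else "modified"
            findings.append((path_str, reason))
    return findings

def demo() -> dict:
    """Plant canaries in a temp dir, verify a clean check, then simulate what an
    encryptor would do to them and return both results for inspection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        clean = check_canaries(baseline)            # expected: no findings
        first, second = list(baseline)
        # Simulated tampering only: random bytes stand in for encrypted content,
        # and a renamed file stands in for an appended ransomware extension.
        Path(first).write_bytes(os.urandom(len(CANARY_TEXT)))
        Path(second).rename(second + ".locked")
        after = sorted(reason for _, reason in check_canaries(baseline))
        return {"clean": clean, "after": after}

if __name__ == "__main__":
    print(demo())   # {'clean': [], 'after': ['high_entropy', 'renamed']}
```

In practice the baseline would be stored off the NAS (the monitor is useless if the encryptor can also rewrite its hash list), and the check would run from a scheduled task on a separate host that mounts the share read-only, raising an alert on any finding other than an empty list.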
 
Sounds like a plan. I only saw one machine listed in your profile, so I ASSumed it was your only one... A different physical machine is always a better solution. I'll see what I can do about that sample.
 