Synology DSM attacked by SynoLocker malware

August 5, 2014 // 10:31 a.m.

Tags: #bitcoin #cryptlocker #diskstation-manager #dsm-43 #dsm-50 #linux #nas #ransom #ransomware #security #synolocker #synology #vulnerability

Storage specialist Synology has warned its users that its DiskStation Manager software, used across its entire network attached storage (NAS) range, is being attacked by file-encrypting malware known as SynoLocker.

Launched by attackers unknown late last week, SynoLocker appears to be a version of the CryptoLocker ransom malware modified to specifically target an as-yet unknown security vulnerability in Synology's DiskStation Manager. When a vulnerable system is found, the malware locks the user out of the control panel and proceeds to encrypt all files stored on the NAS. If the user wants to regain access to his or her files, a ransom of 0.6 Bitcoins - around £210 - is demanded, with the fee rising over time.

User reports, which began to trickle in earlier this week, indicate that all models of NAS running both DSM 4.3 and the latest DSM 5.0 are vulnerable to the malware. Although Synology has confirmed the existence of SynoLocker, it has not yet provided its users with a timescale for development of a patch that will close whatever hole is being exploited.

For now, the company's official advice is to shut down any affected system before the encryption process can complete, and to contact the company's support team. For those not yet infected, a good precaution would be to disable all external access to the NAS until a patch can be released to close the vulnerability.

UPDATE:
Synology has dismissed user reports that DiskStation Manager 5.0 systems are being affected by the flaw, stating that it is a problem only on DSM 4.3 and prior. 'We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013,' a spokesperson has told us. 'At present, we have not observed this vulnerability in DSM 5.0.'

Users whose servers are displaying the SynoLocker message, running a process called 'synosync' or have an older version of DSM installed but declare themselves to be up-to-date when the DSM Update tool is executed from the Control Panel are advised to shut their systems down and contact support. All other users are advised to update their systems though the DSM Update tool, to close the hole used by SynoLocker, before restoring external connectivity.

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU