• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Synology DiskStation Manager Infected with a CryptoLocker Hack

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
46,277 (7.69/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Synology DiskStation Manager (DSM), the company's in-house NAS operating system, is vulnerable to a CryptoLocker hack, which the company is referring to as "SynoLocker." The nature of how NAS units get infected by this hack is unknown, but when it is, the malware encrypts portion of data stored on your NAS volumes, and holds it for ransom, for 0.6 BTC (US $350 as of now). It decrypts that data only upon payment of that money. There's no guarantee of your data being held for ransom again. The issue is currently localized to NAS units running non-updated versions of DSM 4.3, but Synology is investigating if the hack works on DSM 5.0 as well.

Synology is urging users to take the following steps - close all ports for external (Internet) access, and unplug your NAS from your local network; and with your NAS plugged into just one machine, update DSM to the latest version; and back-up your data. If your NAS unit is infected, disconnect it from the network, perform a hard-shutdown, and contact Synology. The issue highlights one of the many dangers of a distributed currency, in which the beneficiary of funds is difficult to trace.

Here's an emergency statement from Synology (the company is preparing a press-release):

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker - as of yesterday (08/03/14). It's a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also effects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the "synology.com" address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit's power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at, http://www.synology.com/en-global/support/knowledge_base

View at TechPowerUp Main Site
 
Last edited:
Joined
Nov 4, 2005
Messages
11,655 (1.73/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs and over 10TB spinning
Display(s) 56" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
Bitcoin will save us all!!!

I may have to setup a old system and get it infected with one of the encryption hijacks to see what and where and how it works.
 
Joined
Nov 19, 2012
Messages
753 (0.18/day)
System Name Chaos
Processor Intel Core i5 4590K @ 4.0 GHz
Motherboard MSI Z97 MPower MAX AC
Cooling Arctic Cooling Freezer i30 + MX4
Memory 4x4 GB Kingston HyperX Beast 2400 GT/s CL11
Video Card(s) Palit GTX 1070 Dual @ stock
Storage 256GB Samsung 840 Pro SSD + 1 TB WD Green (Idle timer off) + 320 GB WD Blue
Display(s) Dell U2515H
Case Fractal Design Define R3
Audio Device(s) Onboard
Power Supply Corsair HX750 Platinum
Mouse CM Storm Recon
Keyboard CM Storm Quickfire Pro (MX Red)
I have a sample of an older crypto-virus, courtesy of my nephew getting his PC infected. It asks for a 100 US$ in ransom money, but sending is limited to MoneyPak, Ucash and cashU. Probably the only major difference is BTC support and spreading method now. The private key is an SHA256 affair, stored on a remote, secure server behind TOR network, and the public key is RSA2048. I still have the infected HDD stored away, and can retrieve it, if you really want to examine the malware... I'd advise against it if you're not a security expert and don't have a tight sandbox or a well-isolated VM handy, though.
 
Joined
Nov 4, 2005
Messages
11,655 (1.73/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs and over 10TB spinning
Display(s) 56" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
If I did it would be on a separate machine, isolated, with a snapshot on one disk and then try different things like encrypting the disk first, removing privileges, create a false network and log packets, put a few files on that may be able to be identified even after encryption by scanning, use a hex editor to look at the boot sectors of the disk and see where the malware loads from.
 
Joined
Nov 19, 2012
Messages
753 (0.18/day)
System Name Chaos
Processor Intel Core i5 4590K @ 4.0 GHz
Motherboard MSI Z97 MPower MAX AC
Cooling Arctic Cooling Freezer i30 + MX4
Memory 4x4 GB Kingston HyperX Beast 2400 GT/s CL11
Video Card(s) Palit GTX 1070 Dual @ stock
Storage 256GB Samsung 840 Pro SSD + 1 TB WD Green (Idle timer off) + 320 GB WD Blue
Display(s) Dell U2515H
Case Fractal Design Define R3
Audio Device(s) Onboard
Power Supply Corsair HX750 Platinum
Mouse CM Storm Recon
Keyboard CM Storm Quickfire Pro (MX Red)
Sounds like a plan. I only saw one machine listed in your profile, so I ASSumed it was your only one... A different physical machine is always a better solution. I'll see what I can do about that sample.
 
Top