Cryptolocker deviation attacks Synology NAS devices [Update]

A vile piece of malware, called Cryptolocker, has been going around the Internet for a while now, with new variants popping up from time to time in order to remain undetected. The malware works by scanning your mounted drives and quietly encrypting everything. Once finished, the victim receives a notice that the only way to decrypt the files is to pay a ransom for the key. If you don't pay, you will never be able to access your files again unless you have a backup that wasn't impacted by the malware.

Someone has taken the base Cryptolocker and found a way to automatically attack Synology devices. Several users have reported that data on their Synology devices is inaccessible. In addition, when accessing the admin console, users are greeted with a ransomware notice telling them to transfer 0.6 BitCoins ($350) for the key. According to a notice we received from Synology, this appears to only impact devices running DSM 4.3, but the company is investigating whether it impacts version 5.x as well.

Until Synology figures out exactly what the issue is, they're recommending the following:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router

B. Update DSM to the latest version

C. Backup your data as soon as possible

D. Synology will provide further information as soon as it is available.

If your NAS has been infected:

A. Do not trust, and ignore, any email that does not genuinely come from Synology. Synology email always has the “synology.com” address suffix.

B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.

C. Contact Synology Support as soon as possible at http://www.synology.com/en-global/support/knowledge_base

This should also be a reminder to everyone on why backups are extremely important: It's far easier to restore from the backup than to deal with trying to pay the ransom. It's also important to note that ransomware like this can impact anybody's system regardless of operating system.
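One way to check that a backup copy is still intact and has not been quietly encrypted, given here as an added example that is not from the original article or from Synology: record a SHA-256 manifest while the data is known to be good, then compare later and flag changed files whose contents look like ciphertext. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for the illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def entropy(path, sample=64 * 1024):  # Shannon entropy, bits/byte, of the first bytes
    with open(path, "rb") as f:
        data = f.read(sample)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in Path(root).rglob("*") if p.is_file()}

def verify(root, manifest, threshold=7.5):  # assumed cut-off, in bits per byte
    """Compare root with a manifest taken earlier and kept off the NAS."""
    current = build_manifest(root)
    report = {"missing": [], "changed": [], "likely_encrypted": [],
              "new": sorted(set(current) - set(manifest))}
    for rel in sorted(manifest):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != manifest[rel]:
            # Changed content: entropy near 8 suggests ciphertext, not an edit.
            high = entropy(Path(root, rel)) > threshold
            report["likely_encrypted" if high else "changed"].append(rel)
    return report

def demo():  # constructed sample data: three text files, then simulated damage
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "budget.csv", "todo.txt"):
            Path(root, name).write_text(f"{name}: plain text contents\n" * 50)
        manifest = build_manifest(root)
        Path(root, "budget.csv").write_bytes(os.urandom(4096))  # stands in for ciphertext
        Path(root, "notes.txt").write_text("edited by its owner\n" * 50)  # ordinary edit
        Path(root, "todo.txt").unlink()
        return verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Compressed formats such as JPEG or ZIP are also high in entropy, which is why the entropy test is applied only to files whose hash no longer matches the manifest. The manifest itself has to live somewhere the NAS cannot write to, or it can be altered along with the data.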

We'll be sure to keep everyone updated on any new developments as we hear them.

UPDATE: Synology has posted more information about the vulnerability on their website. It's confirmed that this does not impact DSM version 5, and that the hole was patched in December, 2013. To help protect users, the company is blocking access via DDNS and QuickConnect to all insecure NAS devices. Further information is available at their site.

Source: Synology, Updated Information


37 Comments


So basically the problem was lazy admins that failed to update their firmware? Got it.

And who has external access to NAS anyway? (I can think of only a handful of cases this would be useful, and that doesn't make it any less dangerous!)

Raa said,
So basically the problem was lazy admins that failed to update their firmware? Got it.

And who has external access to NAS anyway? (I can think of only a handful of cases this would be useful, and that doesn't make it any less dangerous!)


Lots of people do. These devices are used in home settings a lot, and having access to your files anywhere in the world at any time is kinda what people want. Instead of using Dropbox or other online tools, you can use your own hardware and have all of the advantages of those other sites. A "personal cloud" so to speak.

Sorry, when I think NAS, I think enterprise users...

You're right, you can get cheap NAS devices for home use and have external access to them of course... and obviously at a risk.

Raa said,
Sorry, when I think NAS, I think enterprise users...

You're right, you can get cheap NAS devices for home use and have external access to them of course... and obviously at a risk.

Not so much of a risk if you only allow secure VPN connections over the Internet.

So just to be clear, this only affects Synology NAS devices right? Already went through the cryptolocker phase and ended up buying a WD NAS to back things up on

wv@gt said,
So just to be clear, this only affects Synology NAS devices right? Already went through the cryptolocker phase and ended up buying a WD NAS to back things up on

This specific variant only affects Synology NAS running version DSM 4.3 (as far as we know).

That said, there's no technical reason why the code can't be modified to find an exploit on any other NAS device if they find a security hole. In addition, if a machine that mounts any NAS gets infected, it doesn't matter where the data resides -- CryptoLocker can encrypt any network share from a PC.

Ever since Plex and Synology collaborated on a version of PMS that ran on the unit itself via DSM... this made me kind of nervous. Even though all of my media is on the NAS, the PMS is on my Mac mini. That being said... I will double check all of my security settings.

Athlonite said,
Just don't have your NAS open to the WWW and it's safe from this attack

That's what I was thinking. My current NAS solutions aren't allowed to call home until I let them for updates. But sadly I do have customers who like remote access to their files.

Athlonite said,
Just don't have your NAS open to the WWW and it's safe from this attack

100% correct. However people still need to be careful because if you open a piece of malware that encrypts all of the mounted drives on your PC... It could get to your NAS (any NAS!) that way too. Different attack vector though.

Fezmid said,

100% correct. However people still need to be careful because if you open a piece of malware that encrypts all of the mounted drives on your PC... It could get to your NAS (any NAS!) that way too. Different attack vector though.

I use CrashPlan to backup my NAS. Nothing like off site backup with file versioning.

TurboAAA said,

That's what I was thinking. My current NAS solutions aren't allowed to call home until I let them for updates. But sadly I do have customers who like remote access to their files.

If they really must have remote access then set up a Secure VPN for them.

These F###ing Ransomware Devs. - Hope they such a bad karma... - But on the other side - That's the users' fault too... Since over 60% of infected Users pay the ransom! (Kaspersky Institute Stats.) - Like this they make money and develop this method even further... Best way to go - Closed VPN Networks with Friends and Family and F### the Internet. ;) - Looks like someone tries to force an official Internet Police group ;)

I don't get the tech world. It's a hypocritical world.

Make sure you back everything up. Buy a NAS to do backups with which gets hacked.

This is a reminder to back up your already very expensive backup.

Nashy said,
I don't get the tech world. It's a hypocritical world.

Make sure you back everything up. Buy a NAS to do backups with which gets hacked.

This is a reminder to back up your already very expensive backup.

Depends how many copies you have. If you have the 1 and only copy on your already very expensive backup then it's not a backup.

Nashy said,
I don't get the tech world. It's a hypocritical world.

Make sure you back everything up. Buy a NAS to do backups with which gets hacked.

This is a reminder to back up your already very expensive backup.

You should always have a READ ONLY backup... today that's still on something like DLT / LTO or another type of tape, or on some other read only media like Blu-ray or DVD... and test every so often to validate their integrity

Nashy said,
I don't get the tech world. It's a hypocritical world.

Make sure you back everything up. Buy a NAS to do backups with which gets hacked.

This is a reminder to back up your already very expensive backup.

I've got a NAS, but it ain't for backup lol. And yeah, you should back up your backup.

A backup is only good if you can restore it. I've run into plenty of clients who rave that they've got backups, but then struggle to restore them.

Nashy said,
I don't get the tech world. It's a hypocritical world.

Make sure you back everything up. Buy a NAS to do backups with which gets hacked.

This is a reminder to back up your already very expensive backup.

NAS is about having shared files accessible across the network. The RAID functionality of these devices is about High Availability. Backups are about Disaster Recovery.

Sounds to me like the issue here is ignorance -- not hypocrisy ;)

pmdci said,

NAS is about having shared files accessible across the network. The RAID functionality of these devices is about High Availability. Backups are about Disaster Recovery.

Sounds to me like the issue here is ignorance -- not hypocrisy ;)

This. Don't put your backups on a nas-shnas. Especially not these overpriced boxes of crap. Make your own, keep it off the public network and, if possible, even your own network. Airgap when not in use.

To this day, the only good backup is tape... I can't wait for this to attack all methods besides read only tape... everyone wanted to get away from tape and have off site online backups, but the more malware progresses, the harder it is to avoid at least a monthly backup tape

Enron said,
I got tapes for the Commodore 64.

Ah, the old days, audio cassette tapes... I used to have a bunch for the TI 99/4A and the disk drive expansion also.

neufuse said,
To this day, the only good backup is tape... I can't wait for this to attack all methods besides read only tape... everyone wanted to get away from tape and have off site online backups, but the more malware progresses, the harder it is to avoid at least a monthly backup tape

I have offsite backups and I don't use Synology :)
Tapes are slow and expensive. They are fine for Banks who have the money for vast autoloaders, tape robots etc, but for an average company, local backup on decent enterprise grade storage and a mirror to either Azure / a n other cloud company or reciprocal arrangement with another data centre / company will suffice.

snuffy said,

I have offsite backups and I don't use Synology :)
Tapes are slow and expensive. They are fine for Banks who have the money for vast autoloaders, tape robots etc, but for an average company, local backup on decent enterprise grade storage and a mirror to either Azure / a n other cloud company or reciprocal arrangement with another data centre / company will suffice.

I don't work for a bank, and I don't work for a huge company, local backup is not an option because of regulations, and neither is cloud because of regulations and the sheer size of our data... we have a few terabytes of data... Even for medium size businesses a read only copy every once in a while is a must... It is possible you could lose your online backup just as easily as your real copy... then what? If you have a monthly read only backup you at least have something to go back to if you had the file at the last backup point... In our case we have to keep 7yrs of backups, due to HIPAA and other regulations... Tape is the real answer for archived backups... you don't need a huge robotic library. We have REO disk arrays that we do backup to disk with and then duplicate that to tape... We also have an off site backup that every 15 minutes locally by looking for block level changes on all our servers and backs up them incrementally then merges all the changes at night and sends them off site daily to a server we have hosted in another building far away.

if you think tape is the only way to back things up, then you're old and unwilling to learn new things. "what if your online backup goes out" -- yes, what if a multimillion dollar corporation just goes out of existence in the blink of an eye and takes their entire data center with them, that sounds more likely to you than your tape or tape drive failing?
"we keep it in a safe at x location" oh, and so, the huge datacenter is going to vanish in the blink of an eye, but the little local building you keep your tapes in is resistant to alien attack?
and then after all that you're like "oh yeah and we have a realtime offsite backup" but it's on your own server, vs a vast cluster of machines at amazon, etc.
do you have redundant internet connections and power sources and your data center is located next to a hydroelectric dam too?

hapbt said,
if you think tape is the only way to back things up, then you're old and unwilling to learn new things. <snip>

I've got the same argument at work. They insist on using tapes, and I've been trying to migrate them to large EHDD's for backup.
Even after we've had 3 tape drives replaced and a dozen tapes fail... nope, gotta stick to tape. :rolleyes:

hapbt said,
if you think tape is the only way to back things up, then you're old and unwilling to learn new things. "what if your online backup goes out" -- yes, what if a multimillion dollar corporation just goes out of existence in the blink of an eye and takes their entire data center with them, that sounds more likely to you than your tape or tape drive failing?
"we keep it in a safe at x location" oh, and so, the huge datacenter is going to vanish in the blink of an eye, but the little local building you keep your tapes in is resistant to alien attack?
and then after all that you're like "oh yeah and we have a realtime offsite backup" but it's on your own server, vs a vast cluster of machines at amazon, etc.
do you have redundant internet connections and power sources and your data center is located next to a hydroelectric dam too?

You are completely missing the point, a read only backup is a fail safe, you should always have a fail safe... We have online backups at a remote location and IN ADDITION we have monthly read only backup tapes... we'd have to have three systems fail before we lost data... which in our case is REQUIRED by regulations.. it's not people not adapting to change, it's being safe.. Backup tapes are just another method that you can keep data, and since it's read only after you make it such you do not have to worry about a virus or malware working its way somehow into it and damaging your data.. I'm not talking about billion dollar companies here with massive multi location data centers... I'm talking medium size businesses 100 - 500 employees

Yep, don't forget to backup! Also an Offsite backup is nice too! Like I always say when I buy one hard drive I buy 2, the 2nd one to backup the 1st drive.

I do that, but the backup to the backup is not connected 24/7 in case something wanted to infect it over the network. Then I have two backups that I cycle for off site, but that's only updated once a month.

I also back up a lot to OneDrive, since I got 1.4 TB there.

So in order for your Synology to get this malware, you'd have to have it on a local PC first for it to spread to the NAS, right?

Or is this something that's just finding Synologys at random over the Internet and infecting them?

Enron said,
So in order for your Synology to get this malware, you'd have to have it on a local PC first for it to spread to the NAS, right?

Or is this something that's just finding Synologys at random over the Internet and infecting them?

"SynoLocker is a “push” attack that is capable of reaching out and directly infecting vulnerable servers without any human intervention...whereas Cryptolocker is principally a “pull” attack delivered via Trojans"