Cryptolocker deviation attacks Synology NAS devices [Update]

vile piece of malware, called Cryptolocker, has been going around the Internet for awhile now, with new variants popping up from time to time in order to remain undetected. The malware works by scanning your mounted drives and quietly encrypting everything. Once finished, the victim receives a notice that the only way to decrypt the files is to pay a ransom for the key. If you don't pay, you will never be able to access your files anymore unless you have a backup that wasn't impacted by the malware.

Someone has taken the base Cryptolocker and found a way to automatically attack Synology devices. Several users have reported that data on their Synology devices are inaccessible. In addition, when accessing the admin console, users are greeted with a ransomware notice telling them to transfer 0.6 BitCoins ($350) for the key. According to a notice we received from Synology, this appears to only impact devices running DSM 4.3, but the company is investigating whether it impacts version 5.x as well or not.

Until Synology figures out exactly what the issue is, they're recommending the following:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router

B. Update DSM to the latest version

C. Backup your data as soon as possible

D. Synology will provide further information as soon as it is available.

If your NAS has been infected:

A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “” address suffix.

B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.

C. Contact Synology Support as soon as possible at,

This should also be a reminder to everyone on why backups are extremely important: It's far easier to restore from the backup than to deal with trying to pay the ransom. It's also important to note that ransomware like this can impact anybody's system regardless of operating system.

We'll be sure to keep everyone updated on any new developments as we hear them.

UPDATE: Synology has posted more information about the vulnerability on their website. It's confirmed that this does not impact DSM version 5, and that the hole was patched in December, 2013. To help protect users, the company is blocking access via DDNS and QuickConnect to all insecure NAS devices. Further information is available at their site.

Source: Synology, Updated Information

Report a problem with article
Next Article

Samsung sends out invites for Sept 3, Galaxy Note 4 launch expected

Previous Article

iOS 8 beta 5 and OS X 10.10 preview 5 now available

37 Comments - Add comment