Ransomware Targeting Synology NAS Servers Encrypts User Data

Ransomware that is currently going after Synology network attached storage (NAS) servers has been disclosed by the Taiwan-based storage hardware maker Synology.

According to the company, the malware named "Synlocker" has been exploiting a vulnerability in unpatched versions of the servers to remotely encrypt all data on the server using either RSA 2048-bit keys and 256-bit keys, depending on the file type. Once the data has been encrypted, the user is displayed a screen saying that the data will be decrypted only after paying a fee (in Bitcoins) to the malware operators. The hardware maker is currently investigating the incident after reports of the ransomware started to appear online earlier this week.

"We are fully dedicated to investigating this issue and possible solutions," said the company in a released statement. "Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013."

It's currently unknown how many Synology users have been hit with the Synlocker malware.

The company said that if users see any suspicious activities originating from their hardware, they should shut it down immediately and contact the Synology technical support team as soon as possible. It also said that upgrading to DSM 5.0 should protect users from the ransomware attack. Also, those running unpatched versions are strongly advised to shut down Synology NAS' ports 5000 or 5001 to the Internet to avoid attack.

CryptoLocker Ransomware Gets Unlocked
This week's emergence of the Synlocker ransomware is very reminiscent of another malware that has operated by encrypting user files and demanding money to decrypt. The "CryptoLocker" malware first appeared in 2013 and has used the same tactics to block an estimated 500,000 systems from accessing locally stored data.

Coincidentally, as one encrypting ransomware surfaces, CryptoLocker is put to rest. While the malware, which used infected e-mail attachments to gain access to systems, was halted from spreading thanks to a joint international law enforcement mission called "Operation Tovar" back in May, those users that did not pay the ransom before the seizure of the database and the arrest of those believed to be responsible went down in Russia were left unable to access the encrypted data.

Researchers from security firms FireEye and Fox-It announced today that they had obtained the private decryption keys and have set up the Web site to help those still locked out to regain access to their data.  Affected users will then be asked to provide an e-mail address and to upload the encrypted files. A decryption key will then be sent to the users to unlock all affected files on that system.

"We are excited to work with Fox-IT to offer a free resource that can help thousands of businesses affected by the spread of CryptoLocker over the last few months," said Darien Kindlund, director of threat intelligence, FireEye, in a press release. "No matter the type of cyber breach that a business is impacted by, it is our goal to resolve them and get organizations back to normal operations as quickly as possible."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

comments powered by Disqus
Most   Popular