waspsoton

SynoLocker Ransomware Affecting DSM 4.3-3810


EDIT by Trantor:

 

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

 

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

- For DSM 4.3, please install DSM 4.3-3827 or later

- For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

- For DSM 4.0, please install DSM 4.0-2259 or later

 

Source: Synology forum
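A way to triage a list of NAS version strings against the thresholds in the advisory quoted above, written as an added example for this thread; it is not Synology's tooling or anything posted in the original discussion. The per-branch minimum builds are the ones in the advisory, the hostnames and versions in the sample inventory are constructed, and the handling of a trailing "Update N" suffix is an assumption about how DSM reports point updates.

```python
"""Triage DSM version strings against the SynoLocker advisory thresholds.

Added example for this thread, not Synology's tooling. The minimum patched
builds come from the advisory quoted above; the inventory is constructed
sample data, and the "Update N" suffix handling is an assumption about
how DSM reports point updates.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class DsmVersion(NamedTuple):
    major: int
    minor: int
    build: int


# Branch -> lowest version the advisory considers patched.  A 4.1 box has
# no patched 4.1 build: the advisory points it at 4.2-3243, so every 4.1
# build compares below its threshold.  DSM 5.0 is "not observed" rather
# than confirmed fixed, so it is reported separately, not as "patched".
MIN_PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 0): (4, 0, 2259),
    (4, 1): (4, 2, 3243),
    (4, 2): (4, 2, 3243),
    (4, 3): (4, 3, 3827),
}

# Accepts "DSM 4.3-3810", "4.3-3827", "DSM 4.3-3827 Update 2"
# (the "Update N" suffix is an assumed format, not from the advisory).
VERSION_RE = re.compile(
    r"^(?:DSM\s+)?(\d+)\.(\d+)-(\d+)(?:\s+Update\s+\d+)?$", re.IGNORECASE
)


def parse_dsm_version(text: str) -> Optional[DsmVersion]:
    """Return (major, minor, build), or None if the string is not a DSM version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return DsmVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version_text: str) -> str:
    """Classify one version string: vulnerable, patched, not-observed or unknown."""
    v = parse_dsm_version(version_text)
    if v is None:
        return "unknown"            # unparseable: never silently pass it
    if (v.major, v.minor) >= (5, 0):
        return "not-observed"       # advisory: not observed in DSM 5.0
    threshold = MIN_PATCHED.get((v.major, v.minor))
    if threshold is None:
        return "unknown"            # e.g. DSM 3.x: advisory gives no threshold
    return "patched" if tuple(v) >= threshold else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) rows, worst verdicts first."""
    order = {"vulnerable": 0, "unknown": 1, "not-observed": 2, "patched": 3}
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nas-office": "DSM 4.3-3810",
    "nas-lab": "DSM 4.3-3827 Update 2",
    "nas-old": "DSM 4.1-2668",
    "nas-media": "DSM 4.2-3243",
    "nas-new": "DSM 5.0-4493",
    "nas-legacy": "DSM 3.2-1955",
}

if __name__ == "__main__":
    for host, ver, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:13} {host:12} {ver}")
```

Two design points: an unparseable or out-of-table version comes back as "unknown" rather than being treated as safe, and DSM 5.0 is kept as "not-observed" because the advisory only says exploitation has not been seen there, which is weaker than a confirmed fix.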


Thanks for the reply, looks like it is very new. I am going to try something this evening. But I won't be paying the ransom.


Try to update to nanoboot and latest DSM or keep your machine off the internet by deleting all port forwarding.

If this is true, it's pretty big shit!

I just tried to log into my server and this came up (see attachment). Any ideas? I can't be the first person this has ever happened to.

 

Is your DSM "visible" from the Internet? If it's not, then it's worrying.


Yes, I use remote access on it. I think this could be the start of a very big problem. I am going to try a restore of the OS in a bit. Will report back when I know more.


No offense, but if you're not on the latest version and you keep your box on the internet, hacking like this is gonna happen all the time and you're kinda asking for it.

No offence taken, mate. I know it's pretty much my own fault for not updating; I'm just pissed off more than anything, and by the fact that when I first posted this no one on the internet had posted anything.


I have a way to get my data back and get my server working; I will post a full walkthrough in a few days. The short version: pull all the hard drives out apart from one you are happy to wipe, and reinstall the OS so the server will boot fully. Then use Linux to get your data back and put it onto the HD you pulled out of your server.


Hi everyone,

 

It seems there's a workaround for this problem for "legacy" Synology NAS units:

 

1. Shut down the NAS

2. Remove all the hard drives from the NAS

3. Find a spare hard drive that you will not mind wiping and insert it into the NAS

4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)

5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.

6. Remove the spare drive and insert ALL your original drives.

7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.

8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".

9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.

10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition or the data partition.

11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.

 

That means that in your case, where you're running a non-upgraded 4.3 version, you can definitely go to Trantor's Beta 8 version and then use local upgrades to get up to the latest version (Update 5, I think)... Just by flashing your USB startup key with the latest image you'll obtain the "migratable" state and be able to "reinstall" DSM without losing data.

 

- Link to Trantor's (thanks again Trantor) DSM 4.3 Beta 8: viewtopic.php?f=2&t=1361&p=17406#p17406

- Tutorial to use DSM internal update to go to the latest DSM update version (tested myself, it's working great, thanks Stanza): viewtopic.php?f=15&t=2999&hilit=3827

 

Hope this helps you, waspsoton, take control back of your NAS... :wink:


I just powered down. Synology will not bail out xpenology of course.


For a real Synology product, I would suggest not using their free DDNS services; it just lets the hacker know that you are using Synology DSM.

 

Besides the fact that hackers may mass-scan IP addresses on ports 5000 and 5001 to test whether a host is a Synology product, using a free Synology domain name (such as synology.me) is very dangerous and leaves you vulnerable to attack.

 

I think it is very stupid to use such manufacturer-specific DDNS services; it just draws the hackers' attention.


If you're using either v5 or v4 updated to the latest version, you're safe.

You could just isolate it from the internet and you'll be safe.


What daemon was compromised, and in which versions? How do you know this?


Hands up those who work in IT? Keep your hand up if you have pinged your network guru guys and inquired about opening ports on your one and only retail-ready router. Keep your hand up if they then made you a Visio, drew a picture on a whiteboard or explained in some detail what happens when you do that. Keep your hand up if you ignored every piece of advice and said, "this will not happen to me."

 

Sorry but it's been a tough day at the coal face

MF


:!: New ransomware that is affecting Synology DSM NASs :!:

 

Have a Synology NAS? Is it accessible from the internet? If it is, you might want to take it offline for a while. SynoLocker is a 0-day ransomware that, once installed, will encrypt all of the NAS's files and hold them for ransom, just like CryptoLocker does for Windows PCs. The virus is currently exploiting an unknown vulnerability to spread. Synology is investigating the issue.

 

We'd like to give you an update regarding SynoLocker, a ransomware affecting certain Synology servers. When trying to access DSM, it displays the message below, in addition to instructions for paying a fee to unlock your data:

 

"All important files on this NAS have been encrypted using strong cryptography"

 

What should you do?

 

If you are seeing this message when trying to login to DSM, please:

 

1. Power off your DiskStation immediately to avoid more files being encrypted

2. Contact our Support team so we can investigate further

 

Source:

http://hardware.slashdot.org/story/14/08/05/0344244/synolocker-0-day-ransomware-puts-nas-files-at-risk

 

More Info on Forums

http://forum.synology.com/enu/viewtopic.php?f=108&t=88770


Further info here:

 

http://www.theregister.co.uk/2014/08/05 ... y_attacks/

 

Although, according to the comments, it's been patched?

 

I'll ask the same questions on here as I have on theregister:

 

I disabled the admin account and created a new one.

I have SSH turned off.

I have SSL turned on and auto-redirected.

I have auto-block IP on 2 password fuck-ups.

 

Am I doing everything I should to keep safe?


Hackers do not necessarily need to try your admin password. Once the hackers have identified that your device is a Synology NAS and that it has some security vulnerabilities that haven't been fixed, it is possible for them to remotely access your NAS as the root user.

 

- disable port forwards for ports 5000, 5001 ...

- stop using Synology's free DDNS; the Synology domain is unsafe
