Synology, a NAS manufacturer and storage server, has informed their customers that there is a dangerous and current ransomware attack that has been targeting the company’s devices.
The ransomware has been named SynoLocker and it is targeting Synology servers that are exposed on the internet. It is using an exploit for breaking into the systems that is not yet known. Once it breaks into the system it will engage in a Cryptolocker ransom scheme. It encrypts the files that are stored within the server and then holds the key ransom. Currently, the attackers are holding the key for a ransom price of 0.6 Bitcoins. This is equal to around $350, which is a big price to pay in order to get your files returned.
What Servers are Affected?
Currently, there are only a certain number of Synology servers that are affected. In addition to being internet exposed, the company has confirmed that SynoLocker will attack the servers that are running versions of DSM 4.3 that are out of date. Synology is still looking into whether or not the newer version, DSM 5.0 is also affected.
What you Should do
Currently, Synology is still working on isolating the vulnerability and the software versions that have been affected. Synology is requesting that their users take the necessary precautions to protect their servers against the ransomware. In addition to removing external internet access of the server, the company also suggests that every user upgrades their DSM to the newest version and to make sure to backup all their data just in case. If you back up your data and your files do get taken by SynoLocker, there will be a safe backup copy available.
If your server has been infected, the company is advising that you shut down your servers immediately to stop more of your files from becoming encrypted. You should contact Synology support and tell them about the issues that you are having. In addition, they are suggesting that users that have been affected be on the lookout for emails that are sent from a fake Synology account. It is thought that the authors of the ransomware may try to follow up by attacking the infected users with a spear phishing attack as well.
After this, contact Synology support: https://myds.synology.com/support/support_form.php Even it seems that the only way out may well be paying, it’s still worth to take contact, and get provided with latest information from Synology.
Ransomware and cryptolocker
Cryptolocker and other ransomware of this type are extremely dangerous pieces of malware. Synolocker is even more dangerous because of the large amount of data that is stored on the dedicated server that it is targeting compared to an average workstation or client machine. In addition, where Cryptolocker is primarily a pull attack that is delivered using Trojans, Synolocker push attacks and is capable of infecting servers that are vulnerable without any type of human intervention.
Hopefully, Synology will be able to have an answer as to which DSM versions have been affected. In addition, the company is working on a solution for the problem. However, if Synolocker is implemented in the same way as Cryptolocker, the only way that you may be able to get your ransomed data back is to pay the ransom for it.