Data Storage Security IT

Synolocker 0-Day Ransomware Puts NAS Files At Risk

Deathlizard (115856) writes "Have a Synology NAS? Is it accessible to the internet? If it is, you might want to take it offline for a while. Synolocker is a 0-day ransomware that, once installed, will encrypt all of the NAS's files and hold them for ransom just like Cryptolocker does for Windows PCs. The Virus is currently exploiting an unknown vulnerability to spread. Synology is investigating the issue."
  • by Anonymous Coward on Tuesday August 05, 2014 @05:10AM (#47605423)

    not to connect your NAS directly to the internet.

  • You do have backups, right?

    • by Anonymous Coward on Tuesday August 05, 2014 @05:21AM (#47605441)

      Of course. But they are on another similar box connected to the internet of things which was crypted earlier.

    • Backup? What do people usually use NAS for, I always thought it's mostly for ripped/torrented movies and backups of other computers. Neither of these need backups.

      • They may have some unhappy customers right now; but 'NAS', in Synology's product lineup, includes a variety of devices that are aimed either at reasonably serious users or very serious pirates.
      • by Anonymous Coward on Tuesday August 05, 2014 @05:55AM (#47605535)

        Backup? What do people usually use NAS for, I always thought it's mostly for ripped/torrented movies and backups of other computers. Neither of these need backups.

        Meh, if you ripped it you can rip it again (assuming you didn't get rid of the disc), if you torrented it you can torrent it again, if you backed up another machine onto it you can back it up again. Maybe it was about time you did another backup anyway. It'll be a load of hassle but not the end of the world unless you really wanted to keep older versions of things.

        If it is the end of the world for some of your important files then maybe they should have been backed up again to a different machine/location. I thought that was standard in case your house burnt down/machine was nicked/crazy ex threw it out the window.

      • by Dutch Gun ( 899105 ) on Tuesday August 05, 2014 @07:13AM (#47605715)

        My Synology NAS is my home-based business' file server, a local machine backup (for my development machine and my digital audio workstation), and a media server for my ripped DVDs and Blurays, although this third function is just a nice bonus for me. Synology NAS devices have a very handy cloud backup application as well, which I use to back up all my most critical files to Amazon S3 services. I hope most people made use of this, because if Cryptolocker has taught us anything, it's that you absolutely need offsite backups that are NOT connected to your network.

        I bought it specifically because it makes it easy to set up a multi-tiered backup strategy like that - something that takes on new importance when you spend a few years writing code on your own dime. As a file server, it's fantastic for small operations. I had a drive begin to fail last year, and so had a chance to test out the hot-swapping / RAID rebuilding feature. Worked like a charm - was super simple and zero down-time.

        Personally, I've never once considered opening up my NAS to the outside internet. That always seemed crazy risky to me - after all, a single software mistake, a buffer overrun in a protocol stack of some sort, and *poof*, there's direct access to your file server and all its critical data. I guess sometimes being paranoid pays off, but it gives me no pleasure to say so.

        • S3? Yuck. Their pricing is horrendous. I'd suggest crashplan.

          http://www.code42.com/crashplan/ [code42.com]
          http://forum.synology.com/wiki/index.php/CrashPlan_Headless_Client [synology.com]

          Although the synology forums are currently getting destroyed (guessing from this article).
        • by rahvin112 ( 446269 ) on Tuesday August 05, 2014 @12:30PM (#47607287)

          You do realize that for the S3 backup to work Synology or the NAS (and the NAS has your Synology login info) has your login information for S3, and that if this thing is owning the NAS there is a pretty damn good chance the malware has owned your S3 instance as well right? The only way it wouldn't is if the S3 backup is totally manual.

          • by Dutch Gun ( 899105 ) on Tuesday August 05, 2014 @01:13PM (#47607597)

            That's actually a very good point. The S3 backup is completely automated which means, of course, that everything the malware would need to screw with your S3 (or other) account is right there for the taking - the keys have to be local and accessible. Granted, we haven't heard any confirmation of this malware having those sorts of capabilities, but we've seen incredibly sophisticated banking trojans out in the wild that do things that are far more sophisticated.

            Damn. Well, all the more reason to stay patched up, and to avoid exposing any more of an attack surface to the internet than you absolutely need to. Fortunately, the way my local network is set up, it's pretty much impossible for a single trojan to access all of the redundant copies of my critical files, since the multiple workstations all sync to a Mercurial repository on the NAS, and none of those workstations share their drives, providing some degree of protection from potential malware on the other machines in the network. I guess you can never really have too many backups.

          • You do realize that for the S3 backup to work Synology or the NAS (and the NAS has your Synology login info) has your login information for S3, and that if this thing is owning the NAS there is a pretty damn good chance the malware has owned your S3 instance as well right? The only way it wouldn't is if the S3 backup is totally manual.

            Amazon has a very extensive authentication system [amazon.com] -- you can easily configure the Synology with an S3 access key that only has "List Files" and "Upload Files" permissions, but not "Delete Files" or "Overwrite Files". This way, even if the Synology box gets owned or a user fat-fingers something, the files on S3 aren't at risk. You don't (and shouldn't) need to use your AWS root access keys for S3.

            I have a similar setup with Amazon's Glacier: my standard access key has only list, upload, and retrieve permissions. A separate access key is required to delete files (I've configured my Glacier client, FastGlacier, to prompt me for a password when I switch to the "delete" key) so that I don't accidentally end up deleting important backups.

            • by rahvin112 ( 446269 ) on Tuesday August 05, 2014 @03:09PM (#47608395)

              If the keys are stored on the box in any way then they are compromised because the box is. The synology box is rooted, any information stored on that box is compromised. If for example your root key for S3 is backed up on the NAS then it's compromised.

              People are glossing over this, if the box is rooted everything it knows and stores is compromised, that's how people need to be analyzing this instead of blowing it off as no big deal.

              • If the keys are stored on the box in any way then they are compromised because the box is. The synology box is rooted, any information stored on that box is compromised. If for example your root key for S3 is backed up on the NAS then it's compromised.

                Agreed. That's why you shouldn't use the root S3 access key for anything (in fact, don't generate one at all). Use service-limited, least-access keys for AWS accounts: there's no reason a NAS should have an access key capable of creating EC2 instances. It should have list+write access only to S3 (and/or Glacier). If users want to delete files from S3, they should have to log in with a different user (perhaps to the AWS console) and specifically do that.

                Amazon provides good options in this regard, and it's too bad if users aren't taking advantage of them.

                People are glossing over this, if the box is rooted everything it knows and stores is compromised, that's how people need to be analyzing this instead of blowing it off as no big deal.

                In this specific case, the malware does not seem to want to steal user data, only to encrypt it and ransom it back to users. Sure, it could steal data, but it doesn't seem to do so. It's a big deal to those who are unprepared and don't have proper backups, but it could definitely be worse.
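
An added example, not part of any comment in this thread: a small audit of an IAM policy document against the list+upload-only rule argued for in the comments above. The two sample policies and the bucket name `example-nas-backup` are constructed; the action names are real S3 IAM actions.

```python
import json
from fnmatch import fnmatchcase

# What the thread says a NAS backup key needs: list and upload, nothing else.
NEEDED = {"s3:listbucket", "s3:putobject"}
# Real S3 actions that let a stolen key destroy or expire existing backups.
DESTRUCTIVE = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
               "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning",
               "s3:PutBucketPolicy"]

# Constructed sample policies; "example-nas-backup" is a placeholder bucket name.
BROAD = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")
SCOPED = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::example-nas-backup"},
  {"Effect": "Allow", "Action": ["s3:PutObject"],
   "Resource": "arn:aws:s3:::example-nas-backup/*"}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_backup_policy(policy):
    """Return findings for Allow statements that exceed list+upload."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append("NotAction: grants all unlisted actions")
        for pattern in _as_list(stmt.get("Action", [])):
            pat = pattern.lower()  # IAM action names are case-insensitive
            hits = [a for a in DESTRUCTIVE if fnmatchcase(a.lower(), pat)]
            if hits:
                findings.append(f"{pattern}: allows {', '.join(hits)}")
            elif pat not in NEEDED:
                findings.append(f"{pattern}: not needed for list+upload")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("Resource '*': not limited to the backup bucket")
    return findings

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit_backup_policy(doc) or "ok")
```

`s3:PutObject` can still replace an existing object with new content; enabling bucket versioning keeps the earlier versions, which a key without `s3:DeleteObjectVersion` cannot remove.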

      • Backups need backups too. Your data isn't safe unless there are 3 copies, working, backup, archive (minimum), one should be offline.
  • by Anonymous Coward on Tuesday August 05, 2014 @05:28AM (#47605463)

    because all my files are encrypted. I can see the list of files, but it only makes me want to puke. I am fucked, screwed, and borked, all at once. Thanks Syno. Damn Chinese software! Never again. They can make cheap hardware but they can't make software worth ... my files! All my pretty files. Gone.

  • by fnj ( 64210 ) on Tuesday August 05, 2014 @05:40AM (#47605483)

    Really?

  • Interesting (Score:4, Interesting)

    by rebelwarlock ( 1319465 ) on Tuesday August 05, 2014 @05:54AM (#47605531)
    So between TOR and bitcoin, they think they finally have a viable method of collecting on ransomware. Also, I found it interesting that they're asking specifically for 0.6BTC - that is, double what Cryptolocker is asking. I wonder if there's an intentional correlation there.
    • by GNious ( 953874 ) on Tuesday August 05, 2014 @07:10AM (#47605705)

      My bit of pondering is whether that 0.6btc can be tracked/identified at companies handling bitcoins, and especially at companies converting between btc and real money?

      Could you basically get the police (Europol/Interpol?) involved, and when a company reports that a user is trying to use/convert the btc you paid with, have that user charged with ransoming data, or taking stolen goods (i.e. either as the original thief, or as a fence)?

      If the 0.6btc is acquired by the person via a laundry-service, charge him/her with engaging in activities meant to conceal the original crime?

      • by TangoMargarine ( 1617195 ) on Tuesday August 05, 2014 @04:39PM (#47608855) Journal

        Wasn't the whole objective of Bitcoin to create a system where you *couldn't* do that?

        • by GNious ( 953874 ) on Wednesday August 06, 2014 @02:11AM (#47611975)

          Bitcoins must, as far as I can tell, have something that identifies them; at the very least, you need to be sure that only 1 person mined a given coin (solved a given mathematical challenge), to avoid endless, easily mined coins.

          Am starting to think one should investigate the possibility of making a blacklist of coins known to be acquired via illegal methods.

          • by TangoMargarine ( 1617195 ) on Wednesday August 06, 2014 @10:25AM (#47613897) Journal

            Rereading your post, it looks like you weren't implying the link between a person and a bitcoin userid like I thought. But still, part of the value of bitcoins is that there is no central authority to revoke your currency. Hence the use in black market applications etc.

            Well, until that one group that has 50%+1 of the coins decides it wants to become that authority, I suppose.

    • by Xenna ( 37238 ) on Tuesday August 05, 2014 @07:50AM (#47605835)

      That's what I was thinking.

      Now this is just data, but what if this kind of thing gets used for real ransom demands?
      Like kidnapping someone's child and demanding ransom in bitcoin.
      Is it feasible that one could get away with that?

      Wouldn't that be the death of TOR and bitcoin?
      I mean I'm all for privacy but not if it facilitates kidnapping.

    • by radarskiy ( 2874255 ) on Tuesday August 05, 2014 @02:29PM (#47608149)

      Clearly, ransoms are Veblen goods.

  • by Anonymous Coward on Tuesday August 05, 2014 @06:51AM (#47605645)

    Is it. Is it really.

    'Investigating', not 'investAgating'. American cretins.

  • by CurryCamel ( 2265886 ) on Tuesday August 05, 2014 @07:22AM (#47605739) Journal

    From TFA: the message that pops up to the victims ends with:

    Copyright 2014 SynoLocker(TM) All Rights Reserved.

    I have a real hard time respecting that copyright...

  • by bhoar ( 1226184 ) on Tuesday August 05, 2014 @07:52AM (#47605839)
    Update posted 8/5/2014 by Jeremie on the English language Synology Forum: [We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.]
  • by JamieKitson ( 757690 ) on Tuesday August 05, 2014 @08:46AM (#47606025) Homepage Journal

    There is no mention in the article of this being a zero day vulnerability, in fact the article specifically says "it’s not clear yet how SynoLocker’s operators installed the malware".

    As others have said Synology is reporting the vulnerability was patched in December [synology.com]. Hardly a zero day.

  • /.ed (Score:5, Interesting)

    by simplypeachy ( 706253 ) on Tuesday August 05, 2014 @09:22AM (#47606169)

    Forum post so far:

    Hello Everyone,

    We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

    Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

    For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/supp... [synology.com].

    -When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
    -A process called “synosync” is running in Resource Monitor.
    -DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

    For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
    -For DSM 4.3, please install DSM 4.3-3827 or later
    -For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
    -For DSM 4.0, please install DSM 4.0-2259 or later

    DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/suppor... [synology.com].

    If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

    Apologies for any problems or inconvenience caused. We will keep you updated with latest information as we address this issue.
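
An added example, not part of the forum post or of Synology's tooling: the version floors and symptom list from the post above, applied to one device's observed state. Treating a build below its branch's fixed build as "unpatched" is this example's reading of the post, and the parameters `processes`, `ransom_screen` and `claims_latest` are hypothetical inputs you would collect by hand.

```python
import re

# Minimum fixed build per DSM branch, from the Synology forum post quoted above.
# The post tells 4.1 users to move to the 4.2 fix, so 4.1 maps to 4.2-3243.
FIXED = {(4, 3): (4, 3, 3827), (4, 2): (4, 2, 3243),
         (4, 1): (4, 2, 3243), (4, 0): (4, 0, 2259)}

def parse_dsm(text):
    """Parse 'DSM 4.3-3810' (prefix optional) into (major, minor, build)."""
    m = re.fullmatch(r"\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def required_update(text):
    """Return None if the build meets the post's minimum, else the target."""
    version = parse_dsm(text)
    if version[0] >= 5:
        return None                      # post: not observed in DSM 5.0
    target = FIXED.get(version[:2])
    if target is None:
        return "DSM 5.0"                 # branch has no fixed build in the post
    if version >= target:
        return None
    return "DSM %d.%d-%d or later" % target

def triage(text, processes=(), ransom_screen=False, claims_latest=False):
    """Apply the post's symptom list; returns (action, symptoms)."""
    target = required_update(text)
    symptoms = []
    if ransom_screen:
        symptoms.append("ransom screen at DSM login")
    if "synosync" in processes:
        symptoms.append("synosync process running")
    if target and claims_latest:
        symptoms.append("unpatched build reported as latest")
    if target and symptoms:
        return ("shut down and contact support", symptoms)
    if symptoms:                         # patched build, but still suspicious
        return ("report to security@synology.com", symptoms)
    if target:
        return ("install " + target, symptoms)
    return ("no update required by the post", symptoms)

if __name__ == "__main__":
    print(triage("DSM 4.3-3810", processes=["synosync"]))
```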

  • As for the article...

    First part says "According to the user, there’s a small window of opportunity to minimise the damage. That is, if you can backup files faster than the program encrypts them."

    Then buried where many don't wander (towards the end), it mentions "1) Power off the DiskStation immediately to avoid more files being encrypted"

    I would think the wise thing would be to exchange the location of the two sentences, lest you have some would-be hero actually try to find where to start saving at.

  • by MikeTheGreat ( 34142 ) on Tuesday August 05, 2014 @11:18AM (#47606851)

    I misread this as

    Synolocker 0-Day Ransomware Puts NSA Files At Risk

    That would have been a much more interesting article to read, methinks :)

  • by cciRRus ( 889392 ) on Tuesday August 05, 2014 @12:25PM (#47607253)

    The Virus is currently exploiting an unknown vulnerability to spread.

    Are all the security geeks busy at Blackhat such that nobody realized this mistake?

  • by r_jensen11 ( 598210 ) on Tuesday August 05, 2014 @03:25PM (#47608483)

    Here I was, reading the headline as:

    Synolocker 0-Day Ransomware Puts NSA Files At Risk

    If only....
