
SynoLocker ransomware targets Synology NAS Devices


27 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 05 August 2014 - 03:20 PM

A new file-encrypting ransomware has been developed called SynoLocker that targets Synology Network Attached Storage (NAS) devices. Unlike typical encrypting malware, this one does not infect your computer, but rather exploits vulnerabilities in older versions of Synology's DiskStation Manager (DSM) operating system. Devices running DSM 4.3-3810 or earlier are vulnerable and are being targeted and exploited via the Internet. Once the device is exploited, you will no longer be able to access the administrative screen; it will be replaced by a ransom screen. This ransom screen states that your files have been encrypted and that you need to pay a ransom of 0.6 bitcoins, or approximately $350 USD, to get your files back.
 

[image: ransom-screen.jpg]


In this ransom screen you will be assigned a personal identification code that can be used to log in to the SynoLocker payment system located on Tor. The Tor address is hxxp://cypherxffttr7hho.onion. Once you enter your code you will be presented with information on how to pay the ransom and retrieve your files. Once the ransom is paid, you will be shown your decryption key, or private key, which you will need to paste into the ransom screen on the Synology device. Once you enter the decryption key, the infection will allow you to decrypt your files.

The SynoLocker malware files are stored on the Synology device in the /etc/synolocker folder. The main decrypter program is located at /etc/synolock/synolock, the private decryption key is located at /etc/synolock/RSA_PUBLIC_KEY, and the public key is found in /etc/synolock/RSA_PRIVATE_KEY. If anyone has a copy of this folder, I would be interested in examining it.

What is scary and bizarre at the same time is the professionalism of the decryption site. The English is not broken as typically seen in ransomware, and they are actually providing a customer support page where people can get help with paying the ransom and decrypting their files. Below you can see the latest news section of the malware's decryption site:
 

Latest News

08/05/2014
All support tickets are answered as fast as possible. In the case that your ticket is not answered in a timely fashion, then submit it again.

08/04/2014
Some users have reported issues with the automated decryption process. All customers' keypairs are kept in security and everything will be done to complete the decryption process. After submitting the key it can take several minutes before the page refreshes to the decryption progress bar. Custom binaries preloaded with the correct keypair for each identifier are available on demand. More instructions about using the custom binary will be posted tomorrow.

Thank you for your patience.
SynoLocker


If you are infected with SynoLocker, you should immediately disconnect your device from the Internet and contact Synology customer support, who will walk you through updating your DSM and regaining access to your device. If you are not affected, you should make sure to upgrade to the latest DSM on your device.
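As an added example (this is not code from the thread, from Synology, or from the malware), the following POSIX shell triage script turns the facts in the post above into checks an administrator can run: it parses the installed DSM version and reports whether it falls in the "4.3-3810 or earlier" range named above, counts which of the indicator paths the post lists (/etc/synolocker, /etc/synolock/synolock and the two key files) are present, and, if any are, copies those folders into tar archives with a hash manifest so they survive the DSM update that support will ask for. Two things are assumptions, not facts from the page: that DSM stores its version in /etc.defaults/VERSION as key="value" lines named majorversion, minorversion and buildnumber, and that sha256sum is available (older BusyBox builds may only ship md5sum). Because the web UI and SSH may already be unreachable on an infected unit, the script takes an optional root argument so it can also be run against the NAS system partition mounted read-only on another Linux machine.

```shell
#!/bin/sh
# synolocker_triage.sh: added example, not from the thread, Synology or the malware.
# Assumptions (not stated on the page): DSM keeps its version in
# /etc.defaults/VERSION as key="value" lines named majorversion, minorversion
# and buildnumber, and sha256sum exists. The indicator paths and the
# "4.3-3810 or earlier" cut-off are exactly those stated in post #1.
# Usage:
#   sh synolocker_triage.sh /                       # on the live device
#   sh synolocker_triage.sh /mnt/syno ./evidence    # system partition mounted
#                                                    # read-only on another box

INDICATORS="/etc/synolocker /etc/synolock/synolock /etc/synolock/RSA_PUBLIC_KEY /etc/synolock/RSA_PRIVATE_KEY"

# True (exit 0) when DSM major.minor-build is 4.3-3810 or earlier.
dsm_vulnerable() {
    major=$1; minor=$2; build=$3
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$build" -le 3810 ]
}

# Print "major minor build" parsed from a DSM VERSION file; fail if unparseable.
parse_dsm_version() {
    f=$1
    [ -r "$f" ] || return 1
    major=$(sed -n 's/^majorversion="\([0-9]*\)".*/\1/p' "$f")
    minor=$(sed -n 's/^minorversion="\([0-9]*\)".*/\1/p' "$f")
    build=$(sed -n 's/^buildnumber="\([0-9]*\)".*/\1/p' "$f")
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$build" ] || return 1
    echo "$major $minor $build"
}

# Print how many SynoLocker indicator paths exist under root $1 ("/" when live).
synolocker_indicators() {
    root=${1:-/}; n=0
    for p in $INDICATORS; do
        [ -e "$root$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Archive the malware folders found under root $2 into directory $1, with a
# SHA256SUMS manifest, so they survive a DSM update or reset. Point $1 at
# external media, not at the NAS itself. Nothing under $2 is modified.
preserve_artifacts() {
    out=$1; root=${2:-/}
    mkdir -p "$out"
    for d in /etc/synolocker /etc/synolock; do
        [ -d "$root$d" ] || continue
        tar -C "$root" -cf "$out/$(basename "$d").tar" "${d#/}"
    done
    (cd "$out" && find . -type f -name '*.tar' -exec sha256sum {} + > SHA256SUMS)
    ls -l "$out"
}

main() {
    root=${1:-/}; out=${2:-./synolocker-evidence}
    if ver=$(parse_dsm_version "$root/etc.defaults/VERSION"); then
        set -- $ver
        if dsm_vulnerable "$1" "$2" "$3"; then
            echo "DSM $1.$2-$3: 4.3-3810 or earlier; isolate from the Internet, then update DSM"
        else
            echo "DSM $1.$2-$3: newer than 4.3-3810"
        fi
    else
        echo "could not read $root/etc.defaults/VERSION"
    fi
    n=$(synolocker_indicators "$root")
    echo "SynoLocker indicator paths present: $n"
    if [ "$n" -gt 0 ]; then
        preserve_artifacts "$out" "$root"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script only reads from the device and writes to the output directory; it does not attempt decryption. If the NAS is already refusing web and SSH connections, pull the disks and run it with the system partition mounted read-only on another Linux host, which is also the place to inspect any attacker-supplied decryptor before letting it touch the only copy of the data.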



#2 Keeeetz, Member


Posted 06 August 2014 - 01:57 PM

Can you use the decryption website to retrieve your data?



#3 kanucomputer, Member


Posted 06 August 2014 - 02:18 PM

Hello (sorry, I don't speak English very well),

 

I am infected with SynoLocker. Can we expect a decryption solution, as with CryptoLocker or others?

I can provide anything that will help in the search...

Thank you in advance; needless to say, I had 2x4 TB in RAID mode :(

Thanks


#4 Grinler (Lawrence Abrams), Admin, Topic Starter


Posted 06 August 2014 - 02:22 PM

The decryption website can be used to pay the ransom and retrieve your private key. From some of the identification codes that I have seen, people are being shown as paid on the site and the decryption key is given. So, though I do not have personal knowledge, I do believe paying the ransom will get you the decryption key.

At this point there is no way to crack the encrypted files.

#5 kanucomputer, Member


Posted 06 August 2014 - 02:27 PM

> The decryption website can be used to pay the ransom and retrieve your private key. From some of the identification codes that I have seen, people are being shown as paid on the site and the decryption key is given. So, though I do not have personal knowledge, I do believe paying the ransom will get you the decryption key.
>
> At this point there is no way to crack the encrypted files.

But since it is a variant of CryptoLocker, can't we expect a solution in the future?



#6 Grinler (Lawrence Abrams), Admin, Topic Starter


Posted 06 August 2014 - 02:35 PM

No one said it's a variant of CryptoLocker. Instead, it's the same type of ransomware: a file-encrypting one. The media bundle any file-encrypting ransomware as a variant of CryptoLocker, which is simply untrue.

#7 kanucomputer, Member


Posted 06 August 2014 - 02:41 PM

> No one said it's a variant of CryptoLocker. Instead, it's the same type of ransomware: a file-encrypting one. The media bundle any file-encrypting ransomware as a variant of CryptoLocker, which is simply untrue.

Hmm, ok, sorry, I don't know all of this...

I will power on my NAS to try to access the /etc/synolocker folder. With this, can you really see whether it's possible or not?



#8 Grinler (Lawrence Abrams), Admin, Topic Starter


Posted 06 August 2014 - 02:46 PM

No worries... I was expressing frustration at the press, not you :)

I think I have the folder...looking now.

#9 Grinler (Lawrence Abrams), Admin, Topic Starter


Posted 06 August 2014 - 02:54 PM

Still need the folder if anyone has it. Thanks

#10 kanucomputer, Member


Posted 06 August 2014 - 03:11 PM

No access to the Syno. I tried FTP, WinSCP and PuTTY; my connections are refused :(
 
Strangely the website Tor


#11 kanucomputer, Member


Posted 07 August 2014 - 08:59 AM

I can't explain now how it is possible, but after a sleepless night, research and contact with the guy who makes "synolocker", I can decrypt all of my files with a binary that he made for me.

 

I'll get back here soon to explain, and I can give the binary to help if someone can change the identification code; it appears that it works for other configurations, because when I asked him if he needed the private key he said "The software has the keypair linked to the identification code preloaded inside". I suppose that it can help???

 

+



#12 Grinler (Lawrence Abrams), Admin, Topic Starter


Posted 07 August 2014 - 09:45 AM

Did you pay the ransom?

#13 Townshend, Member


Posted 07 August 2014 - 10:26 AM

Grinler, I have the files you are looking for I believe.  I'll PM you


Edited by Townshend, 07 August 2014 - 10:26 AM.


#14 kanucomputer, Member


Posted 08 August 2014 - 10:48 AM

> Did you pay the ransom?

No, I didn't pay the ransom, but my system runs Xpenology. I don't know how it works, but it seems all users of Xpenology own the same licence or software version or something like that; I don't know, I don't understand how all of this works...

But before my system was hacked, when I used DS cam or Synology's online services, those services had problems (I received notifications for another user's cam, for example), so we're interconnected with the hacked version of Synology (Xpenology), I suppose????

When I go to my admin webpage and click to pay the ransom, it says "already paid". Ohohoh, what a surprise... certainly a user of Xpenology paid the ransom.

At this point I have my private key, but the website doesn't work for decrypting....

After contacting the guy who made the ransomware (by Bitmessage, because he offers support O_O), he asked me to open port 5000 again so he could access my system to decrypt it remotely...

I didn't want this (fear), so I explained to him that I had disconnected my hard disk and put it in a desktop Linux OS, so the Syno was inaccessible...

Surprise... then he told me he would build a binary to use offline on Linux...

I tested it with my encrypted data; it works perfectly... I have to run lots of command lines in each folder, but it works!

If it can help the community, I can provide all of the conversation with this person and the binary file; I don't know if it contains interesting code or other things...

So... I'm very lucky, I know...

 

+



#15 maxboly, Member


Posted 10 August 2014 - 01:58 PM

 


Hello Kanucomputer,

Can you please help me with your solution?

I have a customer's NAS, maybe infected by the ransomware. I never saw the ransomware message, but it is impossible to access the NAS (it was on 4.3) and all the data is corrupted.

I updated the NAS to 5.0 (the latest version), but the data was already corrupted. I don't have a backup of this NAS and I'm very interested in your solution.

Thanks

Max





