Tuesday, 05 August 2014 17:02

New Synolocker Ransomware Targets unpatched Synology NAS devices running older versions of DSM

Written by

Reading time is around minutes.

One of the biggest issues in security is not the number of bad guys out there or the number of zero day exploits that exist in the wild. Sadly it is that far too many companies and people do not update their devices and software. Now I know that it is a pain to run updates on every device you own, but in most cases these updates are important. This is the case we find with the recent brouhaha over a version of cryptolocker (SynoLocker) that appears to target Synology NAS devices with an older (and unpatched) version of Disk Station Manager (DSM).

The time line is like this: In the latter half of 2013 Synology was made aware of a flaw in DSM 4.2 and 4.3. (DSM 4.3-3810 or earlier) In December Synology released a patch for this flaw to protect systems that were still running those older versions. At the time of this writing there have been no reported cases of this flaw on DSM version 5 and above. DSM 5 was launched as a stable BETA around CES and as a final release in February. In other words more than 6 months has passed since DSM 5.0 was available and a patch for the flaw in older systems has been around since December of last year.

However, there are still some unpatched systems that are getting hit with this new form of malware. The complaints are showing up in the Synology forums and all seem to indicate that their systems was being held by ransomware. The really interesting thing is that the vector for attack is rather sloppy. A user will get a notification offering a service that will improve the encryption on their NAS box. If this is followed the system will install the TOR web browser and connect to an unlisted server. You would think that most people would be rather concerned about any real service that tries to use TOR to connect to it. Additionally I am not sure if you should trust any unknown entity that claims they can improve the encryption on a device without checking on it first.

Either way Synology has some advice about how to see if your NAS is affected an also how to update your NAS to a patched version.

“For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:
o    When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
o    A process called “synosync” is running in Resource Monitor.
o    DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.”

Additionally if you are not affected you will want to quickly update your DiskStation (or RackStation) to the latest version of DSM or at least patch it.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
o    For DSM 4.3, please install DSM 4.3-3827 or later
o    For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
o    For DSM 4.0, please install DSM 4.0-2259 or later
DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download

As we said at the top of this article, often it is not the bad guys that find a new zero day to break it, it is the lack of maintenance and system upkeep that allows for quick and easy entry and exploitation. In this case, the bad guys are using an old and already patched flaw. If the affected people had bothered to keep up with patches they would not be in the situation they are.

Tell us what you think in our Forum

Read 5009 times Last modified on Tuesday, 05 August 2014 17:05

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.