Synology NAS drives have been targeted by a version of the CryptoLocker virus called SynoLocker.
Once infected, the normal interface is replaced by a message warning you that all you files have been replaced by encrypted ones using a 256-bit, RSA-2048 key. It advises you that you need to install the Tor Browser and visit a web site located in the so called "Dark Web" and pay them 0.6 bit coins to retrieve your files.
The virus might have arrived from a variety of sources; P2P networks, torrents, Silverlight updates, fake flash or other video player downloads or by email attachments.
SynoLocker stores its files in the /etc/synolocker folder. The main decrypter program is located in/etc/synolock/synolock, the private decryption key is located in /etc/synolock/RSA_PUBLIC_KEY, and the public key is found in/etc/synolock/RSA_PRIVATE_KEY
It appears not to encrypt Access database files but does affect most other common files types.
Synolocker could also collect sensitive data from your NAS or computer and send it on.
Update the OS to DSM 5 as 5 and above will not be affected by the virus.
Launch DSM, then go to -> Control Panel -> DSM Update -> Download and update.
Or download it manually from Synology's Download Center.
- Antivirus Essential from Synology can be downloaded from the Synology site.
- Decryption fix online: FireEye and Fox-IT are providing free keys to repair your system.
To find more information on how this fix can be implemented visit this site: Graham Cluley
- If you cannot view the NAS GUI interface, having been replaced by a page you can reinstall the DSM with the latest version using the following instructions. However this will not decrypt the data, and you will not lose any data.
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.