Synolocker On Synology

19/09/14

Dan shows you how to deal with the CryptoLocker ransomware virus on your NAS

Synology NAS drives have been targeted by a version of the CryptoLocker virus called SynoLocker.

Once the NAS is infected, the normal interface is replaced by a message warning you that all your files have been replaced by encrypted ones using a 256-bit, RSA-2048 key. It advises you to install the Tor Browser, visit a website located on the so-called "Dark Web" and pay 0.6 bitcoins to retrieve your files.

The virus might have arrived from a variety of sources: P2P networks, torrents, Silverlight updates, fake Flash or other video player downloads, or email attachments.

SynoLocker stores its files in the /etc/synolocker folder. The main decrypter program is located in /etc/synolock/synolock, the private decryption key is located in /etc/synolock/RSA_PUBLIC_KEY, and the public key is found in /etc/synolock/RSA_PRIVATE_KEY.

It appears not to encrypt Access database files but does affect most other common file types.

Synolocker could also collect sensitive data from your NAS or computer and send it on.

Prevention:

Update the OS to DSM 5; versions 5 and above will not be affected by the virus.

Launch DSM, then go to Control Panel -> DSM Update -> Download and update.

Or download it manually from Synology's Download Center.
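The following check is an added example, not part of the original article or of Synology's tooling: a POSIX shell script that looks for the SynoLocker paths listed above and reads the DSM major version. The `/etc.defaults/VERSION` file with its `majorversion` key, the function names and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the SynoLocker paths named in the article and
# check that DSM is version 5 or above. Pass a root directory as the first
# argument (/ on the NAS itself, or a mount point for drives checked offline).

# Paths exactly as written in the article (both folder spellings are checked).
SYNOLOCKER_PATHS="/etc/synolocker
/etc/synolock/synolock
/etc/synolock/RSA_PUBLIC_KEY
/etc/synolock/RSA_PRIVATE_KEY"

# Print each listed path that exists under root $1; return 0 if any exists.
find_synolocker_files() {
    r="${1%/}"
    found=1
    for p in $SYNOLOCKER_PATHS; do
        if [ -e "$r$p" ] || [ -L "$r$p" ]; then
            echo "FOUND: $r$p"
            found=0
        fi
    done
    return $found
}

# Print the DSM major version read from etc.defaults/VERSION (assumed location).
dsm_major_version() {
    vfile="${1%/}/etc.defaults/VERSION"
    [ -r "$vfile" ] || return 1
    sed -n 's/^majorversion="\([0-9][0-9]*\)".*/\1/p' "$vfile" | head -n 1
}

# Return 0 if clean, 1 if SynoLocker files exist, 2 if DSM is below 5 or unknown.
check_nas() {
    nas_root="${1:-/}"
    if find_synolocker_files "$nas_root"; then
        echo "SynoLocker files found under $nas_root"
        return 1
    fi
    major=$(dsm_major_version "$nas_root") || major=""
    if [ -z "$major" ] || [ "$major" -lt 5 ]; then
        echo "No SynoLocker files, but DSM major version is '${major:-unknown}'; update to DSM 5 or above"
        return 2
    fi
    echo "No SynoLocker files; DSM major version $major"
    return 0
}

# Run only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then check_nas "$1"; exit $?; fi
```

Run it as `sh check.sh /` over SSH on the NAS, or point it at the mount point of a drive attached to another machine.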

Cure:

To find more information on how this fix can be implemented visit this site: Graham Cluley

1. Shut down the NAS

2. Remove all the hard drives from the NAS

3. Find a spare hard drive that you will not mind wiping and insert it into the NAS

4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)

5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.

6. Remove the spare drive and insert ALL your original drives.

7. Power up the NAS and wait patiently. If all goes well, after about a minute you will hear a long beep and the NAS will come online.

8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".

9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.

10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition or the data partition.

11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.

(source: https://forum.synology.com/enu/viewtopic.php?f=3&t=88716)
