Ransomware attack on Synology NAS servers

Ransomware attack on Synology NAS servers

A heads up if you are running a Synology NAS server on your network. It looks like there is a security vulnerability that has been exploited with a Ransomware attach. The attack called SynoLicker locks users out of their data and demands a fee to unlock the it. The issue effects DSM 4.3-3810 and older versions the current version of DSM 5.0 is not effected.

UPDATE:

Chris made a good point in the comments that is worth noting. I would make sure your box is behind a firewall without and port forwarding rules.

Just to add to this – although Synology say in their press release that they haven’t observed DSM 5 being affected – several people in the Synology forums have posted screenshots of the ransomware running on DSM 5,

If you have a Synology NAS you should make sure you have the latest version installed (5.0). Synology don’t say what you can do if your system is compromised other than contract their support team. It just goes to show that no matter what system you have you should always keep it up to date with the latest patches. Below is a statement from Synology:

Hello,

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:

·   When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

·   A process called “synosync” is running in Resource Monitor.

·   DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

·   For DSM 4.3, please install DSM 4.3-3827 or later

·   For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

·   For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at [email protected] where a dedicated team will look into their case.

We sincerely apologise for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.

Thank you.

Synology UK

Thanks to Garry for the info.

Share

2 thoughts on “Ransomware attack on Synology NAS servers

  1. Just to add to this – although Synology say in their press release that they haven’t observed DSM 5 being affected – several people in the Synology forums have posted screenshots of the ransomware running on DSM 5,

Leave a Reply

Your email address will not be published. Required fields are marked *