Synology is a Taiwanese company that manufactures popular storage devices that allow file access from the local network as well as over the internet.
2 months ago, Dell Secureworks reported that vulnerabilities in these devices had been exploited to silently install and run CPUMiner – an application to mine virtual currencies on the behalf of compromised users.
Last night, owners of Synology devices reported being victim of a new Ransomware named SynoLocker.
Synolocker encrypts the files stored on the NAS, and changes the admin web page to one asking for a ransom, to be paid in Bitcoin to a web site only accessible over the Tor network. It shares interesting similarities with Cryptolocker: the payment system but also the choice of encryption algorithms and their related parameters.
The malware also disables access the system using SSH and Telnet.
Whether the malware exploits a 0day vulnerability in the operating system (DSM) or exploits devices with poor credentials or an outdated system (versions prior to 5.0 have serious known vulnerabilities) is unknown at this time.
This critical vulnerability hasn’t been patched by the vendor yet and might also be the attack vector used by this new ransomware.
For the time being, owners of Synology devices should make sure that they are not directly reachable from the Internet, for example by configuring firewall rules on their router. In particular, the following ports should not be accessible from the Internet: 5000, 5001, 21, 22, 23, 80 and 443.
Also, keeping offline backups is the best, and sometimes the only way, to recover from ransomware.
