Ransomware attack hits Synology's NAS boxen

Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them. The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended …

  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    "Synology email always has the “synology.com” address suffix. "

    Whew! Just as well this is impossible to fake. All hail the Synology security experts.

    1. Anonymous Coward
      Anonymous Coward

      We should all know by now what often comes of exposing Linux based systems to the Internet. Not a good idea...

    2. This post has been deleted by its author

    3. eatdicks
      FAIL

      SPF records + DKIM
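The "SPF records + DKIM" reply is the actual check a mail receiver has for the "always has the synology.com suffix" claim: the envelope sender domain publishes a policy, and the receiver evaluates the connecting IP against it. What follows is an added example for this thread, not Synology's code and not a full RFC 7208 implementation (DKIM signature verification is not shown). DNS is replaced by an inline table of constructed records; the domains and addresses are documentation ranges, not Synology's real mail infrastructure. It handles ip4, ip6, include and all with the four qualifiers and the 10-lookup limit; a/mx/ptr/exists need live DNS and are reported as permerror here, which is a simplification.

```python
"""Evaluate a sender IP against an SPF policy (subset of RFC 7208).

Added example for this comment thread; not Synology's code. DNS lookups are
replaced by FAKE_DNS, a table of constructed records using documentation
address ranges (RFC 5737 / RFC 3849), so it runs offline.
"""
import ipaddress

# Constructed TXT records standing in for DNS. Assumption: none of these are real.
FAKE_DNS = {
    "vendor.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-include: must not recurse forever
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF TXT record for a domain, or None if it publishes none."""
    rec = dns.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(ip, domain, dns=FAKE_DNS, _budget=None):
    """Return pass / fail / softfail / neutral / none / permerror for ip claiming domain."""
    if _budget is None:
        _budget = [MAX_LOOKUPS]  # shared across nested includes
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]          # "all" always matches; policy ends here
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"           # lookup limit exceeded (e.g. include loop)
            inner = check_spf(ip, arg, dns, _budget)
            if inner == "pass":
                return QUALIFIERS[qual]      # include matches only on an inner "pass"
            if inner in ("permerror", "none"):
                return "permerror"
            # inner fail/softfail/neutral: the include simply does not match; continue
        else:
            # a, mx, ptr, exists, redirect= need real DNS; treated as permerror in this example
            return "permerror"
    return "neutral"                         # nothing matched and no "all" term: default result
```

A receiver that gets "fail" for a message claiming a synology.com envelope sender has solid grounds to reject it regardless of what the From: header says; "softfail" and "neutral" are where most real-world policies leave the decision to the spam filter.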

  3. Annihilator

    http://forum.synology.com/enu/viewtopic.php?t=88770

    Synology's less than stellar advice so far. "If affected, switch it off and call us".

    1. Trevor_Pott Gold badge

      Actually, I can't really call them on the carpet for that one, mate.

      If affected, you're screwed. Your data's gone and you either pay the ransom or pray for backups. In that case, the fact that the advice is "switch it off and call Synology" is - to my mind - exactly the right response.

      This means that they will give each user a walk through their options one by one. It also means that if the user chooses to simply nuke out the OS, restore and start fresh by blanking the drives then Synology will help them do so.

      Beyond that, I'm honestly not 100% sure what Synology can do. Offer to pay the ransom for you? I'm pretty sure that's actually illegal.

      If they knew how to crack the thing and get you your files back should they be posting that on the internet for all to see? Or should they walk you through it on the phone where there's at least a chance that the minor obscurity will prevent the bad guys from figuring out that their operating version is done for?

      Honestly, if you've any better advice at all for any of it, ping me and I'll make sure it gets in front of the right people at Synology.

      As regards "how this could be prevented in the future", keep an eye out for a sysadmin blog in a few hours. That one has already been written, and Synology's brass sent a scathing hot piece of my mind besides. I have a face-to-face with these folks in a few weeks, and there will be beating about the ears, I promise you all.

      1. Gotno iShit Wantno iShit

        @Trevor.

        "Honestly, if you've any better advice at all for any of it, ping me and I'll make sure it gets in front of the right people at Synology."

        A minor point in the grand scheme of things but these two seem bass acwards to me:

        B. Update DSM to the latest version

        C. Backup your data as soon as possible

        Don't forget to pack your cluebat for that meeting.

        http://gallery.gosi.at/d/7818-2/cluebat.jpg

        1. Trevor_Pott Gold badge

          Re: @Trevor.

          Okay, I do get the quibble about "backup first, then upgrade the DSM"...sort of. In the many years I've owned Synology Diskstations I've never had a DSM update go sideways on me. To be perfectly honest, I trust the DSM update process enough, I'm not sure a special "out of band" backup would have even occurred to me. (I do have automated end of night backups, natch.)

          But I'll make sure to pass along your advice all the same, because it is right and proper that they pay attention to the order of that.

          1. JetSetJim

            Re: @Trevor.

            Just curious, is there an "off-grid" way to update DSM? Step 1 seems to be "unplug it from t'internet". :)

            Fingers crossed mine lasts the 8 hours till I get home to check the config, though...

            1. Trevor_Pott Gold badge

              Re: @Trevor.

              Absolutely. Please go to the Synology Download Center and download the update or new version of DSM for your device. You'll be able to log into your Diskstation or Rackstation locally and then go into "Start --> Control panel --> Update and restore (which is under "system")". Here you'll be able to feed it the file you downloaded.

              I've done the above many times. It's safe and works well.

              1. JetSetJim
                Pint

                Re: @Trevor.

                Ta for that. At some point I really must get round to RTFM for more features of this nice bit of kit I bought

                1. Steven Raith

                  Re: @Trevor.

                  Latest update is that they've killed QuickConnect and Synology DDNS access to devices that are vulnerable - not much they can do about those who have rolled their own access though, other than hope they're paying attention to the tech press, or are actually doing security updates.

                  http://www.synology.com/en-us/company/news/article/470

      2. Annihilator

        "Actually, I can't really call them on the carpet for that one, mate."

        I'm not criticising the advice for when the machine is boned - you're right, they have very little they can add at this stage - I'm criticising the lack of advice for non-infected users. They could at the very least have given the same preventative advice that you've given in the article which so far they seem to have failed to do?

        1. Trevor_Pott Gold badge

          They're putting together a complete PR campaign around this. Their PR guy is horribly overworked, and he has been reaching out to tech journalists around the world on this. My article - and others like it - are the first line of their efforts to reach customers.

          I suspect an e-mail blast is being prepared, though I personally think that should have been done about 10 minutes after learning this was an issue. Still; I do know that they will be issuing most (if not all) of the advice I wrote in this article, probably later today.

          We'll see over time how the response shapes up, and I'll work with their PR guys - and hopefully their brass - to make sure they do better next time. People's files are being encrypted. Who knows how many memories are being lost. It's the least I can do.

      3. Trevor_Pott Gold badge

        The second piece has been published, for those curious.

    2. Paul

      I think a key point here is that the owners could do more harm than good in trying to resolve the problem themselves, probably in a panic, so turning it off until they calm down and get expert help would be a good thing.

  4. Dan S
    Unhappy

    Ok, shutdown... then what?

    I have (sorry, had) more than one Synology server in different locations precisely for the purpose of having redundant backup and high availability. Everything offsite is now powered down. Onsite I've yanked the CAT6 until I sort the ports out.

    There is a lot at stake for Synology as a company in terms of how quickly they a) communicate this to customers (I found out from El Reg, not Synology), and b) how fast they patch DSM 5 and 4.*. They will need to re-gain trust. Ideally an independent audit of their DSM software. But even simple measures like allowing users to easily change standard ports (and by "easily", I mean in the GUI) would be a help right now.

    As I start thinking about how to improve my resilience, buying more Synology kit isn't exactly top of the list. If they'd put half the effort spent on the "pretty" new GUI for DSM5 into improving security then we probably wouldn't have this problem.

    I have USB hard drive backups of most data. The rest are in Amazon Glacier. If I have to pull data out of Glacier because of this then Synology can expect to receive the bill.

    1. sjaddy

      Re: Ok, shutdown... then what?

      Synology actually announced it on Facebook last night - I saw it at about 5pm UK time yesterday.

      You may not like facebook/twitter but it is usually the fastest medium for these companies to get the info out.

      1. Dan S

        Re: Ok, shutdown... then what?

        Good. However, it didn't show in my Facebook news feed. So perhaps more channels of communication wouldn't hurt. It's not like they don't have our addresses. This is urgent. The quicker people know, the more data will be saved.

        BTW I'm not sure why you've inferred I don't like facebook/twitter - I use them both. And indeed have used them this morning to alert more people. They play a part in the dissemination of info, but Synology could go further.

        1. sjaddy

          Re: Ok, shutdown... then what?

          The inferring "you may not like facebook/twitter" was because I don't know you so I don't want to presume that you use either/both.

        2. John Brown (no body) Silver badge
          Thumb Up

          Re: Ok, shutdown... then what?

          "However, it didn't show in my Facebook news feed. "

          You are probably part of the "good news only" research panel.

      2. This post has been deleted by its author

      3. cpg

        Re: Ok, shutdown... then what?

        Great, Awesome.....What? Wait that's a partial fail!

        What about those of us that do not use Facebook or Twitter or other social media?

        I'm in with the call that an email out to all registered users (in the same vein as when an update is released), would have been far more effective for me.

        1. phil dude
          Linux

          Re: Ok, shutdown... then what?

          most competent companies post their OWN facebook/twitter feed on their OWN website. That way since the *actual* place we all check for security information is $COMPANY, if there is a warning everyone will see it.

          Seriously, I don't have one of these NAS's. I rolled my own (HP uServer), but this morning I double checked the backup plan and firewall if for no reason, that this reminded me how precarious data is...

          P.

  5. Bonce

    Advice please

    The admin interface runs on port 5000/5001, so if I edit the firewall rules to remove access the software warns me that doing so would block my own access and reverts the settings. How do I go about blocking external access while maintaining access via LAN?

    Thanks!

    1. frank ly

      Re: Advice please

      Edit the port forwarding settings on your router. I'm assuming that your router is set up to forward 5000,5001 to your Synology box and that you do normally have access to it from the internet.

      1. Bonce

        Re: Advice please

        Thank you! I completely forgot I'd done that. Rule removed :)

        1. frank ly

          Re: Advice please

          It's truly scary, the number of things/settings that I've forgotten I'd done. I only figure them out again after much fault finding and swearing.

    2. Trevor_Pott Gold badge

      Re: Advice please

      Edit the firewall on your router, not your Synology NAS. Your Synology NAS should never be plugged directly into the internet. There should always be a router in between. If you have any questions whatsoever, contact Synology immediately, and they'll walk you through locking this down.

      Edit: others go there first. :)

      1. Steven Raith

        Re: Advice please

        Don't forget the DMZ of your router, in case you threw it in there to try to see how far you could throw the streaming functionality, or whatever it was I....er....someone I know, was trying to do that I...er, he, can't remember now.

        *cough*

        *disables DMZ host, kills ports*

        Mind you I'm running a draytek VPN over fibre, so VPN performance is perfectly good for getting access to files etc. I think I might keep it that way for a while till a confirmed fix is published.

        Steven R

  6. Anonymous Coward
    Anonymous Coward

    Compounding the problem is that Synology routinely issues DSM update notices, but then fails to post the latest updates on their support site. Their Support is reasonably fast and sends links in response to complaints, but Synology's release process seems broken. They *really* need to get their act together.

  7. Anonymous Coward
    Anonymous Coward

    "Do not trust/ignore any email from..." WHICH ONE? TRUST OR IGNORE???

  8. BlartVersenwaldIII

    Seems depressingly common with NAS vendors

    The main reason I gave up on my QNAP and went back to building my own linux boxes was due to a) foot-dragging getting security updates out and b) poor QA on their feature-and-security releases.

    That said, all of this "let's expose the NAS to the outside world" nonsense needs to stop; the official instructions normally just say "either turn on UPnP and get it all done automagically, or just forward ports 22, 80, blah blah" - all a massive security risk that the user needs to be made explicitly aware of. Given that these are just linux distros I've no idea why they don't integrate a simple VPN (e.g. OpenVPN which AFAICT has a VPN client for pretty much every device out there) better into this process.

    I had a friend with the same QNAP as me, opened his meeja-sharin' web pages to the world, vuln in the web server and got his box rooted enough to be banned by the ISP for spamming. But at least it earnt me a crate of beer for extracting his data from the array before we blew away the discs and the DOM. He too was an IT professional but viewed his NAS as an "appliance" with the blinkered view that appliances don't require regular maintenance and diligence like everything else does.
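The "turn on UPnP and get it all done automagically" path is exactly what leaves people unsure whether their NAS is reachable from the outside: the router's mapping table, not the NAS's own firewall, is the record of what got opened. Here is an added example for this thread, not Synology's or any router vendor's code, that walks an IGD router's port-mapping table over UPnP SOAP and flags entries that land on the DSM admin ports (5000/5001, an assumption; add SSH or others as you see fit). It assumes you already have the router's WANIPConnection control URL, which is listed in the device description XML that SSDP discovery points at; discovery itself is left out. The two sample responses embedded in the file are constructed in the shape routers return, not captures from a real device.

```python
"""Audit the port mappings a UPnP/IGD router has opened.

Added example for this comment thread; not Synology's or any router's code.
Assumptions: the caller supplies the router's WANIPConnection control URL,
and the admin ports of interest are DSM's 5000/5001.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")
WATCH_PORTS = {5000, 5001}  # DSM web UI (assumption: extend to 22, 5005/5006, etc.)

# Constructed responses in the shape IGD routers return; not captured from a real device.
SAMPLE_MAPPING_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>5000</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>5000</NewInternalPort>'
    '<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>DSM</NewPortMappingDescription>'
    f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>'
)
SAMPLE_END_OF_TABLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    '</detail></s:Fault></s:Body></s:Envelope>'
)


def build_request(index):
    """SOAP envelope asking for the mapping at table position `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def parse_response(body):
    """Return the mapping's fields as a dict, or None on UPnP error 713
    (SpecifiedArrayIndexInvalid), which means we walked past the end of the table."""
    values = {}
    for el in ET.fromstring(body).iter():
        tag = el.tag.split("}")[-1]          # ignore namespace prefixes
        if tag in FIELDS:
            values[tag] = (el.text or "").strip()
        elif tag == "errorCode":
            if (el.text or "").strip() == "713":
                return None
            raise RuntimeError("UPnP error " + (el.text or "?"))
    if "NewExternalPort" not in values:
        raise RuntimeError("unexpected response from router")
    return values


def flag_exposure(mappings, nas_ip):
    """Mappings that forward an external port onto nas_ip's admin ports."""
    return [m for m in mappings
            if m["NewInternalClient"] == nas_ip
            and int(m["NewInternalPort"]) in WATCH_PORTS]


def fetch_mappings(control_url):
    """Walk the router's table index by index until it reports 713."""
    mappings, index = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=build_request(index).encode(),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
        except urllib.error.HTTPError as e:
            body = e.read()                  # SOAP faults arrive as HTTP 500 with an XML body
        entry = parse_response(body)
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: upnp_audit.py <control-url> <nas-lan-ip>")
    table = fetch_mappings(sys.argv[1])
    for m in table:
        print(f'{m["NewProtocol"]} {m["NewExternalPort"]} -> '
              f'{m["NewInternalClient"]}:{m["NewInternalPort"]} ({m["NewPortMappingDescription"]})')
    for m in flag_exposure(table, sys.argv[2]):
        print("EXPOSED admin port:", m["NewExternalPort"], "->", m["NewInternalPort"])
```

Run it from a LAN host against the router's control URL and your NAS's LAN address. If anything is flagged, remove the mapping on the router (or disable UPnP outright) rather than on the NAS; a box that can re-add its own mappings over UPnP will happily do so again after the next reboot.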

    1. Jay 2

      Re: Seems depressingly common with NAS vendors

      Fortunately I don't require remote access to my NAS, so when I first powered on my new Syno a few weeks back and it asked me if I wanted to connect to t'interwebs I politely declined. OK I probably said something along the lines of "fuck no!".

      Though you hit the nail on the head in that such devices are now seen as appliances and they will quite happily run off and do strange things to your router via UPnP if you let them. We IT pros know this sort of thing, but Joe Public doesn't. It does worry me that with all the hype about The Internet Of Things and a bit of IPv6 then it's only a matter of time before fridges, toasters and the like are subverted...

    2. Annihilator
      Thumb Up

      Re: Seems depressingly common with NAS vendors

      " this "let's expose the NAS to the outside world" nonsense needs to stop; "

      Nail meet hammer

  9. El_Fev

    surely ...

    All they have to do is wait for them to ask for money and then the police just track down to whatever account they try to use!

    1. sjaddy

      Re: surely ...

      think they will ask for it in bitcoins - will be harder to track down

      1. Sandtitz Silver badge
        Coat

        Re: surely ...@sjaddy

        "think they will ask for it in bitcoins - will be harder to track down"

        Nonsense! Per the Bitcoin advocates everything is just fine and crooks refuse to use Bitcoins at all.

        ...Bitcoin works with an unprecedented level of transparency that most people are not used to dealing with. All Bitcoin transactions are public, traceable, and permanently stored in the Bitcoin network...

  10. DesktopGuy

    Been visiting my Synology clients all day - still going...

    Was told about this by a client this morning who heard about it from someone who got owned.

    So far, secured 7 devices today and doing another one tonight. The rest of devices have been powered down until I go over and secure them.

    All told, we are talking about 130+TB of data (3 of the units with large RackStations).

    I manage around 50 devices from a few manufacturers - this is by far the worst issue I've come across in 7 years of managing NAS devices.

    To make matters worse, a lot of the distributors in countries were not told by Synology of the issue.

    All in all, a scary day for my clients. Will need to see how Synology respond before recommending any more kit...

    1. Bod

      Re: Been visiting my Synology clients all day - still going...

      "To make matters worse, alot of the distributors in countries were not told by Synology of the issue."

      Synology aren't even telling their users. You'd only know if you happen to come across a news article, FB/twitter post or browse their forums. Should be an email gone out instantly and with the latest update advice to all users.

  11. Fuh Quit
    Linux

    This is what you get when consumer/simple devices meet the Internet

    I only have one port open to the Internet on mine....OpenVPN. Even then, you cannot use the admin account for anything on that system and the other services running on it are kept to a minimum (even though they're only available to my Class D network).

    But Joe Average finds that too hard and click-click-click too easy. Heck, the NAS will also try to open the ports on the router to provide access directly to the device.

    It's like NoScript - the experts are protected but everyone else is SOL....! Synology is not alone here....make something easy for people who can't do something and it'll eventually go wrong.

  12. buckyball

    Intel FDIV bug

    Reminds me of how Intel handled that issue.

    - Timely reporting

    - Ongoing progress disseminated widely.

    - Offered replacement for affected parts.

    Still used as textbook example of how to handle product defect.

  13. This post has been deleted by its author

  14. TuxIsOnFire

    Update

    Updated post on synology's facebook page:

    Synology Continues to Encourage Users to Update

    Thank you for your patience as we continue to investigate the ransomware "SynoLocker" which is currently affecting certain Synology NAS users.

    We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. We HIGHLY encourage our users to update their DSM.

    Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM.

    Please take a look at our official statement with more information here: http://bit.ly/1oypNfE

    We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we continue to address this issue.

  15. Anonymous Coward
    Anonymous Coward

    so .... if I don't run EZ-Internet ....

    If I don't run any outgoing services - just the Download Station - am I safe ?? If not, what must I do ? (there is a DNS server in there too ...). I am behind several "layers of NAT", (because that's how ISPs do their thing here) and I don't have a fixed IP address ... Thanks in advance and excuse me if I'm missing something ..

    1. Trevor_Pott Gold badge

      Re: so .... if I don't run EZ-Internet ....

      If your Synology doesn't have ports open to the net, you should be safe. But do run updates on the thing anyways. If your computer were ever infected in the future, and your Synology was left unpatched, it could be pwned at that point. Updating now will patch the hole.

      1. Anonymous Coward
        Anonymous Coward

        Re: so .... if I don't run EZ-Internet ....

        Thanks for that .... have an upvote !

  16. razorfishsl

    They are just incompetent.

    Somewhere along the way they 'broke' the ability to manually download updates and then upload to the disk-stations, these idiots REQUIRE the device to be connected to a router/switch that exposes it to the internet.

    Then they introduced their STUPID update system with partial updates, which again can ONLY be installed by connecting the system to the internet.
