Cryptolocker malware now specifically targets Synology NAS devices

Several owners of Synology NAS devices report that their files have been encrypted by a variant of the Cryptolocker malware specifically designed to target Synology boxes. A NAS (Network Attached Storage) is a storage device designed to share files over a network. Modern NAS systems can contain several HDDs with thousands of files and run software to, for example, stream video and music and make backups of connected systems.


The new Synology-targeting Cryptolocker variant is called Synolocker. Once it has infected the system, it warns the user that important files on the NAS are encrypted. The files can be decrypted by paying the ransomware authors a fee. In this case the cyber criminals want users to visit a website on the anonymous Tor network to make a payment of 0.6 Bitcoin (about $350). After the payment the files should be decrypted again.

The ransomware uses a 7-month-old vulnerability that was patched by Synology in 2013. Users running version 4.1 or 4.2 of DSM, Synology's NAS management software, are advised to upgrade to 4.2-3243 or higher to protect themselves against the vulnerability. Users of DSM 4.0 are advised to upgrade to DSM 4.0-2259 or higher. The company says users on its latest version, DSM 5.0, are not vulnerable.

The Synology devices affected so far are the DS211J, DS212J, DS213J and the DS1513.

Looking at the transactions the above Bitcoin address has received, the ransomware developers haven't had much luck: so far they have received only 0.0001 Bitcoin, which could be just a test payment.

Update: Synology contacted us to say that the malware was limited to non-updated versions of DSM 4.3. As DSM is their OS and is used across all Synology devices, all Synology NAS systems were affected if the system was not updated. Older versions of DSM 4.3 could be affected. The company stresses that it's important for people to keep their OS up to date, which is why it changed the default behavior to auto-update in the latest DSM version, DSM 5.0. While that can be disabled, the company encourages you not to alter that setting, as it frequently releases (security) updates.
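For admins with more than one box to check, the upgrade advice and the update above can be turned into a quick triage script. This is an added example, not code from Synology or from this article; it assumes each device's version is available as `majorversion`, `minorversion` and `buildnumber` key="value" lines, and the inventory below is constructed sample data.

```python
import re

# First patched build per DSM branch, as stated in the article.
FIXED_BUILD = {(4, 0): 2259, (4, 2): 3243}

def parse_version(text):
    """Parse key="value" lines (assumed layout, not taken from the article)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    try:
        return tuple(int(fields[k])
                     for k in ("majorversion", "minorversion", "buildnumber"))
    except (KeyError, ValueError):
        return None  # missing or non-numeric fields

def assess(text):
    """Classify one device against the builds named in the article."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, build = version
    if (major, minor) == (4, 1):
        return "vulnerable"  # 4.1 users are told to move to 4.2-3243 or higher
    if (major, minor) in FIXED_BUILD:
        return "patched" if build >= FIXED_BUILD[(major, minor)] else "vulnerable"
    if (major, minor) == (4, 3):
        return "review"  # update: old 4.3 builds affected, no fixed build given
    if (major, minor) == (5, 0):
        return "not_vulnerable"
    return "unknown"  # branch not covered by the article

# Constructed sample inventory: hostnames and build numbers are made up.
INVENTORY = {
    "nas-a": 'majorversion="4"\nminorversion="2"\nbuildnumber="3211"\n',
    "nas-b": 'majorversion="4"\nminorversion="2"\nbuildnumber="3243"\n',
    "nas-c": 'majorversion="4"\nminorversion="0"\nbuildnumber="2198"\n',
    "nas-d": 'majorversion="4"\nminorversion="1"\nbuildnumber="2668"\n',
    "nas-e": 'majorversion="4"\nminorversion="3"\nbuildnumber="3776"\n',
    "nas-f": 'majorversion="5"\nminorversion="0"\nbuildnumber="4493"\n',
    "nas-g": 'productversion="unreadable"\n',
}

def triage(inventory):
    """Return {host: status} for every device in the inventory."""
    return {host: assess(text) for host, text in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `review` or `unknown` still need a manual check against Synology's current advisory, because the article gives no fixed build for those branches.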
