Users of Synology’s market-leading DiskStation NAS drives are being urged to update their drive’s management software immediately after what appears to be an unprecedented targeted attack by CryptoLocker-like ransom malware.
Currently, the only descriptions of the attack are on the firm’s user forums, which over the weekend started to fill up with complaints that trying to open the DiskStation web console was throwing up a message from something called ‘SynoLocker’ demanding a ransom of 0.6 Bitcoins (worth about $350).
“When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked,” read the first complaint on Synology’s online forum.
From the descriptions, the mysterious malware seems to be triggered when users access the drive’s interface, which suggests that an infection on the workstation is exploiting a known vulnerability to attack the drives at that moment.
Needless to say, SynoLocker is completely new and it is unlikely that any workstation antivirus products will detect it.
The malware starts encrypting files, telling users that this process is under way. This implies that unencrypted files can still be copied at that point although how many will depend on the number of files on the affected drive. The best course of action remains to turn off the drive immediately and take advice.
An official Synology statement said that the issue seemed to be affecting DiskStations running DiskStation Manager (DSM) 4.3-3810 or earlier.
“Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM, by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.”
The flaw being exploited appears to be connected to CVE-2013-6955, which would allow an attacker (running on the PC) to gain root privileges, in effect taking over the system.
Users should update to the latest version as soon as possible by going to Control Panel > DSM Update or manually by visiting their support site, the firm said.
“If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at [email protected] where a dedicated team will look into their case,” the statement added.
Synology users might also want to think about how the malware reached their NAS in the first place. The method remains unconfirmed but an attack from a local workstation is highly likely and so that will need to be traced too.
For attackers to target NAS drives in this way is brand new for a form of malware that has cut a swathe through hard drives on PCs in the last year. It is also logical; ransom malware such as CryptoLocker and Cryptowall was always targeted primarily at SMEs whose data is valuable. Because a lot of this sits on NAS drives, attacking them is an obvious ploy if a way can be found to beat any security in place.