Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is a similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them.
The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended configurations that involve exposing the administration page to the internet.
If you have exposed either or both of your Synology NAS' ports 5000 or 5001 to the internet then stop reading this article right now and go close those ports. These are the default HTTP and HTTPS web server ports for Synology and allow access to the administration page
In addition to allowing access to the administration page, these ports – and thus the same web server instance – are being used to serve up several components of the Synology offering. Services offered on these ports include DS Audio, DS Cam, DS file, DS finder, DS video, DS Download, Video Station, File station and Audiostation.
If you have opened ports for any of these services to the internet then you have also opened the Synology administration page. Be aware that if you use the Synology "EZ-Internet" router configuration utility it will open these vulnerable ports to the internet, so under no circumstances use this tool until the storm has passed, and Synology has worked out some better defaults.
If you need remote access to your Synology, it is highly recommended that you use a VPN to do so. If you are using the VPN provided by Synology, make sure it is up to date, as a known vulnerability exists in older versions.
If you don't have a VPN server, you can use FTP, or even WebDAV, though I strongly recommend using them on non-default ports. The WebDAV server in the Synology units appears to be a different server from the one serving up the administration pages.
There's probably more that will come out over time, and the Synology dev team is still busy trying to figure out exactly which versions of the Synology operating system (called DSM) are vulnerable. Considering the kind of delays that Synology has been experiencing in getting fixes out, it may be a while before a fix arrives.
Once Synology has fixes out we should bear in mind that this is only a band-aid covering a specific vulnerability. The issues that led to first Dogecoin miner malware and now the cryptolocker ransomware indicates that Synology's internal security processes require review.
This means that we, as systems administrators, should be taking extra care with our Synology boxes and making sure we understand the full threat profile they represent before we open any ports on them to the internet. If you have any questions about the risks associated with a particular service being opened to the internet, contact Synology directly and ask.
Synology is still formulating an official response to the Synolocker outbreak. Its unofficial response is as follows:
To prevent your NAS from becoming infected:
- Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
- Update DSM to the latest version
- Backup your data as soon as possible
- Synology will provide further information as soon as it is available.
If your NAS has been infected:
- Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
- Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
- Contact Synology Support as soon as possible, here. ®