SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices

  • Liam Tung (CSO Online)
  • 04 August, 2014 09:53

Synology network attached storage (NAS) devices, capable of storing terabytes of data, have been targeted by ransomware that encrypts victims’ files.

Owners of Synology's NAS devices might want to unplug their storage boxes now to avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.

The new attack on Synology kit comes within a year of Synology NAS devices being struck by fraudulent Bitcoin mining operators, with several owners on Sunday reporting that they had found a message from the “SynoLocker Automated Decryption Service” — when accessing the main page of the Web-server for their NAS device — stating that “all important files on this NAS have been encrypted using strong cryptography”.

As one victim on Synology’s English user forum commented, the SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, which at today’s exchange rate is around USD$350. According to the user, there’s a small window of opportunity to minimise the damage. That is, if you can backup files faster than the program encrypts them.

“My Diskstation got hacked last night. When I open the main page on the webserver i get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by files. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files was copied I turned of my disk.”

It’s not clear yet how SynoLocker’s operators installed the malware, for example, if they had exploited a vulnerability in Synology devices. CSO Australia has asked Synology for comment and will update the story if it receives one.

According to the victim, Synology’s support team are interested in hearing from victims who have not reinstalled its Linux-based DiskStation Manager NAS operating system.

Synology’s NAS devices were hit late last year by scammers looking to use their compute power to mine several cryptocurrencies, including Bitcoin.

The ransomware gang has set up a website hiding behind The Onion Router (Tor) to handle the payments and the decryption key exchange.

A German speaking victim on Synology’s German user forum posted the full message, which is written in English and details the Tor website that victims need to visit to acquire the key:

Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

  1. Download and install Tor Browser.
  2. Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
  3. Login with your identification code to get further instructions on how to get a decryption key.
  4. Your identification code is - (also visible here).
  5. Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

  • A unique RSA-2048 keypair is generated on a remote server and linked to this system.
  • The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
  • A random 256-bit key is generated on this system when a new file needs to be encrypted.
  • This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
  • The 256-bit key is then encrypted with the RSA-2048 public key.
  • The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
  • The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
  • The encrypted file is renamed to the original filename.
  • To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
  • Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
  • When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.

Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.

Synology also responded to CSO Australia:

"When trying to access DSM, it displays the following message 'All important files on this NAS have been encrypted using strong cryptography', in addition to instructions for paying a fee to unlock your data.

"What should you do? If you are seeing this message when trying to login to DSM:

"1) Power off the DiskStation immediately to avoid more files being encrypted

"2) Contact our Support team so we can investigate further. If you are in doubt as to whether your DiskStation may be affected, please don't hesitate to contact us at

"We apologise for any issue this has created, we will keep you updated with latest information as we address this issue. Our support team can be reached here."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.