NEWS FROM THE LAB - Wednesday, August 6, 2014

Ransomware Race (part 2): Personal media the next frontier? Posted by Artturi @ 09:36 GMT

It seems malware authors have recently taken a liking to the network-attached storage (NAS) devices manufactured by Synology Inc. First they were hit by Bitcoin-mining malware at the beginning of this year, and now by file-encrypting ransomware similar to CryptoLocker. NAS devices are used by home and business users alike to easily store and share files over a network. Many, including those manufactured by Synology, also feature remote access. In this case, it would seem hackers were able to abuse the remote access feature, possibly by exploiting a vulnerability in older versions of the Synology DSM operating system, to gain access to the devices. Once they had access, they proceeded to install ransomware they have dubbed "SynoLocker".

Once the device has been infected with SynoLocker, the malware proceeds to encrypt files stored on the device. It searches the device for files whose extensions match a hardcoded list (shown below). Extensions are matched by prefix: only the beginning of a file's extension needs to match an entry in the hardcoded list. This means, for instance, that both .doc and .docx files will be encrypted, since the list contains ".do".

Screenshot: extension list hardcoded inside SynoLocker

Once all files have been encrypted, SynoLocker will present the user with a ransom message. The ransom message instructs the user to first download and install the Tor Browser Bundle. Next, users are to browse to a specific website on the Tor network. On that website, users will be further instructed to make a payment of 0.6 BTC (approximately 260 EUR or 350 USD) to a specific Bitcoin wallet. Once payment has been received, the malware author(s) promise to supply the user with a decryption key for recovering their files.

Screenshot: the SynoLocker page on the Tor network as presented to victims

The ransom message presented by the malware also purports to describe the technical details of the encryption process. The process described is very similar to the one used by the infamous CryptoLocker ransomware family. It begins with the generation of a unique RSA-2048 keypair on a remote server. Next, the generated public key is passed to the malware. When encrypting files, the malware generates a separate, random 256-bit key that is used to encrypt the files with the AES-256 CBC symmetric cipher. That 256-bit key is then encrypted with the RSA-2048 public key and stored on the device before being removed from device memory. If implemented correctly, this process ensures that the only way to restore the encrypted files is to obtain the RSA-2048 private key and first decrypt the stored file containing the 256-bit encryption key.
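The scheme the ransom note describes (a random AES-256 key encrypting the data, that key wrapped with an RSA-2048 public key whose private half stays on the attacker's server) is the same hybrid, or envelope, construction that legitimate backup and key-management tools use. The Go program below is an added example written for this post; it is not SynoLocker's code and nothing from Synology or F-Secure. It assumes OAEP padding for the RSA step and PKCS#7 padding for CBC, neither of which the note specifies, and it keeps everything in memory rather than touching files. What it shows is the property the post relies on: after sealing, only the wrapped key remains, so an unrelated private key fails at the unwrap step, and without the attacker's private key a separate backup is the only way back to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what remains on the device after the scheme in the post has run:
// the AES-256-CBC ciphertext, its IV, and the AES key wrapped with the RSA-2048 public key.
type Envelope struct {
	WrappedKey []byte // 256 bytes: the 32-byte AES key under RSA-2048 (OAEP assumed)
	IV         []byte // 16-byte CBC initialisation vector
	Ciphertext []byte // PKCS#7-padded data under AES-256-CBC
}

// NewKeyPair stands in for the remote server that generates the RSA-2048 keypair;
// in the real scheme only the public half ever reaches the device.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// pkcs7Pad appends 1..size bytes so the length becomes a multiple of size (copies, never aliases b).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b[:len(b):len(b)], bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips that padding, returning an error on malformed input instead of panicking.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%size == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: invalid padding")
	}
	return b[:len(b)-n], nil
}

// Seal is the step the note describes: a fresh random 256-bit key encrypts the data with
// AES-256-CBC, the key is wrapped with the RSA public key, and the plaintext key is discarded.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+aes.BlockSize) // 256-bit AES key followed by a random IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // drop the plaintext key; only the wrapped copy is kept
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Open is the recovery step only the private-key holder can perform: unwrap the AES key,
// then decrypt. Any other RSA private key fails at the unwrap (OAEP integrity check).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(env.IV) != aes.BlockSize || len(env.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("envelope: bad IV or ciphertext length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	priv, _ := NewKeyPair()
	env, _ := Seal(&priv.PublicKey, []byte("constructed sample file content")) // constructed input
	other, _ := NewKeyPair()
	_, wrongErr := Open(other, env) // the victim's position: no matching private key
	pt, _ := Open(priv, env)        // the key holder's position
	fmt.Printf("wrapped key %d bytes; wrong key: %v; right key: %q\n", len(env.WrappedKey), wrongErr, pt)
}
```

Note that the post's caveat "if implemented correctly" is doing real work here: the construction is only as strong as the handling of the plaintext AES key. The zeroing loop in Seal is illustrative, since the cipher object keeps its own expanded key schedule until it is garbage-collected, and any implementation that logs, caches or leaves the raw key on disk would give a forensic analyst a way back to the data that the RSA step was meant to close off.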

Based on our analysis of SynoLocker, the malware author(s) have followed through with their threats and have properly implemented the process described. Sadly, this means any files stored on the NAS device will have been lost unless the user has kept a separate backup. There have also been reports of users paying the malware author(s) and successfully receiving the RSA-2048 private key and decrypting their files, but we strongly discourage ever paying malware authors. It only encourages them to continue their malicious work.

For users of Synology NAS devices, we highly recommend following Synology's official advice on mitigating or remediating this threat.

Sample hashes:

We detect these as Trojan:Linux/SynoLocker.A

Post by Artturi (@lehtior2)