Indice Area Generale Annunci & News !!!Ransomware attacca i NAS Synology e sequestra i file!!!
********

!!!Ransomware attacca i NAS Synology e sequestra i file!!!

Tutti gli avvisi e le novità del Forum raccolte in questa sezione!

Moderatore: Moderatori


xenical Avatar utente
Nuovo utente

Messaggi: 43
Fonti:

Il software

Forum Synology Inglese

Mobile01

Questo il testo di quanto appare nell'inquietante messaggio

SynoLocker™
Automated Decryption Service
All important files on this NAS have been encrypted using strong cryptography

List of encrypted files available here.
Follow these simple steps if files recovery is needed:
1. Download and install Tor Browser.
2. Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
3. Login with your identification code to get further instructions on how to get a decryption key.
4. Your identification code is - (also visible here).
5. Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:
• A unique RSA-2048 keypair is generated on a remote server and linked to this system.
• The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
• A random 256-bit key is generated on this system when a new file needs to be encrypted.
• This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
• The 256-bit key is then encrypted with the RSA-2048 public key.
• The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
• The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
• The encrypted file is renamed to the original filename.
• To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
• Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
• When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
• Note: Without the decryption key, all encrypted files will be lost forever.
Copyright © 2014 SynoLocker™ All Rights Reserved.


Personalmente per non rischiare ho disabilitato TUTTI gli accessi da remoto.

CSO Australia riceve questa mail da Synology
Synology also responded to CSO Australia:

"When trying to access DSM, it displays the following message 'All important files on this NAS have been encrypted using strong cryptography', in addition to instructions for paying a fee to unlock your data.

"What should you do? If you are seeing this message when trying to login to DSM:

"1) Power off the DiskStation immediately to avoid more files being encrypted

"2) Contact our Support team so we can investigate further. If you are in doubt as to whether your DiskStation may be affected, please don't hesitate to contact us at security@synology.com

"We apologise for any issue this has created, we will keep you updated with latest information as we address this issue. Our support team can be reached here."

Fonte


Seguiremo gli sviluppi

Nel frattempo un utente del forum inglese (Mike) ha suggerito questo per poter tornare ad accedere al NAS, anche se i file ovviamente sono ancora criptati.
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.
Immagine
Synology DS214 play - DS213J

xenical Avatar utente
Nuovo utente

Messaggi: 43
In merito alla questione ecco un comunicato di Synology

Fonte

Synology® Continues to Encourage Users to Update
Washington, Bellevue—August 5th, 2014 —We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.
We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.
For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php
When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
A process called “synosync” is running in Resource Monitor.
DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.
For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
For DSM 4.3, please install DSM 4.3-3827 or later
For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
For DSM 4.0, please install DSM 4.0-2259 or later
DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.
If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.
We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.



Sembra che Synolocker abbia sfruttato un bug che affligge versioni di DSM inferiori alla 4.3-3810, (problema che Synology aveva fixato a fine 2013).
A synology non è pervenuta nessuna segnalazione per DSM 5

Per arginare il problema si consiglia pertanto di spegnere immediatamente il nas e collegarlo ad un pc per recuperare i dati non ancora criptati; Reinstallare la versione aggiornata di DSM.

Synology raccomanda di aggiornare il DSM a queste versioni:

chi ha DSM 4.3, deve installare DSM 4.3-3827 or successivo
chi ha DSM 4.1 or DSM 4.2, deve installare DSM 4.2-3243 o successivo
chi ha DSM 4.0, deve installare DSM 4.0-2259 o successivo
Immagine
Synology DS214 play - DS213J

xenical Avatar utente
Nuovo utente

Messaggi: 43
Questa è la mail che ho appena ricevuto da Synology

Dear Synology users,

We would like to inform you that a ransomware called "SynoLocker" is currently affecting some Synology NAS users. This ransomware locks down affected servers, encrypts users’ files, and demands a fee to regain access to the encrypted files.
We have confirmed that the ransomware only affects Synology NAS servers running older versions of DiskStation Manager by exploiting a security vulnerability that was fixed and patched in December, 2013.

Affected users may encounter the following symptoms:

When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
If you have encountered the above symptoms, please shutdown the system immediately and contact our technical support here: https://myds.synology.com/support/support_form.php

If you have not encountered the above symptoms, we strongly recommend downloading and installing DSM 5.0, or any version below:

DSM 4.3-3827 or later
DSM 4.2-3243 or later
DSM 4.0-2259 or later
DSM 3.x or earlier is not affected
You can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.
If you notice any strange behavior or suspect your Synology NAS server has been affected by the above issue, please contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We’ll keep you updated with the latest information as we continue to address this issue.
Thank you for your continued patience and support.

Sincerely,
Synology Development Team


Praticamente ribadisce quanto detto nel post precedente
Immagine
Synology DS214 play - DS213J

Giuseppe Ragozzino Avatar utente
Utente attivo

Messaggi: 97

Buonasera, mi permetto di integrare l'ottimo thread in questione con il comunicato italiano.
Copiaincollo a seguire le info: resta inteso che noi consigliamo SEMPRE di avere il software aggiornato a bordo proprio per evitare la presenza di falle, almeno quelle note e fixate.




Taipei, Taiwan—August 6, 2014— Synology ha indagato e lavorato con utenti colpiti da recenti ransomware chiamatti “Synolocker”. Synology ha confermato che il ransomware colpisce i server NAS che utilizzano versioni più vecchie di DiskStation Manager, grazie ad una vulnerabilità che è stata fermata a dicembre 2013, per la quale a suo tempo Synology ha rilasciato un pacchetto software e notificato agli utenti l’aggiornamento attraverso vari canali.


Gli user colpiti possono incontrare i seguenti sintomi:

•quando eseguono il log a DSM, una schermata appare informando gli utenti che i dati sono stati criptati e un prezzo è richiesto per sbloccare i dati.
•Un utilizzo anomalo/superiore della CPU oppure di un processo chiamato “synosync” può essere verificato nel Menu Principale > Controllo risorse.
•DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 o precedente è installato, ma il Sistema dice che non ci sono aggiornamenti disponibili nel Pannello di controllo -> Aggiornamento DSM



Per gli utenti che hanno incontrato i sintomi di cui sopra, si prega di arrestare il sistema immediatamente per evitare che più file vengano decriptati e contattare il nostro supporto tecnico qui: https://myds.synology.com/support/support_form.php. Ad ogni modo Synology è abile a decriptare i file che sono già stati crittografati.


Per altri utenti che non hanno incontrato i sintomi sopra esposti, Synology raccomanda fortemente di scaricare e installare DSM 5.0, oppure una versione sotto elencata:
•DSM 4.3-3827 o più avanzata
•DSM 4.2-3243 o più avanzata
•DSM 4.0-2259 o più avanzata
•DSM 3.x o version precedent non colpite



Gli utenti possono scaricare manualmente l’ultima versione dal nostro Download Center e installarla dal Pannello di controllo > Aggiornamento DSM > Aggiornamento DSM manuale.


Synology si scusa sinceramente per ogni problema o inconveniente che questo ha causato ai nostri utenti. Dato che il cybercrime prolifera e che sofisticati malware evolvono, Synology continua a predisporre risorse per mitigare le minaccie e si dedica agli utenti per fornire soluzioni valide. Se gli utenti notano un comportamento sospetto della propria DiskStation dopo l’aggiornamento all’ultima versione , sono pregati di contattare security@synology.com.
Founder & CEO --> ForMobileS.info network
Usate il forum per le domande, così è facile per tutti leggere le risposte. E fate sempre una ricerca prima che magari già trovate la risposta!


Torna a Annunci & News