Types header

Name Synolocker
Type Crypto Ransomware
Encryption Type Similar to CryptoLocker
Short Description Synolocker is a Trojan specially developed to target the storage device network manufactured by synology.
Symptoms Those with the port 5000 and 5001 open on the internet falls pray to this ransomware attack. The ransomware scans for the two ports, overwrites all the files with some encryption algorithm which could only be decrypted by paying ransom.
Distribution Method This attack spreads via exploits and sits inside the victim’s device and encrypts every file in the system. The files are found to be less than 100mb due to the delay in encryption for bigger file size. Mostly the files are found to be images and documents.
Image  Synolocker
More Details

A new ransomware that completely targets the Synology network attached storage devices (NAS) called Synlocker. This particular ransomware does not affect the system rather it exploits the vulnerabilities based on the versions of Synology Disk Station Manager (DSM) OS. Any device with Version DSM 4.3-3810 or before are subjected to this attack through the internet.

After the infection the device displays a ransomware note making all other administrative options inaccessible. The ransomware note informs that the user files have been encrypted and could be decrypted by paying a ransom of .6 bitcoins or $350 USD.

The Ransom note holds Personal identification code which is used to login to the Synlocker payment system accessible via Tor “hxxp://cypherxffttr7hho.onion” to maintain the anonymity.

After the payment, the decryption key is provided to decrypt all the encrypted files.
Usually the SynoLocker files are stored in the following path in the Synology device : /etc/synolocker folder