I am doing the walk of shame… I have spent my whole career on Linux operating systems, and yet I was too comfortable (read: lazy) to take appropriate measures to protect a Linux-based, internet-connected storage device, and accordingly I caught the Synolocker ransomware on my Synology DS213j.
A quick call to Synology’s support revealed the obvious … “we advise you to recover from backups”. Too bad that I had purchased the DS213j as my backup device. Too stupid that I fell for the convenience of enabling more and more features and finally made it internet accessible.
Everything that I am describing here documents what I am doing with my data, assuming the risk of ultimate data loss. I cannot take any responsibility if the steps described below do not work for you (I am happy to help though) or lead to data loss on your side. I am writing this blog post as I go through the steps, and the final outcome (data loss or not) is not known at this point.
What to do…
First things first… shut it down! If the Synolocker page shows when you access your device, simply unplug it, now! The attack targets devices running DSM 4.3-3810 or earlier; the most recent version, DSM 5.0, is not affected.
Unplugging the device makes sure that no further encryption takes place. Considering the amount of data one typically stores on such devices (I am running 2TB disks), the slow CPU and the demanding encryption algorithm, it takes a while for all your data to be encrypted. There is a good chance that you can salvage data by powering off the device early.
Next, for mirrored configurations, you want to access your disks to inspect the damage. For me, a trip to Best Buy was in order to buy an eSATA-to-USB dock (I just took whatever was available, i.e. a Thermaltake BlacX, ~$40).
As I am running Ubuntu 14.10, I could easily access the mirrored files on one of the drives via:
olli@minime> sudo mdadm --assemble --scan
olli@minime> sudo vgchange -ay
olli@minime> sudo lvscan
That would show you some output similar to:
ACTIVE '/dev/vg1000/lv' [1.81 TiB] inherit
and with that, mounting the volume read-only was possible:
olli@minime> sudo mount -oro /dev/vg1000/lv /mnt
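The same inspection, scripted so it picks up every active logical volume that lvscan reports and mounts each one read-only. This is an added example, not code from the original post; it assumes the array and volume group were already activated as above, and the helper names, the /mnt/<vg>-<lv> mount points and the --dry-run/--mount switches are mine. It also adds the ext4 "noload" option, because a plain read-only mount would still replay the journal that pulling the plug left dirty and thus write to the disk.

```bash
#!/bin/bash
# Added example, not code from the original post: find the Synology logical
# volume(s) reported by lvscan and mount each one read-only for inspection.
# Assumes the steps from the post were already run (mdadm --assemble --scan,
# vgchange -ay) and that the mount targets under /mnt are free.

# Print the device path of every ACTIVE logical volume in lvscan-style output
# (read from stdin), one per line. Inactive volumes are skipped.
active_lvs() {
    # Example input line:  ACTIVE   '/dev/vg1000/lv' [1.81 TiB] inherit
    awk '$1 == "ACTIVE" { print $2 }' | tr -d "'"
}

# Build the mount command for one volume. A plain "-o ro" mount of ext4 still
# replays the journal left dirty by pulling the plug, which writes to the
# disk; "noload" skips the replay so the drive stays exactly as it was.
ro_mount_cmd() {
    printf 'mount -o ro,noload %s %s\n' "$1" "$2"
}

# Derive a mount point from the LV path: /dev/vg1000/lv -> /mnt/vg1000-lv
mount_point_for() {
    printf '/mnt/%s\n' "$(printf '%s' "$1" | sed 's#^/dev/##; s#/#-#g')"
}

# Mount every ACTIVE volume read-only and report where it landed.
mount_all_ro() {
    sudo lvscan | active_lvs | while read -r lv; do
        target=$(mount_point_for "$lv")
        sudo mkdir -p "$target"
        # the command string is intentionally word-split into its arguments
        sudo $(ro_mount_cmd "$lv" "$target") && echo "mounted $lv read-only at $target"
    done
}

# Constructed sample of lvscan output (not captured from a real device) so the
# helpers can be exercised without any disk attached: ./inspect.sh --dry-run
SAMPLE_LVSCAN="  ACTIVE            '/dev/vg1000/lv' [1.81 TiB] inherit
  inactive          '/dev/vg1000/snap' [10.00 GiB] inherit"

case "${1:-}" in
    --dry-run) printf '%s\n' "$SAMPLE_LVSCAN" | active_lvs | while read -r lv; do
                   ro_mount_cmd "$lv" "$(mount_point_for "$lv")"
               done ;;
    --mount)   mount_all_ro ;;
esac
```

Skipping the journal replay can leave the last writes before the power cut invisible; that is the trade-off for not touching the disk while you still weigh a forensic copy against a quick rescue of files.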