Synolocker – damage control

August 15, 2014 – 1:37 am

What happened…

I am doing the walk of shame… I have spent my whole career in Linux OSs, and yet I was too comfortable (read: lazy) to take appropriate measures to protect a Linux-based, internet-connected storage device, and so I duly caught the Synolocker ransomware on my Synology DS213j.

A quick call to Synology’s support revealed the obvious: “we advise you to recover from backups”. Too bad that I purchased the DS213j as my backup device. Too stupid that I fell for the convenience of enabling more and more features and finally made it internet accessible.

Disclaimer

Everything that I am describing here is documenting what I am doing with my data, assuming the risk of ultimate data loss. I cannot take any responsibility if the steps described below won’t work for you (I am happy to help though) or will lead to data loss on your side. I am writing this blog post as I go through some steps and the final outcome (data loss or not) is not known at this point.

What to do…

First things first… shut it down! If the Synolocker page shows when accessing your device, simply unplug it, now! The attack targets devices running DSM 4.3-3810 or earlier [1]; the most recent version, DSM 5.0, is not affected.

Unplugging the device makes sure that no further encryption happens. Considering the amount of data one typically stores on such devices (I am running 2TB disks), the slow CPU and the demanding encryption algorithm, it will take a while for all your data to be encrypted. There is a good chance that you can salvage data by powering off the device early.

Next, for mirrored configurations, you want to access your disks directly to inspect the damage. For me, a trip to Best Buy was in order to buy an eSATA to USB dock (I just took whatever was available, i.e. a Thermaltake BlacX, ~$40).

As I am running Ubuntu 14.10, I could easily access the mirrored files on one of the drives via:

olli@minime> sudo mdadm --assemble --scan
olli@minime> sudo vgchange -ay
olli@minime> sudo lvscan

That should show you output similar to:

ACTIVE '/dev/vg1000/lv' [1.81 TiB] inherit

and with the logical volume active, mounting it read-only was possible:

olli@minime> sudo mount -oro /dev/vg1000/lv /mnt
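Once the volume is mounted read-only, the next question is which files are still usable. The following script is an added example, not code from the original post: it walks a mounted tree and flags files whose leading bytes no longer match the format their extension promises (a file that has been overwritten by an encryptor loses its magic bytes). The magic table, the verdict labels and the default path /mnt are this example's own assumptions; the test files in the comments are constructed, not taken from the incident. It only reads, so it is safe to point at the read-only mount.

```python
#!/usr/bin/env python3
"""Triage a read-only mounted volume after a ransomware incident.

Added example (not from the original post). Flags files whose header
no longer matches their extension, as a cheap first pass to separate
salvageable files from damaged ones before copying anything off the disk.
Formats without a stable signature (plain text, CSV) come back UNKNOWN.
"""
import os
import sys
from collections import Counter

# (offset, signature) pairs for a few common formats; an assumption about
# what a home NAS typically holds (photos, videos, documents, archives).
MAGIC = {
    ".jpg":  [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png":  [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    ".pdf":  [(0, b"%PDF-")],
    ".zip":  [(0, b"PK\x03\x04")],
    ".docx": [(0, b"PK\x03\x04")],
    ".xlsx": [(0, b"PK\x03\x04")],
    # QuickTime/MP4 containers carry their atom type at offset 4.
    ".mov":  [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"),
              (4, b"wide"), (4, b"free"), (4, b"skip")],
    ".mp4":  [(4, b"ftyp")],
}

# Verdict labels used by this example only.
INTACT, SUSPECT, UNKNOWN, EMPTY, UNREADABLE = (
    "INTACT", "SUSPECT", "UNKNOWN", "EMPTY", "UNREADABLE")


def classify(path):
    """Compare the first 16 bytes of a file against the signatures for its extension."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return UNKNOWN                      # no signature on record for this type
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return UNREADABLE                   # I/O error on a damaged disk, for instance
    if not head:
        return EMPTY
    for offset, sig in sigs:
        if head[offset:offset + len(sig)] == sig:
            return INTACT                   # header present; content may still be truncated
    return SUSPECT                          # extension says one thing, bytes say another


def triage(root):
    """Walk `root` and return {relative path: verdict} for every regular file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results


def summarize(results):
    """Count verdicts so the damage can be sized up at a glance."""
    return Counter(results.values())


if __name__ == "__main__":
    mount_point = sys.argv[1] if len(sys.argv) > 1 else "/mnt"   # assumed mount point
    verdicts = triage(mount_point)
    for rel, verdict in sorted(verdicts.items()):
        if verdict == SUSPECT:
            print(f"{verdict:10} {rel}")
    print(dict(summarize(verdicts)))
```

A matching header only means the file was not overwritten from the start; it can still be truncated or damaged further in, so treat INTACT as "worth copying and checking", not as proof of integrity. Copy salvageable files to a separate disk rather than touching the mounted volume.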

[1] http://forum.synology.com/enu/viewtopic.php?t=88770


  • Majeed

    Very nice job, and a huge job has been done.
    These guys are really bad, but at least there is a solution to restore some very important data.
    For me, I’m a photographer (total encrypted files: 328K) and I used a Synology DS 1513+ as a backup solution; there was no need at all to connect the device to the internet, but I kept it in the default settings.
    I had no choice other than paying the ransom, which was $650, and they supplied the key to me, and I have recovered 64.4% of my photos up to now.

    It is a very expensive lesson learned.

  • Keith Storm

    Thank you SO MUCH for this post! Using your instructions I’ve been able to access all my home video (.MOV) files, since Synolocker does not encrypt those. I’m copying them off my drive. Thankfully, I had all my images backed up on Amazon Glacier. I’ll have to pay to download those, but much less than paying the ransom. Thanks again! I’m very sorry that you were unable to recover your files.

  • pleurisy

    Thanks for this. I’m also in recovery mode – luckily it looks like little will be permanently lost. One request though:

    I’m up to the point of scanning to see if any files on the whitelist were encrypted anyway. (I suspect one or two more got encrypted after I pulled my copy of crypted.log.) However, my only unix box is the Synology itself, and the Synology base package doesn’t recognize “strings”.

    I am pretty new to Unix; is there some way to rephrase that last command (or do a script) such that the same effect can be obtained using only Synology base commands?