Synolocker file decryption
Comments
-
Hello @Jasonb ,
I assume you are making reference to this article.
You can always submit samples to our lab in order to assess the infection.
PS: I moved your post to a more relevant board.
-
If you register a SAS account and then log in, you get more options including a "message" field:
https://analysis.f-secure.com/portal/signup.html
"If you need to contact our Response Team, include your question or incident details in the "Message" field. Else, please leave it empty"
-
I attempted to do that, and didn't realize I had to register again and kept trying to use my community password, resulting in my IP being blocked! By the time I realized how to do it, it was too late. I emailed the file and keys, and will attempt to upload it to SAS again tomorrow if my IP is no longer blocked. Sorry for the trouble.
-
I'm the same user who paid the ransom and got public and private keys from the perpetrators, but has no decryption tool to enter the keys into and decrypt files.
I've managed to get my NAS running again by updating the DSM, and with some help from Synology the NAS still has all the encrypted files on it in the original place. After reading a very helpful thread at http://forum.synology.com/enu/viewtopic.php?f=108&t=89185 , I used WinSCP to get into the NAS, and found the "etc" folder where the perpetrators were supposed to have created a "synolock" directory containing files needed to decrypt with the keys. But unfortunately, the "synolock" directory is not there. I presume the DSM update must have wiped it out. Does anyone out there have a copy of this directory? I can see from the other thread that at least some people are having success decrypting manually, but the folder and its contents need to be there in order to accomplish that.
It sure would be a godsend if an expert could provide software enabling you to enter the public and private keys obtained from the perpetrators and decrypt the encrypted files. I realize that is probably asking too much, but it certainly would help a lot of people out there.
Another fantasy would be for some kind person to provide a copy of the "synolock" folder and its contents so that we can try to paste keys in there and see if that works.
-
Hello,
I recently was hit with synolocker like many others. I read on a synology forum that F-Secure had released software for those who paid the ransom and have the private/public keys. I have mine, but am confused on how to use the software. Forgive me, but I'm not extremely technical with computers. I believe I have successfully installed python and pycrypto, but as to the process to decrypt I am lost. Is there a way to have a beginners guide written or a youtube video posted on the step by step process? The installation/usage instructions are too vague for my ability. Below are the steps but I simply do not understand. A quick video would be amazing. It appears there are quite a few people with keys that will use this software, just not sure how many people understand how to use it.
Installation
First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py-script to a directory of your choosing.
Usage
From the command line: synounlocker.py <path to encrypted file> <path to private key file>
-
I have the keys but haven't received the decryption software that you apparently have. Can you find a way to put the decryption software files somewhere where they can be downloaded? Then I can download the files and try to get it to work using the keys they sent me. And if I get it to work, I would be glad to provide a "tutorial" explaining how I did it.
I noticed the perpetrators have updated their website informing everyone that they're working on two different decryption programs for people like me who were forced to update to DSM5, rendering themselves unable to receive the decryption items. Their website says there will be one version for Linux that will be ready earlier, and another version for Windows that will be ready later. But so far, in spite of bitmailing them every day asking for these, I haven't received either. I wonder if the items you received might be one of them.
-
I think I confused you. The 'software' I'm referring to is the tool released by F-Secure (link in the first reply). I have not received anything from the perpetrators. The software they claim to be developing is not what I was referring to. From what it looks like, F-Secure has developed a tool that allows people with keys to decrypt their files, but the instructions on how to use it are over my head. Hope someone breaks down step by step instructions for novices like me.
-
I didn't know F-Secure had done that and don't see a link in your post. But that's great news and I'll try to find it and see if I can get it to work. If I get it to work I'll try my best to walk you through it. I don't know how to make a video but hopefully could write a step by step.
-
Just got all caught up on F-Secure's new tool and am grateful to Artturi and F-Secure for their efforts. I have attempted to try it, but because of my lack of computer skills, I wasn't able to get it to work (surely nothing wrong with the tool - only something wrong with me). So I'm going to get help from a computer programmer and if that's successful, I'll do my best to explain how it went, if someone else hasn't already by then.
-
Synolocker file decryption tool here:-
https://github.com/F-Secure/Synounlocker
Download python here:-
https://www.python.org/download
https://pypi.python.org/pypi/pycrypto
http://www.youtube.com/watch?v=FyGwA0UJ7sE
http://www.youtube.com/watch?v=L5t5U0XnSew
http://www.youtube.com/watch?v=lsflaKpeB7Q
http://docs.python-guide.org/en/latest/starting/install/win/
https://docs.python.org/2/using/windows.html
Ubuntu Linux Live Distro download...
Synounlocker.py
synounlocker.py is a tool for decrypting files encrypted by the SynoLocker family of ransomware.
The tool works by first looking in a file for the magic string "THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337" that is used by SynoLocker to identify files it has encrypted. Next, it will attempt to decrypt the file. During this process, it will also attempt to check that the encrypted file has not been corrupted. This is possible, because SynoLocker stores an HMAC of the encrypted data as part of the file. If all seems to have gone well, the tool will write the decrypted contents to a new file, with the name of the original file appended with ".dec". The tool will not remove or overwrite the original encrypted file.
More information here.
IMPORTANT
This tool will only work if the decryption key is already known. It will not bruteforce the decryption key and it will not break any encryption. The tool is only meant to be used if the decryption key is already known. You should never pay online criminals. There is no guarantee it will help you in getting your files back. It will only encourage the criminals to continue their criminal activities.
Requirements
This tool requires the pycrypto -package. It has been tested to work with Python 2.7.8 and pycrypto 2.6.1.
Installation
First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py -script to a directory of your choosing.
Usage
From the command line: synounlocker.py <path to encrypted file> <path to private key file>
License
Apache License, Version 2.0
You need to install python.
http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware
http://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/
-
Hi All,
Please check details here for answers or solutions! Click on the links below:-
https://www.synology.com/en-global/support/security_SynoLocker
https://www.synology.com/en-global/support/security
http://forum.synology.com/enu/viewtopic.php?f=3&t=88716
Troubleshooting:-
https://www.synology.com/en-global/support/tutorials/493#t3
https://www.synology.com/en-global/support/download
Please click on Kudos button if it solves your problem. Thank you!
-
I have successfully decrypted the first file.
1. installed Python 2.7.8 on Windows 7 64bit to C:\Python27. No issues....
2. added the C:\Python27 directory to the path statement environment variable in windows system properties.
3. Added PyCrypto 2.6 for Python 2.7 64bit module. "Synounlocker" requires PyCrypto and that is a huge issue to install and then compile to the Python installation the way F-Secure suggest because you also need Visual Studio 2008 Express and Microsoft have withdrawn it from download. Thankfully, you can go here and download a pre-compiled pycrypto installer for your version of windows... I ran the PyCrypto 2.6 for Python 2.7 64bit.
4. ran the F-Secure script in a command prompt window as follows, where EXT is the encrypted file's extension, eg: .pdf .doc .xls....whatever:
synounlocker.py X:\PATHtoFILE\EncryptedFile.EXT X:\PATHtoKEY\privatekey.txt
The private key is the entire contents of the window presented to you after purchasing from the criminals. Just paste into a text file and save it.
The encrypted file remains unchanged, but a new file appended with ".dec" is written in the same directory, eg: "EncryptedFile.EXT.dec" per the above example. I renamed the encrypted file manually to ".enc" and removed the ".dec" from the decrypted file name (in my case a PDF file)..... and presto!!! File was decrypted and opened.
Does anyone know any command switches for the F-Secure "synounlocker.py" command? Could be tedious to decrypt everything one by one. Didn't accept wildcards in the basic command line.
-
If by "upgrade" you mean Synology techs overwrote the installation...then yes...that overwrites the system partition. You can tell if you have to recreate users, permissions...etc.
Best way to up grade is power off....remove drives...insert a blank drive....install latest DSM using Disk Assistant...same IP, same NAS name. Shut down...remove new disk and replace original disks.....view NAS through Disk Assistant and it should be marked as "migratable". Select same DSM you used on blank disk and after reboot, system partition is upgraded without deleting the synolock directories where you can proceed to decrypt using the Putty and SSH to run the commands. When decrypted, delete the synolock directories or at least archive them somewhere.
If you are missing the directories, then the only tool is the F-Secure tool....google it.
Follow these instructions to prepare your machine (Windows) to be able to decrypt files. Unfortunately, I don't know any command line switches yet, but you will know if you have a valid key. I copied all the NAS encrypted files to a disk and then ran the tool against test files there...it worked a treat. You don't need any files from the synolock directory on the NAS.
1. installed Python 2.7.8 on Windows 7 64bit to C:\Python27. No issues....
2. added the C:\Python27 directory to the path statement environment variable in windows system properties.
3. Added PyCrypto 2.6 for Python 2.7 64bit module. "Synounlocker" requires PyCrypto and that is a huge issue to install and then compile to the Python installation the way F-Secure suggest because you also need Visual Studio 2008 Express and Microsoft have withdrawn it from download. Thankfully, you can go here and download a pre-compiled pycrypto installer for your version of windows... I ran the PyCrypto 2.6 for Python 2.7 64bit.
4. ran the F-Secure script in a command prompt window as follows, where EXT is the encrypted file's extension, eg: .pdf .doc .xls....whatever:
synounlocker.py X:\PATHtoFILE\EncryptedFile.EXT X:\PATHtoKEY\privatekey.txt
The private key is the entire contents of the window presented to you after purchasing from the criminals. Just paste into a text file and save it.
The encrypted file remains unchanged, but a new file appended with ".dec" is written in the same directory, eg: "EncryptedFile.EXT.dec" per the above example. I renamed the encrypted file manually to ".enc" and removed the ".dec" from the decrypted file name (in my case a PDF file)..... and presto!!! File was decrypted and opened.
Does anyone know any command switches for the F-Secure "synounlocker.py" command? Could be tedious to decrypt everything one by one. Didn't accept wildcards in the basic command line.
-
-
http://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99&tabid=2
Discovered:
August 6, 2014
Updated:
August 7, 2014 10:14:42 AM
Type:
Trojan
Infection Length:
Varies
Trojan.Synolocker runs on Synology network-attached storage (NAS) devices.
When the Trojan is executed, it creates the following files:
/tmp/.SYNO_SERVER_LOCK
/tmp/.SYNO_ENCRYPT_LOCK
/tmp/.SYNO_DECRYPT_LOCK
/etc/synolock/
/etc/synolock/.decrypt
/etc/synolock/.restore
/etc/synolock/watch.sh
/etc/synolock/synosync
/etc/synolock/uninstall.sh
/etc/synolock/RSA_PUBLIC_KEY
/etc/synolock/RSA_PRIVATE_KEY
/usr/syno/synoman/redirect.html
/usr/syno/synoman/lock.png
/usr/syno/synoman/style.css
/usr/syno/synoman/synolockcode.txt
/usr/syno/synoman/crypted.log
/usr/syno/synoman/decrypted.log
/usr/syno/etc.defaults/rc.d/S99boot.sh
/usr/syno/etc.defaults/rc.d/S99check.sh
It then modifies the following file:
/usr/syno/synoman/index.html
Next, the Trojan searches for and encrypts files with the following extensions on the compromised NAS device:
.3fr
.7z
.accdb
.ai
.arw
.av
.bay
.bkf
.cdr
.cer
.cr
.dbf
.dcr
.ddrw
.der
.djvu
.dng
.do
.dwg
.dx
.eml
.eps
.erf
.gif
.gpg
.ico
.ind
.jp
.kd
.mbx
.md
.mef
.mp
.mrw
.nef
.nrw
.od
.orf
.p12
.p7b
.p7c
.pas
.pd
.pe
.pfx
.php
.pmg
.potx
.pp
.ps
.ptx
.r3d
.ra
.rtf
.rw
.sda
.sfx
.sld
.sql
.sr
.text
.wb2
.wp
.xl
.zip
wallet.
The Trojan then starts an HTTP server on port 80, which replaces the existing HTTP server used for device administration.
If the user attempts to open the administration Web page, the following message is displayed:
Automated Decryption Service. Copy and paste a valid RSA private key in the following form below.
If the correct RSA private key is entered the Trojan decrypts the files and removes itself from the compromised device.
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Masaki Suenaga, Roberto Sponchioni
-
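The paths, the modified admin page and the process name in the writeup above are enough to triage a suspect NAS without trusting the DSM login screen. The script below is an added example (not Symantec's, Synology's or any poster's code): it is read-only, takes `root` as "/" when run over SSH on the device or as the mount point of a copied system partition, and reports the two things people in this thread got burned by: whether encryption is still running (the advisory quoted later says to power off) and whether the `/etc/synolock` directory, which a DSM reinstall wipes, is still present. The fixture tree it builds for its own demo is constructed, not captured from a real infection.

```python
"""Read-only triage for the SynoLocker indicators the Symantec writeup lists.
Added example, not Symantec's or Synology's code.  `root` is "/" when run
over SSH on the suspect NAS, or the mount point of a copied system partition."""
import os

# Paths quoted from the writeup: lock files, the synolock working directory,
# the hijacked admin UI assets and the two rc.d persistence scripts.
DROPPED_PATHS = [
    "/tmp/.SYNO_SERVER_LOCK",
    "/tmp/.SYNO_ENCRYPT_LOCK",
    "/tmp/.SYNO_DECRYPT_LOCK",
    "/etc/synolock",
    "/etc/synolock/.decrypt",
    "/etc/synolock/.restore",
    "/etc/synolock/watch.sh",
    "/etc/synolock/synosync",
    "/etc/synolock/uninstall.sh",
    "/etc/synolock/RSA_PUBLIC_KEY",
    "/etc/synolock/RSA_PRIVATE_KEY",
    "/usr/syno/synoman/redirect.html",
    "/usr/syno/synoman/lock.png",
    "/usr/syno/synoman/style.css",
    "/usr/syno/synoman/synolockcode.txt",
    "/usr/syno/synoman/crypted.log",
    "/usr/syno/synoman/decrypted.log",
    "/usr/syno/etc.defaults/rc.d/S99boot.sh",
    "/usr/syno/etc.defaults/rc.d/S99check.sh",
]
PERSISTENCE = [p for p in DROPPED_PATHS if "/rc.d/" in p]
LOCK_DIR = "/etc/synolock"                    # needed for on-device decryption; a DSM reinstall wipes it
ADMIN_PAGE = "/usr/syno/synoman/index.html"   # modified in place, not replaced
RANSOM_PHRASE = b"Automated Decryption Service"  # text of the hijacked page, per the writeup
PROCESS_NAME = "synosync"                     # process name from the Synology advisory


def _under(root, path):
    return os.path.join(root, path.lstrip("/"))


def present_indicators(root="/"):
    """Indicator paths that exist under root (lexists: a dangling symlink still counts)."""
    return [p for p in DROPPED_PATHS if os.path.lexists(_under(root, p))]


def admin_page_hijacked(root="/"):
    """True when the DSM login page carries the ransom text."""
    try:
        with open(_under(root, ADMIN_PAGE), "rb") as f:
            return RANSOM_PHRASE in f.read()
    except OSError:
        return False


def synosync_pids(proc="/proc"):
    """PIDs whose comm is synosync; empty on non-Linux hosts or when it is not running."""
    hits = []
    try:
        entries = os.listdir(proc)
    except OSError:
        return hits
    for pid in entries:
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                if f.read().strip() == PROCESS_NAME:
                    hits.append(int(pid))
        except OSError:
            continue
    return hits


def triage(root="/", proc="/proc"):
    found = present_indicators(root)
    page = admin_page_hijacked(root)
    pids = synosync_pids(proc)
    return {
        "indicators": found,
        "persistence": [p for p in found if p in PERSISTENCE],
        "admin_page_hijacked": page,
        "synosync_pids": pids,
        # still encrypting: stop it before more files are lost
        "encryption_in_progress": "/tmp/.SYNO_ENCRYPT_LOCK" in found or bool(pids),
        # keep this directory if you intend to decrypt on-device: reinstalling DSM removes it
        "preserve_before_reinstall": LOCK_DIR in found,
        "infected": bool(found) or page or bool(pids),
    }


def build_fixture(root):
    """Constructed sample tree mimicking an infected system partition (not from a real NAS)."""
    for p in ["/tmp/.SYNO_ENCRYPT_LOCK", "/etc/synolock/RSA_PUBLIC_KEY",
              "/usr/syno/etc.defaults/rc.d/S99boot.sh"]:
        full = _under(root, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    full = _under(root, ADMIN_PAGE)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(b"<html><body>" + RANSOM_PHRASE + b"</body></html>")


if __name__ == "__main__":
    import sys
    for key, value in triage(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print("%-26s %s" % (key, value))
```

Run it as `python triage.py /` over SSH on the NAS, or `python triage.py /mnt/nas_sys` against a copied system partition. A clean tree returns `infected: False` with an empty indicator list; the process check only means anything on the live device.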
http://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/
Did you read what synology says on the link I provided for you???
Go to synology website,support,security advisory and select important information about ransomware synolocker threat.
Email them to security@synology.com
Or ask their technical support...
https://myds.synology.com/support/support_form.php?lang=enu
I've already given the F-Secure python link.
https://github.com/F-Secure/Synounlocker
Someone has already given the steps on how to get the decryption key by using the tor.
http://forum.synology.com/enu/viewtopic.php?f=19&t=88737
another link here:-
http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware
I've already given 2 Kudos to phinease562 for the steps he already mentioned.
-
Good grief!! Who are you Rusli? You are bringing nothing here except confusing info for users. It is not a PC infection....copy/pasting corporate blurb here is annoying....really annoying. Your advice thus far has only been bad anyway. Who are you and what is your agenda here?
I wouldn't trust anything this user says.
-
The confusing part is they did not know how to get the decryption key. You never mention the step. That is why they keep asking.
It's already stated here...
http://forum.synology.com/enu/viewtopic.php?f=19&t=88737
or here
http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware
This is the excerpt from synology forum....
--------------------------------------------------------------------------------------------------------------------------
Hello,
I could not find a suitable forum category for this, but my synology diskstation just got hi-jacked and held for ransom.
When trying to access it instead I am taken to a page with this information:
SynoLocker™
Automated Decryption Service
All important files on this NAS have been encrypted using strong cryptography
List of encrypted files available here.
Follow these simple steps if files recovery is needed:
Download and install Tor Browser.
Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
Login with your identification code to get further instructions on how to get a decryption key.
[edit mod: ID code removed]
Follow the instructions on the decryption page once a valid decryption key has been acquired.
Technical details about the encryption process:
A unique RSA-2048 keypair is generated on a remote server and linked to this system.
The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
A random 256-bit key is generated on this system when a new file needs to be encrypted.
This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
The 256-bit key is then encrypted with the RSA-2048 public key.
The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
The original unencrypted file is then overwritten with random bits before being deleted from the hard drive.
The encrypted file is renamed to the original filename.
To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
Once a valid decryption key is provided, the software searches each file for a specific string stored in all encrypted files.
When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
Note: Without the decryption key, all encrypted files will be lost forever.
--------------------------------------------------------------------------------------------------------------------------
Only use the Tor Browser to go to the link....
Do not know where to get the Tor Browser... go to this link....
https://www.torproject.org/projects/torbrowser.html.en
Norton stated the infected directory....
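The "Technical details" in the quoted ransom note describe an ordinary hybrid scheme: a per-file 256-bit AES key, AES-256-CBC, the key wrapped with the RSA-2048 public key and stored in the file, and a magic string the decryptor searches for; the F-Secure README quoted earlier adds that an HMAC of the encrypted data is stored too. The block below is an added example that re-creates that scheme end to end (not SynoLocker's code, not F-Secure's, and not compatible with synounlocker.py). Everything the note does not state is an assumption and is marked as such in the code: the byte layout (MAGIC, wrapped key, IV, ciphertext, HMAC), OAEP as the RSA padding, and HMAC-SHA256 keyed with the file key. It uses the `cryptography` package rather than the unmaintained pycrypto.

```python
"""The hybrid scheme the ransom note describes, re-created as an added example.
Real SynoLocker's byte layout is not documented here, so the framing below is an
assumption and this does NOT interoperate with synounlocker.py.  Needs the
`cryptography` package (pip install cryptography)."""
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Marker the decryptor searches for, quoted from the synounlocker README.
MAGIC = b"THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337"
RSA_BITS = 2048
WRAPPED_LEN = RSA_BITS // 8   # size of the RSA-encrypted file key
IV_LEN = 16
MAC_LEN = 32                  # HMAC-SHA256
# OAEP is an assumption; the note only says "encrypted with the RSA-2048 public key".
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                         algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Server side in the note: the keypair is made remotely and only the public
    half is sent to the NAS, so nothing on the device can undo the encryption."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=RSA_BITS)
    return priv, priv.public_key()


def encrypt_blob(plaintext, pub):
    """Per file: random 256-bit key, AES-256-CBC, key wrapped with RSA-2048 and
    stored in the output, then an HMAC over everything before it (keyed with
    the file key: assumption).  The file key lives only in memory here, which
    is what 'purged from system memory' in the note amounts to."""
    file_key = os.urandom(32)
    iv = os.urandom(IV_LEN)
    padder = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(file_key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()
    body = MAGIC + pub.encrypt(file_key, OAEP) + iv + ciphertext
    return body + hmac.new(file_key, body, hashlib.sha256).digest()


def decrypt_blob(blob, priv):
    """Victim side once the private key is in hand, in the order a careful
    decryptor uses: locate MAGIC, unwrap the file key, verify the HMAC, and only
    then decrypt.  Every failure is a ValueError and nothing is written."""
    start = blob.find(MAGIC)
    if start < 0:
        raise ValueError("magic string absent: not a SynoLocker-style file")
    pos = start + len(MAGIC)
    wrapped, pos = blob[pos:pos + WRAPPED_LEN], pos + WRAPPED_LEN
    iv, pos = blob[pos:pos + IV_LEN], pos + IV_LEN
    ciphertext, mac = blob[pos:-MAC_LEN], blob[-MAC_LEN:]
    try:
        file_key = priv.decrypt(wrapped, OAEP)
    except ValueError:
        raise ValueError("private key does not match this file")
    expected = hmac.new(file_key, blob[start:-MAC_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("HMAC mismatch: file corrupted or tampered, refusing to decrypt")
    dec = Cipher(algorithms.AES(file_key), modes.CBC(iv)).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    padded = dec.update(ciphertext) + dec.finalize()
    return unpadder.update(padded) + unpadder.finalize()


def roundtrip_demo(plaintext=b"constructed sample document"):
    """Encrypt, decrypt, and show that a flipped ciphertext byte is caught by the
    HMAC before any decryption is attempted.  Returns (recovered_ok, tamper_caught)."""
    priv, pub = generate_keypair()
    blob = encrypt_blob(plaintext, pub)
    recovered = decrypt_blob(blob, priv)
    damaged = bytearray(blob)
    damaged[-MAC_LEN - 1] ^= 0x01            # last ciphertext byte
    try:
        decrypt_blob(bytes(damaged), priv)
        caught = False
    except ValueError:
        caught = True
    return recovered == plaintext, caught
```

The order in `decrypt_blob` is the point: the wrapped key is unwrapped first because the HMAC key depends on it, the HMAC is checked before the ciphertext is touched, and a wrong private key fails at the unwrap step rather than producing garbage output. That is the same behaviour the thread reports for synounlocker.py ("you will know if you have a valid key").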
-
You have to redo the steps.
They wanted the step by step ... like 1...2...3 ... steps.
You missed out on how to get the decrypted key...
How are they going to unlock without the decrypted key?????!!!
Do you have to fork out US$350???
-
Still cannot find the synology security support ????
Here is the excerpt from Synology Security Advisory support...
https://www.synology.com/en-global/support/security
Synology Product Security Advisory
Synology is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers.
Report Vulnerabilities
To report security issues that affect Synology products, please contact: security@synology.com
Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.
PGP Key Information
When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.
Synology Product Security Updates
To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.
https://www.synology.com/en-global/support/security/SynoLocker
8/7/2014 Important Information about Ransomware SynoLocker Threat
Description
It is confirmed that Synology NAS servers running older versions of DiskStation Manager are being targeted by a ransomware known as “SynoLocker,” which exploits two vulnerabilities that were fixed in November and December, 2013, respectively. At that time, Synology released security updates and notified users to update via various channels.
Common Symptoms
Affected users may encounter one of the following symptoms:
When attempting to log in to DSM, a screen appears informing users that their data has been encrypted and a fee is required to unlock data.
Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
Suggestion
For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support to confirm whether the system is infected. Please note Synology is unable to decrypt files that have already been encrypted.
If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the below steps to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.
Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3
The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/download
Once DSM has been re-installed, log in and restore your backup data.
For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
DSM 4.3-3827 or later
DSM 4.2-3243 or later
DSM 4.0-2259 or later
DSM 3.x or earlier is not affected
Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update
-
Here is another excerpt from synology forum.
Go to this link
http://forum.synology.com/enu/viewtopic.php?f=108&t=89557
SynoLocker GUIDE to decrypt files WITH private key
by Ulrik Pedersen » Mon Aug 25, 2014 11:06 pm
I have collected the information from different threads around this forum - and other sites.
I'm not the one to thank - this is just an overview
First download the file http://download.sunnysite.dk/SynoUnlocker.zip containing all the necessary files. (Your browser or antivirus might warn you)
ALWAYS WORK ON A COPY OF YOUR DATA!!!!
Let's assume your encrypted disk holds the letter X:\
1. Run python-2.7.8.msi installer
2. Run pycrypto-2.6.win32-py2.7.exe
3. Copy syno.py to X:\
4. Make a file with your private key (ex. private.key) can be done with notepad
5. Save the private.key file to X:\
6. Start Command Prompt (cmd)
7. Go to X:\
8. Type "python syno.py X:\ private.key" (without "") <<-- Be aware of the space after X:\ !!!
And here you go
----------------------------------------------------------------------------------------------------------------
Re: SynoLocker GUIDE to decrypt files WITH private key
by Flanosch » Wed Aug 27, 2014 7:52 pm
Ulrik Pedersen wrote: Maybe you have a permission issue in the documents folder when running the script.
Try to run cmd as administrator - or move the files out of the documents folder.
Btw you don't have to be in the python folder to run python.
YESSSSSSSSSS! It works
Run CMD as admin and save private.key not as a txt-file
Thank you very much for your efforts!!
-
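Two passages in this thread ask for the same thing: the earlier post that decrypted one PDF with `synounlocker.py` and then asked for command switches because the tool takes a single file and rejects wildcards, and the guide above, whose `syno.py` is run once against a whole drive. The script below is an added example (not F-Secure's code and not the `syno.py` from the guide's ZIP): a batch driver around `synounlocker.py` as the README documents it, one `<encrypted file> <private key file>` pair per invocation, writing `<name>.dec` beside the original. Because encrypted files keep their original names, it selects files by scanning for the magic string the README quotes rather than by extension, and it skips anything that already has a `.dec` output so a run can be resumed. The tool path, the interpreter name and the sample files are assumptions or constructed for the demo.

```python
"""Batch driver for synounlocker.py, an added example that is not F-Secure's
code.  The tool decrypts one file per invocation and writes <name>.dec beside
it without touching the original; this walks a tree, keeps only files that
carry the SynoLocker magic string, skips files already decrypted, and runs
the tool once per file.  Work on a COPY of the NAS data."""
import os
import subprocess

# Marker quoted from the synounlocker README; encrypted files keep their original
# names, so the content, not the extension, identifies them.
MAGIC = b"THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337"
CHUNK = 1 << 20


def has_magic(path):
    """Chunked scan with overlap so large media files are never read whole and a
    marker straddling a chunk boundary is still found."""
    keep = len(MAGIC) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if MAGIC in tail + chunk:
                return True
            tail = chunk[-keep:]


def find_encrypted(root):
    """Paths of regular files under root that contain the magic string."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if name.endswith(".dec") or os.path.islink(path):
                continue
            if has_magic(path):
                hits.append(path)
    return hits


def build_command(path, key_path, tool="synounlocker.py", python="python"):
    """argv for one run of the tool; `python` must be the 2.7 interpreter it was written for."""
    return [python, tool, path, key_path]


def decrypt_tree(root, key_path, tool="synounlocker.py", run=subprocess.call):
    """Returns (done, skipped, failed).  `run` takes an argv list and returns the
    exit status; injectable so the plan can be dry-run without executing anything."""
    done, skipped, failed = [], [], []
    for path in find_encrypted(root):
        if os.path.exists(path + ".dec"):
            skipped.append(path)
            continue
        if run(build_command(path, key_path, tool)) == 0:
            done.append(path)
        else:
            failed.append(path)
    return done, skipped, failed


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: batch_unlock.py <copy of encrypted tree> <private key file> <path to synounlocker.py>")
    d, s, f = decrypt_tree(sys.argv[1], sys.argv[2], tool=sys.argv[3])
    print("decrypted %d, skipped %d (already had .dec), failed %d" % (len(d), len(s), len(f)))
    for p in f:
        print("FAILED: " + p)
```

Usage on the Windows setup from the guide: `python batch_unlock.py X:\ X:\private.key C:\tools\synounlocker.py`. The wrapper itself runs under Python 2.7 or 3; only the tool it calls needs 2.7 and pycrypto. Files the tool rejects (wrong key, corrupted HMAC) end up in the failed list and are left untouched, so the first failure on a large tree is worth checking before letting it run on.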