SynoLocker Ransomware - Try F-Secure python tool

Rusli
Rusli Posts: 1,012 Influencer

http://www.theregister.co.uk/2014/08/23/f_secure_synolocker_fix/

Stiffed by Synolocker ransomware crims? Try F-Secure's python tool
Unlock key doesn't always fit, says security biz
By Simon Sharwood, 23 Aug 2014

Security firm F-Secure has released a tool to decrypt data scrambled by the Synolocker malware – assuming you've obtained the decryption key from the crooks.

Synolocker is ransomware that attacks NAS devices made by Synology. Those infected by the software find their data is encrypted, and receive an invitation to purchase a decryption key.

F-Secure today writes: “We believe you should never pay a ransom to online criminals." Yet, it has released a tool that puts the crims' Synolocker decryption keys to work to rescue enciphered files.

Why the seeming contradiction? Well, F-Secure's post says “the criminals behind SynoLocker make a false promise” and that “in many of the cases we have observed, the decryption process didn't actually work or the decryption key provided by the criminals was incorrect.” So, paying out is a risk, as well as encouraging this criminality. If you absolutely must get a key – and manage to do so – the new tool can help make it all work.

“Another use case for our decryption tool is a situation where a user has paid the ransom but can't use the decryption key as they have removed the SynoLocker malware from the infected device,” the company's Artturi Lehtiö writes. “Instead of reinfecting your device with the malware (which is a bad idea), you can use the key together with our script to decrypt your files.”

Those two grounds mean F-Secure feels it is worthwhile extending a helping hand to the afflicted, even though it frowns on the idea of paying ransoms.

Synolocker victims may not want to get excited about the free tool, however, as it's a python script, something the average Joe or Josephine may not find immediately usable. If that's you, here's a guide to installing Python for noobs, and the pycrypto toolkit you'll need to put F-Secure's code to work. ®

Comments

  • Rusli
    Rusli Posts: 1,012 Influencer

    F-Secure SynoLocker Python tool, download here:-

    https://github.com/F-Secure/Synounlocker

    Download Python here:-

    https://www.python.org/download

    https://pypi.python.org/pypi/pycrypto

    http://www.youtube.com/watch?v=FyGwA0UJ7sE

    http://www.youtube.com/watch?v=L5t5U0XnSew

    http://www.youtube.com/watch?v=lsflaKpeB7Q

    http://docs.python-guide.org/en/latest/starting/install/win/

    https://docs.python.org/2/using/windows.html

    Ubuntu Linux Live Distros download here....

    http://releases.ubuntu.com/

    Synounlocker.py

    synounlocker.py is a tool for decrypting files encrypted by the SynoLocker family of ransomware.

    The tool works by first looking in a file for the magic string "THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337" that is used by SynoLocker to identify files it has encrypted. Next, it will attempt to decrypt the file. During this process, it will also attempt to check that the encrypted file has not been corrupted. This is possible, because SynoLocker stores an HMAC of the encrypted data as part of the file. If all seems to have gone well, the tool will write the decrypted contents to a new file, with the name of the original file appended with ".dec". The tool will not remove or overwrite the original encrypted file.

    More information here.

    IMPORTANT

    This tool will only work if the decryption key is already known. It will not bruteforce the decryption key and it will not break any encryption. The tool is only meant to be used if the decryption key is already known. You should never pay online criminals. There is no guarantee it will help you in getting your files back. It will only encourage the criminals to continue their criminal activities.

    Requirements

    This tool requires the pycrypto package. It has been tested to work with Python 2.7.8 and pycrypto 2.6.1.

    Installation

    First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py script to a directory of your choosing.

    Usage

    From the command line: synounlocker.py <path to encrypted file> <path to private key file>

    License

    Apache License, Version 2.0

    Based on references:-

    http://www.f-secure.com/weblog/archives/00002737.html

    http://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/

    http://www.cso.com.au/article/553126/synolocker_victims_who_paid_still_couldn_t_unlock_files_get_second_crack/?utm_medium=rss&utm_source=taxonomyfeed

    http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

  • Rusli
    Rusli Posts: 1,012 Influencer

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99&tabid=2

    Discovered: August 6, 2014
    Updated: August 7, 2014 10:14:42 AM
    Type: Trojan
    Infection Length: Varies

    Trojan.Synolocker runs on Synology network-attached storage (NAS) devices.

    When the Trojan is executed, it creates the following files:
    • /tmp/.SYNO_SERVER_LOCK
    • /tmp/.SYNO_ENCRYPT_LOCK
    • /tmp/.SYNO_DECRYPT_LOCK
    • /etc/synolock/
    • /etc/synolock/.decrypt
    • /etc/synolock/.restore
    • /etc/synolock/watch.sh
    • /etc/synolock/synosync
    • /etc/synolock/uninstall.sh
    • /etc/synolock/RSA_PUBLIC_KEY
    • /etc/synolock/RSA_PRIVATE_KEY
    • /usr/syno/synoman/redirect.html
    • /usr/syno/synoman/lock.png
    • /usr/syno/synoman/style.css
    • /usr/syno/synoman/synolockcode.txt
    • /usr/syno/synoman/crypted.log
    • /usr/syno/synoman/decrypted.log
    • /usr/syno/etc.defaults/rc.d/S99boot.sh
    • /usr/syno/etc.defaults/rc.d/S99check.sh

    It then modifies the following file:
    /usr/syno/synoman/index.html

    Next, the Trojan searches for and encrypts files with the following extensions on the compromised NAS device:
    • .3fr
    • .7z
    • .accdb
    • .ai
    • .arw
    • .av
    • .bay
    • .bkf
    • .cdr
    • .cer
    • .cr
    • .dbf
    • .dcr
    • .ddrw
    • .der
    • .djvu
    • .dng
    • .do
    • .dwg
    • .dx
    • .eml
    • .eps
    • .erf
    • .gif
    • .gpg
    • .ico
    • .ind
    • .jp
    • .kd
    • .mbx
    • .md
    • .mef
    • .mp
    • .mrw
    • .nef
    • .nrw
    • .od
    • .orf
    • .p12
    • .p7b
    • .p7c
    • .pas
    • .pd
    • .pe
    • .pfx
    • .php
    • .pmg
    • .potx
    • .pp
    • .ps
    • .ptx
    • .r3d
    • .ra
    • .rtf
    • .rw
    • .sda
    • .sfx
    • .sld
    • .sql
    • .sr
    • .text
    • .wb2
    • .wp
    • .xl
    • .zip
    • wallet.

    The Trojan then starts an HTTP server on port 80, which replaces the existing HTTP server used for device administration.

    If the user attempts to open the administration Web page, the following message is displayed:
    Automated Decryption Service. Copy and paste a valid RSA private key in the following form below.

    If the correct RSA private key is entered the Trojan decrypts the files and removes itself from the compromised device.

    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.
    Writeup By: Masaki Suenaga, Roberto Sponchioni
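The file list in the writeup above (together with the "synosync" process name that Synology's advisory, quoted later in this thread, tells users to look for in Resource Monitor) is what a responder would check a device against. The Go program below is an added example and is not Symantec's, Synology's or F-Secure's code: it looks for those paths under a chosen root, so it can be pointed at "/" on a live unit or at a mounted copy of the NAS filesystem, and reads process names from a procfs-style directory. BuildFixture is a test helper that only creates empty placeholder files and a fake /proc entry; the fixture paths and the PID 4242 are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Paths the Symantec writeup lists as created by Trojan.Synolocker.
var synoLockerPaths = []string{
	"/tmp/.SYNO_SERVER_LOCK",
	"/tmp/.SYNO_ENCRYPT_LOCK",
	"/tmp/.SYNO_DECRYPT_LOCK",
	"/etc/synolock/",
	"/etc/synolock/.decrypt",
	"/etc/synolock/.restore",
	"/etc/synolock/watch.sh",
	"/etc/synolock/synosync",
	"/etc/synolock/uninstall.sh",
	"/etc/synolock/RSA_PUBLIC_KEY",
	"/etc/synolock/RSA_PRIVATE_KEY",
	"/usr/syno/synoman/redirect.html",
	"/usr/syno/synoman/lock.png",
	"/usr/syno/synoman/style.css",
	"/usr/syno/synoman/synolockcode.txt",
	"/usr/syno/synoman/crypted.log",
	"/usr/syno/synoman/decrypted.log",
	"/usr/syno/etc.defaults/rc.d/S99boot.sh",
	"/usr/syno/etc.defaults/rc.d/S99check.sh",
}

// Process name Synology's advisory associates with an infected unit.
const synoLockerProcess = "synosync"

// ScanPaths returns the indicator paths that exist below root ("/" on a live
// NAS, or the mount point of an offline copy of its filesystem).
func ScanPaths(root string) []string {
	var found []string
	for _, p := range synoLockerPaths {
		if _, err := os.Lstat(filepath.Join(root, p)); err == nil {
			found = append(found, p)
		}
	}
	return found
}

// ProcessNames reads <pid>/comm entries below procRoot (the Linux procfs layout).
func ProcessNames(procRoot string) (map[int]string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	names := map[int]string{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a process directory
		}
		comm, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "comm"))
		if err != nil {
			continue
		}
		names[pid] = strings.TrimSpace(string(comm))
	}
	return names, nil
}

// SuspiciousPIDs returns the PIDs whose name matches the advisory's process name.
func SuspiciousPIDs(names map[int]string) []int {
	var pids []int
	for pid, n := range names {
		if n == synoLockerProcess {
			pids = append(pids, pid)
		}
	}
	return pids
}

// BuildFixture creates a constructed, inert fixture: empty files at the given
// indicator paths plus a fake procfs entry named synosync. Test input only.
func BuildFixture(root string, present []string, fakePID int) error {
	for _, p := range present {
		full := filepath.Join(root, p)
		if strings.HasSuffix(p, "/") { // directory indicator
			if err := os.MkdirAll(full, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, nil, 0o644); err != nil {
			return err
		}
	}
	procDir := filepath.Join(root, "proc", strconv.Itoa(fakePID))
	if err := os.MkdirAll(procDir, 0o755); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(procDir, "comm"), []byte(synoLockerProcess+"\n"), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "synolocker-ioc")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(root)
	_ = BuildFixture(root, synoLockerPaths[:5], 4242)
	fmt.Println("indicator paths present:", ScanPaths(root))
	names, _ := ProcessNames(filepath.Join(root, "proc"))
	fmt.Println("suspicious PIDs:", SuspiciousPIDs(names))
}
```

A hit on any of these paths, or on the process name, is a reason to shut the unit down and involve Synology support as the advisory says; an absence of hits is not proof of a clean device, since the list comes from one sample's writeup.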
  • Rusli
    Rusli Posts: 1,012 Influencer

    Did you read what Synology says on the link I provided for you???

    Go to the Synology website, Support, Security Advisory, and select "Important Information about Ransomware SynoLocker Threat".

    Email them at security@synology.com

    Or ask their technical support...

    https://myds.synology.com/support/support_form.php?lang=enu

    I've already given the F-Secure python link.

    https://github.com/F-Secure/Synounlocker

    This is how you get the decryption key....

    As stated on the Synology forum.

    http://forum.synology.com/enu/viewtopic.php?f=19&t=88737

    or here

    http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

    Excerpt from the Synology forum...

    -------------------------------------------------------------------------------------------------------------------------

    Hello,
    I could not find a suitable forum category for this, but my synology diskstation just got hi-jacked and held for ransom.
    When trying to access it instead I am taken to a page with this information:
    SynoLocker™
    Automated Decryption Service

    All important files on this NAS have been encrypted using strong cryptography

    List of encrypted files available here.

    Follow these simple steps if files recovery is needed:

    Download and install Tor Browser.
    Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
    Login with your identification code to get further instructions on how to get a decryption key.
    [edit mod: ID code removed]
    Follow the instructions on the decryption page once a valid decryption key has been acquired.

    Technical details about the encryption process:

    A unique RSA-2048 keypair is generated on a remote server and linked to this system.
    The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
    A random 256-bit key is generated on this system when a new file needs to be encrypted.
    This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
    The 256-bit key is then encrypted with the RSA-2048 public key.
    The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
    The original unencrypted file is then overwritten with random bits before being deleted from the hard drive.
    The encrypted file is renamed to the original filename.
    To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
    Once a valid decryption key is provided, the software searches each file for a specific string stored in all encrypted files.
    When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
    Note: Without the decryption key, all encrypted files will be lost forever.

    ---------------------------------------------------------------------------------------------------------------------------

    ** TAKE NOTE:- Do not use your own browser... you need to download and use the Tor Browser instead...

    https://www.torproject.org/projects/torbrowser.html.en

     

     

  • Rusli
    Rusli Posts: 1,012 Influencer

    Contact Synology by email at security@synology.com

    or Synology tech support ...

    https://myds.synology.com/support/support_form.php

    http://www.youtube.com/watch?v=xbKUMTXK4gY

  • Rusli
    Rusli Posts: 1,012 Influencer

    Here are the excerpts from the Synology Security Advisory support page....

    https://www.synology.com/en-global/support/security

    Synology Product Security Advisory

    Synology is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers.

    Report Vulnerabilities

    To report security issues that affect Synology products, please contact: security@synology.com

    Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.

    PGP Key Information

    When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.

    Synology Product Security Updates

    To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

    https://www.synology.com/en-global/support/security/SynoLocker

    8/7/2014 - Important Information about Ransomware SynoLocker Threat

    Description

    It is confirmed that Synology NAS servers running older versions of DiskStation Manager are being targeted by a ransomware known as “SynoLocker,” which exploits two vulnerabilities that were fixed in November and December, 2013, respectively. At that time, Synology released security updates and notified users to update via various channels.

    Common Symptoms

    Affected users may encounter one of the following symptoms:

    • When attempting to log in to DSM, a screen appears informing users that their data has been encrypted and a fee is required to unlock data.
    • Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
    • DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

    Suggestion

    For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support to confirm whether the system is infected. Please note Synology is unable to decrypt files that have already been encrypted.

    If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the below steps to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.

    • Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3
    • The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/download
    • Once DSM has been re-installed, log in and restore your backup data.

    For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:

    • DSM 4.3-3827 or later
    • DSM 4.2-3243 or later
    • DSM 4.0-2259 or later
    • DSM 3.x or earlier is not affected

    Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update

  • Rusli
    Rusli Posts: 1,012 Influencer

    Here is another link from the Synology forum page.

    Go to this link to view.

    http://forum.synology.com/enu/viewtopic.php?f=108&t=89557

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    In order to avoid the need to double post the info on Synolocker, please refer to this thread for more info.
