Stiffed by Synolocker ransomware crims? Try F-Secure's python tool
Unlock key doesn't always fit, says security biz
By Simon Sharwood, 23 Aug 2014
Security firm F-Secure has released a tool to decrypt data scrambled by the Synolocker malware – assuming you've obtained the decryption key from the crooks.
Synolocker is ransomware that attacks NAS devices made by Synology. Those infected by the software find their data is encrypted, and receive an invitation to purchase a decryption key.
F-Secure today writes: “We believe you should never pay a ransom to online criminals." Yet, it has released a tool that puts the crims' Synolocker decryption keys to work to rescue enciphered files.
Why the seeming contradiction? Well, F-Secure's post says “the criminals behind SynoLocker make a false promise” and that “in many of the cases we have observed, the decryption process didn't actually work or the decryption key provided by the criminals was incorrect.” So paying out is a risk, as well as encouraging this criminality. But if you absolutely must get a key – and manage to do so – the new tool can help make it all work.
“Another use case for our decryption tool is a situation where a user has paid the ransom but can't use the decryption key as they have removed the SynoLocker malware from the infected device,” the company's Artturi Lehtiö writes. “Instead of reinfecting your device with the malware (which is a bad idea), you can use the key together with our script to decrypt your files.”
Those two grounds mean F-Secure feels it is worthwhile extending a helping hand to the afflicted, even though it frowns on the idea of paying ransoms.
Synolocker victims may not want to get excited about the free tool, however, as it's a python script, something the average Joe or Josephine may not find immediately usable. If that's you, here's a guide to installing Python for noobs, and the pycrypto toolkit you'll need to put F-Secure's code to work. ®
F-Secure SynoLocker Python download here:-
Download python here:-
Ubuntu Linux Live Distros download here....
synounlocker.py is a tool for decrypting files encrypted by the SynoLocker family of ransomware.
The tool works by first looking in a file for the magic string "THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337" that is used by SynoLocker to identify files it has encrypted. Next, it will attempt to decrypt the file. During this process, it will also attempt to check that the encrypted file has not been corrupted. This is possible, because SynoLocker stores a HMAC of the encrypted data as part of the file. If all seems to have gone well, the tool will write the decrypted contents to a new file, with the name of the original file appended with ".dec". The tool will not remove or overwrite the original encrypted file.
More information here.
This tool will only work if the decryption key is already known. It will not bruteforce the decryption key and it will not break any encryption. The tool is only meant to be used if the decryption key is already known. You should never pay online criminals. There is no guarantee it will help you in getting your files back. It will only encourage the criminals to continue their criminal activities.
This tool requires the pycrypto -package. It has been tested to work with Python 2.7.8 and pycrypto 2.6.1.
First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py -script to a directory of your choosing.
From the command line: synounlocker.py <path to encrypted file> <path to private key file>
Apache License, Version 2.0
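The README above describes the first step of F-Secure's tool, locating the marker string in each file. The following is an added example of that triage step on its own, written here in Python 3 with the standard library only; it is not F-Secure's synounlocker.py, does no decryption, and never writes to the files it inspects. The sample tree it builds is constructed data for a dry run.

```python
import os
import tempfile

# Marker quoted in the README above: SynoLocker writes it into every file it
# has encrypted, which is what makes read-only triage by content possible.
MARKER = b"THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337"
CHUNK = 1 << 20  # 1 MiB reads, so large media files need not fit in memory


def has_marker(path):
    """True if the file contains MARKER; never writes to the file."""
    carry = b""  # tail of the previous chunk, so a split marker is still found
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            buf = carry + chunk
            if MARKER in buf:
                return True
            carry = buf[-(len(MARKER) - 1):]


def scan_tree(root):
    """Return sorted paths (relative to root) of files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".dec"):  # decryptor output, not an encrypted file
                continue
            path = os.path.join(dirpath, name)
            try:
                if has_marker(path):
                    hits.append(os.path.relpath(path, root))
            except OSError:
                pass  # unreadable file: skip it and keep scanning
    return sorted(hits)


def make_sample_tree():
    """Constructed sample data (not real victim files) for a dry run."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\x00" * 100 + MARKER + b"\x11" * 64)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"untouched text file")
    with open(os.path.join(root, "big.bin"), "wb") as f:
        f.write(b"\x00" * (CHUNK - 10) + MARKER)  # marker straddles a chunk
    with open(os.path.join(root, "photo.jpg.dec"), "wb") as f:
        f.write(MARKER)  # a .dec output is skipped even if it holds the marker
    return root
```

Run `scan_tree("/volume1")` (or whatever share you are triaging) to list affected files before deciding on any recovery step.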
Based on reference:-
Note: please check details on this links for solutions!
Discovered: August 6, 2014
Updated: August 7, 2014 10:14:42 AM
Type: Trojan
Infection Length: Varies
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Did you read what synology says on the link I provided for you???
Go to the Synology website, Support, Security Advisory and select Important Information about Ransomware SynoLocker Threat.
Email them to firstname.lastname@example.org
Or ask their technical support...
I've already given the F-Secure python link.
This is how you get the decryption key....
As stated in the Synology forum.
Excerpt in synology forum...
I could not find a suitable forum category for this, but my Synology DiskStation just got hijacked and held for ransom.
When trying to access it instead I am taken to a page with this information:
Automated Decryption Service
All important files on this NAS have been encrypted using strong cryptography
List of encrypted files available here.
Follow these simple steps if file recovery is needed:
Download and install Tor Browser.
Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
Login with your identification code to get further instructions on how to get a decryption key.
[edit mod: ID code removed]
Follow the instructions on the decryption page once a valid decryption key has been acquired.
Technical details about the encryption process:
A unique RSA-2048 keypair is generated on a remote server and linked to this system.
The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
A random 256-bit key is generated on this system when a new file needs to be encrypted.
This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
The 256-bit key is then encrypted with the RSA-2048 public key.
The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
The original unencrypted file is then overwritten with random bits before being deleted from the hard drive.
The encrypted file is renamed to the original filename.
To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
Once a valid decryption key is provided, the software searches each file for a specific string stored in all encrypted files.
When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
Note: Without the decryption key, all encrypted files will be lost forever.
** TAKE NOTE:- Do not use your own browser... you need to download and use the Tor Browser instead...
check this link by bleeping computer:-
Contact synology email at email@example.com
or synology tech support ...
Here are the excerpts from the Synology Security Advisory Support page....
Synology is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers.
To report security issues that affect Synology products, please contact: firstname.lastname@example.org
Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.
PGP Key Information
When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.
Synology Product Security Updates
To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.
8/7/2014 Important Information about Ransomware SynoLocker Threat
It is confirmed that Synology NAS servers running older versions of DiskStation Manager are being targeted by a ransomware known as “SynoLocker,” which exploits two vulnerabilities that were fixed in November and December, 2013, respectively. At that time, Synology released security updates and notified users to update via various channels.
Affected users may encounter one of the following symptoms:
When attempting to log in to DSM, a screen appears informing users that their data has been encrypted and a fee is required to unlock data.
Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
For users who have encountered the above symptoms, please shut down the system immediately to prevent more files from being encrypted and contact our technical support to confirm whether the system is infected. Please note Synology is unable to decrypt files that have already been encrypted.
If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the below steps to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.
Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3
The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/download
Once DSM has been re-installed, log in and restore your backup data.
For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
DSM 4.3-3827 or later
DSM 4.2-3243 or later
DSM 4.0-2259 or later
DSM 3.x or earlier is not affected
Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update