Synolocker file decryption

Scholar


My Synology NAS was hit by the "Synolocker" ransom virus and all files in it were encrypted. I copied all encrypted files out of the NAS, then paid the ransom and received the public and private keys from the perpetrators. But when I tried to use the decryption page they sent, it didn't work. Then Synology told me to install their updated operating system. Now I can't access the NAS at all. But I have the encrypted files copied in a portable hard drive and I have the keys. I saw F-Secure's expert analysis of this virus and want to ask if someone out there knows how to decrypt the files with the public and private keys.
F-Secure Product Expert

Re: Synolocker file decryption

Hello @Jasonb,

I assume you are making reference to this article.

You can always submit samples to our lab in order to assess the infection.

PS: I moved your post to a more relevant board.



Best Regards

-Ben

Scholar

Re: Synolocker file decryption

Dear Ben,
Thanks! I'll send that sample to you along with the keys.
Scholar

Re: Synolocker file decryption

I checked and if I upload the file this way, there's no way to leave a message with the keys. Should I email it to sad-support instead?
Advocate

Re: Synolocker file decryption

If you register a SAS account and then log in, you get more options including a "message" field:

https://analysis.f-secure.com/portal/signup.html

"If you need to contact our Response Team, include your question or incident details in the "Message" field. Else, please leave it empty"

Scholar

Re: Synolocker file decryption

I attempted to do that, and didn't realize I had to register again and kept trying to use my community password, resulting in my IP being blocked! By the time I realized how to do it, it was too late. I emailed the file and keys, and will attempt to upload it to SAS again tomorrow if my IP is no longer blocked. Sorry for the trouble.
Scholar

Re: Synolocker file decryption

I managed to upload the sample file and keys to SAS today.

Scholar

Re: Synolocker file decryption

I'm the same user who paid the ransom and got public and private keys from the perpetrators, but has no decryption tool to enter the keys into and decrypt files.

I've managed to get my NAS running again by updating the DSM, and with some help from Synology the NAS still has all the encrypted files on it in the original place. After reading a very helpful thread at http://forum.synology.com/enu/viewtopic.php?f=108&t=89185, I used WinSCP to get into the NAS, and found the "etc" folder where the perpetrators were supposed to have created a "synolock" directory containing files needed to decrypt with the keys. But unfortunately, the "synolock" directory is not there. I presume the DSM update must have wiped it out. Does anyone out there have a copy of this directory? I can see from the other thread that at least some people are having success decrypting manually, but the folder and its contents need to be there in order to accomplish that.

It sure would be a godsend if an expert could provide software enabling you to enter the public and private keys obtained from the perpetrators and decrypt the encrypted files. I realize that is probably asking too much, but it certainly would help a lot of people out there.

Another fantasy would be for some kind person to provide a copy of the "synolock" folder and its contents so that we can try to paste keys in there and see if that works.

Aspirant

Re: Synolocker file decryption

Hello,

I recently was hit with Synolocker like many others. I read on a Synology forum that F-Secure had released software for those who paid the ransom and have the private/public keys. I have mine, but am confused on how to use the software. Forgive me, but I'm not extremely technical with computers. I believe I have successfully installed Python and pycrypto, but as to the process to decrypt I am lost. Is there a way to have a beginner's guide written or a YouTube video posted on the step-by-step process? The installation/usage instructions are too vague for my ability. Below are the steps but I simply do not understand. A quick video would be amazing. It appears there are quite a few people with keys that will use this software, just not sure how many people understand how to use it.

Installation

First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py-script to a directory of your choosing.

Usage

From the command line: synounlocker.py <path to encrypted file> <path to private key file>

Scholar

Re: Synolocker file decryption

I have the keys but haven't received the decryption software that you apparently have. Can you find a way to put the decryption software files somewhere where they can be downloaded? Then I can download the files and try to get it to work using the keys they sent me. And if I get it to work, I would be glad to provide a "tutorial" explaining how I did it.

I noticed the perpetrators have updated their website informing everyone that they're working on two different decryption programs for people like me who were forced to update to DSM5, rendering themselves unable to receive the decryption items. Their website says there will be one version for Linux that will be ready earlier, and another version for Windows that will be ready later. But so far, in spite of bitmailing them every day asking for these, I haven't received either. I wonder if the items you received might be one of them.