Synolocker file decryption

Aspirant

Re: Synolocker file decryption

I think I confused you. The 'software' I'm referring to is the tool released by F-Secure (link in the first reply). I have not received anything from the perpetrators. The software they claim to be developing is not what I was referring to. From what it looks like, F-Secure has developed a tool that allows people with keys to decrypt their files, but the instructions on how to use it are over my head. Hope someone breaks down step by step instructions for novices like me.
Scholar

Re: Synolocker file decryption

I didn't know F-Secure had done that and don't see a link in your post. But that's great news and I'll try to find it and see if I can get it to work. If I get it to work I'll try my best to walk you through it. I don't know how to make a video but hopefully could write a step by step.
Scholar

Re: Synolocker file decryption

Just got all caught up on F-Secure's new tool and am grateful to Artturi and F-Secure for their efforts. I have attempted to try it, but because of my lack of computer skills, I wasn't able to get it to work (surely nothing wrong with the tool - only something wrong with me). So I'm going to get help from a computer programmer and if that's successful, I'll do my best to explain how it went, if someone else hasn't already by then.

Aspirant

Re: Synolocker file decryption

That would be great. So far I have not been able to figure out how to use the tool. A step by step guide would be amazing. Waiting to hear your reply!

Senior Advisor

Re: Synolocker file decryption

Synolocker file decryption tool here:-

https://github.com/F-Secure/Synounlocker

Download python here:-

https://www.python.org/download

https://pypi.python.org/pypi/pycrypto

http://www.youtube.com/watch?v=FyGwA0UJ7sE

http://www.youtube.com/watch?v=L5t5U0XnSew

http://www.youtube.com/watch?v=lsflaKpeB7Q

http://docs.python-guide.org/en/latest/starting/install/win/

https://docs.python.org/2/using/windows.html

Ubuntu Linux Live Distro download...

http://releases.ubuntu.com/

Synounlocker.py

synounlocker.py is a tool for decrypting files encrypted by the SynoLocker family of ransomware.

The tool works by first looking in a file for the magic string "THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337" that SynoLocker uses to identify files it has encrypted. Next, it will attempt to decrypt the file. During this process, it will also attempt to check that the encrypted file has not been corrupted. This is possible because SynoLocker stores an HMAC of the encrypted data as part of the file. If all seems to have gone well, the tool will write the decrypted contents to a new file, with the name of the original file appended with ".dec". The tool will not remove or overwrite the original encrypted file.

More information here.
IMPORTANT

This tool will only work if the decryption key is already known. It will not bruteforce the decryption key and it will not break any encryption. The tool is only meant to be used if the decryption key is already known. You should never pay online criminals. There is no guarantee it will help you in getting your files back. It will only encourage the criminals to continue their criminal activities.
Requirements

This tool requires the pycrypto package. It has been tested to work with Python 2.7.8 and pycrypto 2.6.1.
Installation

First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the synounlocker.py script to a directory of your choosing.
Usage

From the command line: synounlocker.py <path to encrypted file> <path to private key file>
License

Apache License, Version 2.0

You need to install python.

http://www.cso.com.au/article/553126/synolocker_victims_who_paid_still_couldn_t_unlock_files_get_sec...

http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

http://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/


Senior Advisor

Re: Synology Solutions Reports!!!

Hi All,

Please check details here for answers or solutions! Click on the links below:-

https://www.synology.com/en-global/support/security_SynoLocker

https://www.synology.com/en-global/support/security

http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

Troubleshooting:-

https://www.synology.com/en-global/support/tutorials/493#t3

https://www.synology.com/en-global/support/download

Please click on the Kudos button if it solves your problem. Thank you!

Scholar

Re: Synolocker file decryption

I have successfully decrypted the first file.

1. Installed Python 2.7.8 on Windows 7 64-bit to C:\Python27. No issues....
2. Added the C:\Python27 directory to the PATH environment variable in Windows System Properties.
3. Added the PyCrypto 2.6 for Python 2.7 64-bit module. "Synounlocker" requires PyCrypto and that is a huge issue to install and then compile into the Python installation the way F-Secure suggests, because you also need Visual Studio 2008 Express and Microsoft have withdrawn it from download. Thankfully, you can go here and download a pre-compiled PyCrypto installer for your version of Windows... I ran the PyCrypto 2.6 for Python 2.7 64-bit one.
4. Ran the F-Secure script in a command prompt window as follows, where EXT is the encrypted file's extension, e.g. .pdf .doc .xls....whatever:

synounlocker.py X:\PATHtoFILE\EncryptedFile.EXT X:\PATHtoKEY\privatekey.txt

The private key is the entire contents of the window presented to you after purchasing from the criminals. Just paste it into a text file and save it.

The encrypted file remains unchanged, but a new file appended with ".dec" is written in the same directory, e.g. "EncryptedFile.EXT.dec" per the above example. I renamed the encrypted file manually to ".enc" and removed the ".dec" from the decrypted file name (in my case a PDF file)..... and presto!!! The file was decrypted and opened.

Does anyone know any command switches for the F-Secure "synounlocker.py" command? It could be tedious to decrypt everything one by one. It didn't accept wildcards in the basic command line.

Scholar

Re: Synolocker file decryption

If by "upgrade" you mean Synology techs overwrote the installation... then yes... that overwrites the system partition. You can tell if you have to recreate users, permissions... etc.

Best way to upgrade is power off.... remove drives.... insert a blank drive.... install the latest DSM using Disk Assistant... same IP, same NAS name. Shut down... remove the new disk and replace the original disks..... view the NAS through Disk Assistant and it should be marked as "migratable". Select the same DSM you used on the blank disk and after reboot, the system partition is upgraded without deleting the synolock directories, where you can proceed to decrypt using PuTTY and SSH to run the commands. When decrypted, delete the synolock directories or at least archive them somewhere.

If you are missing the directories, then the only tool is the F-Secure tool.... Google it. Follow these instructions to prepare your machine (Windows) to be able to decrypt files. Unfortunately, I don't know any command line switches yet, but you will know if you have a valid key. I copied all the NAS encrypted files to a disk and then ran the tool against test files there... it worked a treat. You don't need any files from the synolock directory on the NAS.

1. Installed Python 2.7.8 on Windows 7 64-bit to C:\Python27. No issues....
2. Added the C:\Python27 directory to the PATH environment variable in Windows System Properties.
3. Added the PyCrypto 2.6 for Python 2.7 64-bit module. "Synounlocker" requires PyCrypto and that is a huge issue to install and then compile into the Python installation the way F-Secure suggests, because you also need Visual Studio 2008 Express and Microsoft have withdrawn it from download. Thankfully, you can go here and download a pre-compiled PyCrypto installer for your version of Windows... I ran the PyCrypto 2.6 for Python 2.7 64-bit one.
4. Ran the F-Secure script in a command prompt window as follows, where EXT is the encrypted file's extension, e.g. .pdf .doc .xls....whatever:

synounlocker.py X:\PATHtoFILE\EncryptedFile.EXT X:\PATHtoKEY\privatekey.txt

The private key is the entire contents of the window presented to you after purchasing from the criminals. Just paste it into a text file and save it.

The encrypted file remains unchanged, but a new file appended with ".dec" is written in the same directory, e.g. "EncryptedFile.EXT.dec" per the above example. I renamed the encrypted file manually to ".enc" and removed the ".dec" from the decrypted file name (in my case a PDF file)..... and presto!!! The file was decrypted and opened.

Does anyone know any command switches for the F-Secure "synounlocker.py" command? It could be tedious to decrypt everything one by one. It didn't accept wildcards in the basic command line.
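
The question about command switches and wildcards is raised in both of the step-by-step posts above. synounlocker.py takes exactly one encrypted file and one key file per run, so the practical answer is to drive it from a small wrapper. The script below is an added example for this thread, not part of F-Secure's tool and not code from any poster. It assumes synounlocker.py is in the current directory (or named via the SYNOUNLOCKER environment variable) and that "python" on PATH is the 2.7 interpreter the tool needs (override with SYNOUNLOCKER_PYTHON); the C:\Python27 setup from the posts above satisfies that. It walks a directory tree, selects only the files that actually carry the SynoLocker magic string quoted in the README above, runs the tool once per file and reports whether the expected "<file>.dec" output appeared. Like the tool itself, it never modifies the encrypted originals. The sample tree it can build is constructed test data, not real SynoLocker output.

```python
#!/usr/bin/env python3
"""Batch driver for F-Secure's synounlocker.py (added example, not F-Secure's code).

The tool decrypts one file per run: synounlocker.py <encrypted file> <private key file>.
This wrapper walks a tree, picks the files carrying the SynoLocker magic string, runs
the tool once per file and reports whether "<file>.dec" appeared. Assumptions: the
tool is ./synounlocker.py ($SYNOUNLOCKER overrides) and "python" on PATH is the 2.7
interpreter it needs ($SYNOUNLOCKER_PYTHON overrides).
"""
import os
import subprocess
import sys
import tempfile

# Marker SynoLocker writes into every file it encrypts (quoted from the README).
MAGIC = b"THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337"
TOOL = os.environ.get("SYNOUNLOCKER", "synounlocker.py")
PYTHON = os.environ.get("SYNOUNLOCKER_PYTHON", "python")


def contains_magic(path, chunk_size=1 << 20):
    """Scan for MAGIC in chunks, keeping an overlap of len(MAGIC)-1 bytes so a marker
    that straddles a chunk boundary is still found; big media files never load whole."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return False
            window = tail + block
            if MAGIC in window:
                return True
            tail = window[-(len(MAGIC) - 1):]


def find_encrypted(root):
    """Sorted list of marked files under root. The tool's own ".dec" outputs are
    skipped, as is any file whose ".dec" already exists, so re-running is safe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".dec") or os.path.exists(path + ".dec"):
                continue
            try:
                if contains_magic(path):
                    hits.append(path)
            except OSError:
                pass  # unreadable file: leave it for manual inspection
    return sorted(hits)


def run_tool(path, key_path):
    """Invoke synounlocker.py exactly as the posts above do; returns its exit code."""
    return subprocess.call([PYTHON, TOOL, path, key_path])


def decrypt_tree(root, key_path, runner=run_tool):
    """Run the tool on every marked file under root; returns {path: status} with
    "ok" (a .dec appeared), "failed" (non-zero exit) or "no-output" (exit 0 but
    nothing written). `runner` is injectable so the flow can run without the tool."""
    results = {}
    for path in find_encrypted(root):
        if runner(path, key_path) != 0:
            results[path] = "failed"
        elif os.path.exists(path + ".dec"):
            results[path] = "ok"
        else:
            results[path] = "no-output"
    return results


def build_sample_tree():
    """Constructed sample data (not real SynoLocker output): a marked file, a clean
    file, a marked file already decrypted, and a marked file in a subdirectory with
    the magic string 3 bytes in, to exercise the chunked scan."""
    root = tempfile.mkdtemp(prefix="synolocker_demo_")
    os.mkdir(os.path.join(root, "sub"))
    paths = {"root": root,
             "marked": os.path.join(root, "photo.nef"),
             "clean": os.path.join(root, "notes.txt"),
             "done": os.path.join(root, "old.pdf"),
             "split": os.path.join(root, "sub", "archive.zip")}
    with open(paths["marked"], "wb") as f:
        f.write(b"\x00" * 64 + MAGIC + b"\xff" * 256)
    with open(paths["clean"], "wb") as f:
        f.write(b"plain text, nothing to do here")
    with open(paths["done"], "wb") as f:
        f.write(MAGIC)
    with open(paths["done"] + ".dec", "wb") as f:
        f.write(b"%PDF-1.4")
    with open(paths["split"], "wb") as f:
        f.write(b"PK\x03" + MAGIC)
    return paths


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: batch_synounlock.py <directory> <path to private key file>")
    for p, status in decrypt_tree(sys.argv[1], sys.argv[2]).items():
        print(status, p)
```

Copy the encrypted files to a scratch disk first, as the post above did, then run `python batch_synounlock.py X:\copy_of_NAS X:\PATHtoKEY\privatekey.txt` from the directory holding synounlocker.py. Files that already have a ".dec" sibling are skipped, so an interrupted run can simply be started again, and anything reported as "failed" or "no-output" is worth re-checking by hand against the tool's own output for that file.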

Novice

Re: Synolocker file decryption

Could you teach me how to use this tool to resolve this problem?
If you have a teaching manual that can teach users suffering from this problem, thank you.

Senior Advisor

Re: Norton on trojan Synolocker

http://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99&tabid=2

Discovered: August 6, 2014
Updated: August 7, 2014 10:14:42 AM
Type: Trojan
Infection Length: Varies

Trojan.Synolocker runs on Synology network-attached storage (NAS) devices.

When the Trojan is executed, it creates the following files:

    /tmp/.SYNO_SERVER_LOCK
    /tmp/.SYNO_ENCRYPT_LOCK
    /tmp/.SYNO_DECRYPT_LOCK
    /etc/synolock/
    /etc/synolock/.decrypt
    /etc/synolock/.restore
    /etc/synolock/watch.sh
    /etc/synolock/synosync
    /etc/synolock/uninstall.sh
    /etc/synolock/RSA_PUBLIC_KEY
    /etc/synolock/RSA_PRIVATE_KEY
    /usr/syno/synoman/redirect.html
    /usr/syno/synoman/lock.png
    /usr/syno/synoman/style.css
    /usr/syno/synoman/synolockcode.txt
    /usr/syno/synoman/crypted.log
    /usr/syno/synoman/decrypted.log
    /usr/syno/etc.defaults/rc.d/S99boot.sh
    /usr/syno/etc.defaults/rc.d/S99check.sh


It then modifies the following file:
/usr/syno/synoman/index.html

Next, the Trojan searches for and encrypts files with the following extensions on the compromised NAS device:

    .3fr
    .7z
    .accdb
    .ai
    .arw
    .av
    .bay
    .bkf
    .cdr
    .cer
    .cr
    .dbf
    .dcr
    .ddrw
    .der
    .djvu
    .dng
    .do
    .dwg
    .dx
    .eml
    .eps
    .erf
    .gif
    .gpg
    .ico
    .ind
    .jp
    .kd
    .mbx
    .md
    .mef
    .mp
    .mrw
    .nef
    .nrw
    .od
    .orf
    .p12
    .p7b
    .p7c
    .pas
    .pd
    .pe
    .pfx
    .php
    .pmg
    .potx
    .pp
    .ps
    .ptx
    .r3d
    .ra
    .rtf
    .rw
    .sda
    .sfx
    .sld
    .sql
    .sr
    .text
    .wb2
    .wp
    .xl
    .zip
    wallet.


The Trojan then starts an HTTP server on port 80, which replaces the existing HTTP server used for device administration.

If the user attempts to open the administration Web page, the following message is displayed:
Automated Decryption Service. Copy and paste a valid RSA private key in the following form below.

If the correct RSA private key is entered the Trojan decrypts the files and removes itself from the compromised device.
Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
    If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Masaki Suenaga, Roberto Sponchioni
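
The file list in the writeup above doubles as a set of indicators for checking a DSM box over SSH (the PuTTY route mentioned earlier in the thread) before trusting it again or restoring data onto it. The script below is an added example, not Symantec's or Synology's code. The paths are taken verbatim from the writeup, with /etc/synolock checked as the directory that holds watch.sh, synosync, the RSA key files and the rest. It takes an optional root prefix so it can be run against a mounted copy of the system partition or a test tree, and it adds one heuristic the writeup only implies: it greps the modified index.html for the "Automated Decryption Service" text the writeup says the ransom page shows (that string is assumed to appear verbatim in the page).

```shell
#!/bin/sh
# Added example: check a Synology DSM file system for the Trojan.Synolocker
# artifacts listed in the Symantec writeup. Not Symantec or Synology code.
# Usage: sh check_synolocker.sh [ROOT]
#   ROOT is an optional prefix (default: the live system at /), so the check
#   can also be pointed at a mounted copy or a constructed test tree.

# Paths quoted from the writeup. /etc/synolock is the directory the Trojan creates;
# its contents (watch.sh, synosync, RSA_PRIVATE_KEY, ...) are covered by that entry.
SYNOLOCKER_IOCS="
/tmp/.SYNO_SERVER_LOCK
/tmp/.SYNO_ENCRYPT_LOCK
/tmp/.SYNO_DECRYPT_LOCK
/etc/synolock
/usr/syno/synoman/redirect.html
/usr/syno/synoman/lock.png
/usr/syno/synoman/synolockcode.txt
/usr/syno/synoman/crypted.log
/usr/syno/synoman/decrypted.log
/usr/syno/etc.defaults/rc.d/S99boot.sh
/usr/syno/etc.defaults/rc.d/S99check.sh
"

# Ransom-page text the writeup says replaces the admin page (assumed to appear verbatim).
RANSOM_TEXT="Automated Decryption Service"

# Print each indicator present under ROOT, one "FOUND:" line per hit.
# Exit status: 0 when nothing was found, 1 when at least one indicator is present.
check_synolocker() {
    root="${1:-}"
    found=0
    for p in $SYNOLOCKER_IOCS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=$((found + 1))
        fi
    done
    # The Trojan modifies index.html rather than creating it, so test its contents.
    idx="$root/usr/syno/synoman/index.html"
    if [ -f "$idx" ] && grep -qF "$RANSOM_TEXT" "$idx"; then
        echo "FOUND: ransom page text in $idx"
        found=$((found + 1))
    fi
    # rc.d/S99*.sh is the init-script naming for scripts run at boot, so treat those
    # two entries as persistence: clearing /tmp lock files alone does not remove them.
    [ "$found" -eq 0 ]
}

# When run as a script (not sourced), check the given or live root and print a verdict.
if [ "${0##*/}" = "check_synolocker.sh" ]; then
    if check_synolocker "$1"; then echo "clean"; else echo "INFECTED"; exit 1; fi
fi
```

A clean result from this check only says the listed artifacts are absent; it does not say the data volume is intact, so the encrypted-file scan and the .dec outputs from the decryption posts earlier in the thread are still the test of whether user files came back.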