Synolocker file decryption

Senior Advisor

Re: Synology

http://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/

Did you read what Synology says on the link I provided for you???

Go to the Synology website, Support, Security Advisory and select "Important Information about Ransomware SynoLocker Threat".

Email them at security@synology.com

Or ask their technical support...

https://myds.synology.com/support/support_form.php?lang=enu

I've already given the F-Secure Python link.

https://github.com/F-Secure/Synounlocker

Someone has already given the steps on how to get the decryption key by using Tor.

http://forum.synology.com/enu/viewtopic.php?f=19&t=88737

Another link here:

http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

I've already given 2 Kudos to phinease562 for the steps he already mentioned.

Scholar

Re: spyware.com Synolocker

Good grief!! Who are you Rusli? You are bringing nothing here except confusing info for users. It is not a PC infection....copy/pasting corporate blurb here is annoying....really annoying. Your advice thus far has only been bad anyway. Who are you and what is your agenda here?

I wouldn't trust anything this user says.

Senior Advisor

Re: Use Tor Browser to get the decrypted key

The confusing part is they did not know how to get the decryption key. You never mentioned the step. That is why they keep asking?

It's already stated here...

http://forum.synology.com/enu/viewtopic.php?f=19&t=88737

or here

http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

This is the excerpt from the Synology forum....

--------------------------------------------------------------------------------------------------------------------------

Hello,
I could not find a suitable forum category for this, but my synology diskstation just got hi-jacked and held for ransom.
When trying to access it instead I am taken to a page with this information:
SynoLocker™
Automated Decryption Service

All important files on this NAS have been encrypted using strong cryptography

List of encrypted files available here.

Follow these simple steps if files recovery is needed:

Download and install Tor Browser.
Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
Login with your identification code to get further instructions on how to get a decryption key.
[edit mod: ID code removed]
Follow the instructions on the decryption page once a valid decryption key has been acquired.

Technical details about the encryption process:

A unique RSA-2048 keypair is generated on a remote server and linked to this system.
The RSA-2048 public key is sent to this system while the private key stays in the remote server database.
A random 256-bit key is generated on this system when a new file needs to be encrypted.
This 256-bit key is then used to encrypt the file with AES-256 CBC symmetric cipher.
The 256-bit key is then encrypted with the RSA-2048 public key.
The resulting encrypted 256-bit key is then stored in the encrypted file and purged from system memory.
The original unencrypted file is then overwrited with random bits before being deleted from the hard drive.
The encrypted file is renamed to the original filename.
To decrypt the file, the software needs the RSA-2048 private key attributed to this system from the remote server.
Once a valid decryption key is provided, the software search each files for a specific string stored in all encrypted files.
When the string is found, the software extracts and decrypts the unique 256-bit AES key needed to restore that file.
Note: Without the decryption key, all encrypted files will be lost forever.

--------------------------------------------------------------------------------------------------------------------------

 

 

Only use the Tor Browser to go to the link....

Do not know where to get the Tor Browser... go to this link....

https://www.torproject.org/projects/torbrowser.html.en

Norton stated the infected directory....

Senior Advisor

Re: @phineas562, you missed out on how to get the decrypted key!

@phineas562,

You have to redo the steps.

They wanted the step by step ... like 1...2...3 ... steps.

You missed out on how to get the decrypted key...

How are they going to unlock without the decrypted key?????!!!

Do you have to fork out US$350???

Senior Advisor

Re: Synology Security Advisory Support

Still cannot find the Synology security support ????

Here is the excerpt from Synology Security Advisory support...

https://www.synology.com/en-global/support/security

Synology Product Security Advisory

Synology is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers.

Report Vulnerabilities

To report security issues that affect Synology products, please contact: security@synology.com

Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.

PGP Key Information

When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.

Synology Product Security Updates

To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

 

https://www.synology.com/en-global/support/security/SynoLocker

8/7/2014 Important Information about Ransomware SynoLocker Threat

Description

It is confirmed that Synology NAS servers running older versions of DiskStation Manager are being targeted by a ransomware known as “SynoLocker,” which exploits two vulnerabilities that were fixed in November and December, 2013, respectively. At that time, Synology released security updates and notified users to update via various channels.

Common Symptoms

Affected users may encounter one of the following symptoms:

    When attempting to log in to DSM, a screen appears informing users that their data has been encrypted and a fee is required to unlock data.
    Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
    DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

Suggestion

For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support to confirm whether the system is infected. Please note Synology is unable to decrypt files that have already been encrypted.

If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the below steps to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.

    Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3
    The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/download
    Once DSM has been re-installed, log in and restore your backup data.

For other users who have not encountered the above symptoms, Synology strongly recommend downloading and installing DSM 5.0, or any version below:

    DSM 4.3-3827 or later
    DSM 4.2-3243 or later
    DSM 4.0-2259 or later
    DSM 3.x or earlier is not affected

Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update
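
An added example (not part of this thread or of Synology's advisory): a triage script that classifies DSM version strings against the build thresholds in the advisory quoted above. The host names and the inventory are constructed; builds that fall between the listed "affected" and "fixed" values, or on a branch with no listed fix, are reported as unknown rather than guessed.

```python
import re

# Build thresholds taken from the advisory text quoted above.
AFFECTED_MAX = {"4.3": 3810, "4.2": 3236, "4.1": 2851, "4.0": 2257}
FIXED_MIN = {"4.3": 3827, "4.2": 3243, "4.0": 2259}  # no fixed 4.1 build is listed

# Accepts "DSM 4.3-3810", "4.2-3240", "DSM 5.0-4493 Update 1", ...
VERSION_RE = re.compile(r"^\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)\b", re.IGNORECASE)


def classify_dsm(version):
    """Return 'affected', 'patched', 'not affected', 'unknown' or 'unparseable'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, build = (int(g) for g in m.groups())
    if major <= 3:
        return "not affected"   # "DSM 3.x or earlier is not affected"
    if major >= 5:
        return "patched"        # the advisory recommends DSM 5.0
    branch = "%d.%d" % (major, minor)
    if build >= FIXED_MIN.get(branch, float("inf")):
        return "patched"
    if build <= AFFECTED_MAX.get(branch, -1):
        return "affected"
    # Build between the listed thresholds, or a branch with no listed fix:
    # the advisory does not say, so do not guess.
    return "unknown"


def triage(inventory):
    """Group host names by status so affected units can be shut down first."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify_dsm(version), []).append(host)
    return report


# Constructed inventory for illustration (host names and the 4.1-2900,
# 4.2-3240, 5.0 and 3.2 build numbers are made up for the example).
SAMPLE_INVENTORY = [
    ("nas-01", "DSM 4.3-3810"), ("nas-02", "DSM 4.3-3827"),
    ("nas-03", "DSM 4.1-2851"), ("nas-04", "DSM 4.1-2900"),
    ("nas-05", "DSM 5.0-4493"), ("nas-06", "DSM 3.2-1955"),
    ("nas-07", "4.2-3240"), ("nas-08", "firmware unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (status, ", ".join(hosts)))
```

Hosts reported as unknown or unparseable need a manual check against the Download Center rather than being treated as safe.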

Senior Advisor

Re: Synology Forum

Here is another excerpt from the Synology forum.

Go to this link

http://forum.synology.com/enu/viewtopic.php?f=108&t=89557

 

SynoLocker GUIDE to decrypt files WITH private key

Post by Ulrik Pedersen » Mon Aug 25, 2014 11:06 pm

I have collected the information from different threads around this forum - and other sites.

I'm not the one to thank - this is just an overview 8)

First download the file http://download.sunnysite.dk/SynoUnlocker.zip containing all the necessary files. (Your browser or antivirus might warn you)

ALWAYS WORK ON A COPY OF YOUR DATA!!!!

Let's assume your encrypted disk holds the letter X:\

1. Run python-2.7.8.msi installer

2. Run pycrypto-2.6.win32-py2.7.exe

3. Copy syno.py to X:\

4. Make a file with your private key (ex. private.key) can be done with notepad

5. Save the private.key file to X:\

6. Start Command Prompt (cmd)

7. Go to X:\

8. Type "python syno.py X:\ private.key" (without "") <<-- Be aware of the space after X:\ !!!

And here you go

----------------------------------------------------------------------------------------------------------------

Re: SynoLocker GUIDE to decrypt files WITH private key

Post by Flanosch » Wed Aug 27, 2014 7:52 pm

Ulrik Pedersen wrote: Maybe you have a permission issue in the documents folder when running the script.

Try to run cmd as administrator - or move the files out of the documents folder.

Btw you don't have to be in the python folder to run python.

YESSSSSSSSSS! It works :D :D :D :D :D
Run CMD as admin and save private.key not as a txt-file

Thank you very very much for your efforts!!

Senior Advisor