First published: 06th August 2014
Ransomware targeting Synology NAS servers has encrypted the personal data of 10,000 patients, but patient care has not been affected.
The case is just one incident among the growing number of Synology DiskStations and RackStations that have been attacked in recent days. The malware, called SynoLocker, gains access to the systems through vulnerabilities, then encrypts the data and displays a ransom message on the administrative interface (DiskStation Manager - DSM):
"All important files on this NAS have been encrypted using strong cryptography"
The message continues with instructions to pay 0.6 bitcoins (about US$350) via an anonymising network for the data to be unlocked.
At the Chinese University Faculty of Medicine, two servers in the Centre for Liver Health and Institute of Digestive Disease at the Prince of Wales Hospital in Sha Tin were affected. The servers contain day-to-day data, research and teaching materials. The servers were immediately disconnected, and the Police are investigating. A Police spokesman revealed that they had received multiple reports from victims of similar attacks since Monday, and IT news sites are reporting cases around the world.
It seems unlikely that the Chinese University was deliberately chosen. The criminals are indiscriminately attacking any Synology device they can find, and the relatively low ransom was probably chosen as a level that many victims would see as a small price for their data.
If you are using a Synology NAS, it is important to protect the administration interface immediately. Check and close ports 5000 and 5001 on your firewall.
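One way to confirm that the two ports are really closed, as an added example that is not part of the original article: run it from a connection outside your own network against the public address of your own NAS. The script name and function names are illustrative, and the `connect` parameter exists only so the logic can be exercised without a network.

```python
import socket
import sys

# DSM administration ports named in the advisory (default HTTP and HTTPS).
DSM_PORTS = (5000, 5001)


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        conn = connect((host, port), timeout=timeout)
    except socket.gaierror:
        raise                 # bad hostname: report it, do not guess a state
    except ConnectionRefusedError:
        return "closed"       # a reset came back: reachable, but no listener
    except OSError:
        return "filtered"     # timeout or unreachable: typical firewall drop
    conn.close()
    return "open"


def dsm_exposure(host, ports=DSM_PORTS, **kwargs):
    """Return {port: state} for the DSM administration ports."""
    return {port: probe(host, port, **kwargs) for port in ports}


def is_exposed(results):
    """True if any administration port accepted a connection."""
    return any(state == "open" for state in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dsm_check.py <public-address-of-your-own-NAS>")
    results = dsm_exposure(sys.argv[1])
    for port, state in results.items():
        print(f"{port}/tcp: {state}")
    # Non-zero exit status when the admin interface is still reachable.
    sys.exit(1 if is_exposed(results) else 0)
```

A result of "filtered" or "closed" on both ports from outside means the administration interface is no longer reachable from the internet; "open" on either means the firewall rule or port forward is still in place.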
If your Synology NAS displays the ransom message, power off the device immediately to avoid more files being encrypted and contact the Police and Synology support. Synology has additional advice on their Facebook page.
If you are using a NAS from another vendor, do not think that you are safe. There has been a trend towards making NAS boxes more capable and it is likely there are vulnerabilities to be exploited. Review your security policies and plan for defence in depth. A device holding sensitive information should not be exposed on the public internet. If remote access is required, then a VPN should be used. Multiple backups in different locations allow recovery of vital data, if the backups have not also been maliciously encrypted.