Synology Issues Official Statement to Address SynoLocker Ransomware

Synology on SynoLocker

Synology has been emailing users about the SynoLocker ransomware, mirroring the statement posted on Synology's website on August 5, 2014.

Dear Synology users,

We would like to inform you that a ransomware called “SynoLocker” is currently affecting some Synology NAS users. This ransomware locks down affected servers, encrypts users’ files, and demands a fee to regain access to the encrypted files.

We have confirmed that the ransomware only affects Synology NAS servers running older versions of DiskStation Manager by exploiting a security vulnerability that was fixed and patched in December, 2013.

Affected users may encounter the following symptoms:

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
  • DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

If you have encountered the above symptoms, please shut down the system immediately and contact our technical support here: https://myds.synology.com/support/support_form.php

If you have not encountered the above symptoms, we strongly recommend downloading and installing DSM 5.0, or any version below:

  • DSM 4.3-3827 or later
  • DSM 4.2-3243 or later
  • DSM 4.0-2259 or later
  • DSM 3.x or earlier is not affected

You can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.

If you notice any strange behavior or suspect your Synology NAS server has been affected by the above issue, please contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We’ll keep you updated with the latest information as we continue to address this issue.

Thank you for your continued patience and support.

Sincerely,
Synology Development Team

As a rule of thumb, Synology users should put their DiskStations behind firewalls and disable port forwarding for now. Make sure the DiskStations are running the latest version of DSM possible. More importantly, back up the content of the DiskStation.

Ransomware, Part 2 – The Java Connection

So, I have successfully removed the ransomware/malware from the infected computer.

Booting the computer into Safe Mode or Safe Mode with Networking still activates the malware, because it changes the Winlogon Shell registry value from “Explorer.exe” to its own file. Instead, boot into “Safe Mode with Command Prompt” and type “regedit.exe” at the command prompt.

In registry editor, go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In this particular case the Shell value had been replaced with:

C:\PROGRA~3\dsgsdgdsgdsgw.bat

[Image: Ransomware Infected Windows Shell]

Delete the entry and replace it with:

Explorer.exe

Reboot the computer into “Safe Mode with Networking” and launch a web browser. Download, install and run the following programs if you haven’t already:

There are also other programs to scan and remove the malware.

Combofix detects that userinit.exe is also infected.

[Image: Ransomware Combofix userinit]

Microsoft Security Essentials also detected the presence of Trojan:JS/Reveton.A on January 11, 2013.
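Rather than reading the Winlogon key by hand in regedit, the two values this malware tampers with (Shell, and the Userinit value Combofix flagged) can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original post; it assumes Windows 7 default values for Shell and Userinit and is written for PowerShell 2.0 so it runs on that platform.

```powershell
# Added example (not from the original post): audit the Winlogon values the
# ransomware tampers with and report anything that is not the Windows default.
# Run from an elevated prompt; from "Safe Mode with Command Prompt" launch it
# with: powershell -ExecutionPolicy Bypass -File .\Check-Winlogon.ps1 [-Repair]
param([switch]$Repair)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed defaults for a Windows 7 install (32- or 64-bit). Userinit keeps its
# trailing comma: Windows treats the value as a comma-separated list.
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

$findings = @()
foreach ($name in $Expected.Keys) {
    $item = Get-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { '<missing>' }
    # Case-insensitive compare; the post's infected value was C:\PROGRA~3\...bat
    $status = if ($current -ieq $Expected[$name]) { 'OK' } else { 'SUSPICIOUS' }
    $findings += New-Object PSObject -Property @{
        Value    = $name
        Current  = $current
        Expected = $Expected[$name]
        Status   = $status
    }
}
$findings | Format-Table Value, Status, Current, Expected -AutoSize

$bad = $findings | Where-Object { $_.Status -eq 'SUSPICIOUS' }
if ($bad -and $Repair) {
    # Save the tampered values for later analysis before overwriting them.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "winlogon-backup-$stamp.txt"
    $bad | Out-File -FilePath $backup
    foreach ($f in $bad) {
        Set-ItemProperty -Path $WinlogonKey -Name $f.Value -Value $f.Expected
        Write-Host "Restored $($f.Value); old value saved to $backup"
    }
}
```

Without -Repair the script only reports; the file the Shell value points at (here a .bat under the ProgramData short name) is what the cleanup tools in the post then need to remove.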

Ransomware through Java

This computer was infected on Friday, January 11, 2013, shortly after news about a Java vulnerability was reported. After further investigation, I found that the infection happened through that Java vulnerability. The infected computer had both Java 6 and 7 installed. Malwarebytes AntiMalware Free detected and removed the malicious Java module. A similar vulnerability was found back in August 2012.

Let’s take a look at the ransomware/malware.

It takes over the Windows user interface (UI) and replaces the Windows shell with a threatening message purporting to be from the United States Department of Justice: “YOUR COMPUTER HAS BEEN LOCKED”

[Image: Ransomware]

The message says that the computer has been locked for one or more violations:

  • Article – 184. Pornography involving children (under 18 years)
  • Article – 171. Copyright
  • Article – 113. The use of unlicensed software

It is pretty much the same language used in other ransomware/malware purporting to be from the FBI, a Police Cybercrime Investigation Department, etc. Some people might fall for this.

[Image: Ransomware 3 violations]

The malware also tries to activate the computer's camera to scare the user. Even though the infected computer doesn't have any camera installed, the malware pretends that it is recording video of the user.

[Image: Ransomware video recording]

The malware demands $300 to be paid in MoneyPak so users can unlock the computer.

[Image: Ransomware MoneyPak]

How convenient that the malware even tells you where to get a MoneyPak.

Anyway, you need to disable Java from your browsers.

If you’re using Mozilla Firefox, follow the instructions here: How to turn off Java applets

If you’re using Google Chrome, go to:

Settings > Privacy > Content Settings > Plug-ins > select “Click to play”

Also go to chrome://plugins/ to manually disable Java if necessary. (type in chrome://plugins/ in the address bar / omnibox)

If you are using Safari, go to:

Preferences > Security > uncheck “Enable Java”

If you are using Internet Explorer, follow the instructions from Sophos.

Ransomware, Part 1

I got a call earlier today from a friend because his computer had been locked by “The United States Department of Justice”. In addition, “The United States Department of Justice” demands that the computer owner pay $300 to unlock the computer and “avoid other legal consequences”.

First and foremost, the United States Department of Justice does not run such an operation.

This is ransomware. It replaces the Windows 7 shell with its own executable file. Booting the computer into plain “Safe Mode” or “Safe Mode with Networking” will still load the malicious executable. Instead, boot into “Safe Mode with Command Prompt” and manually remove the malicious software.

I’ll describe what I did in the next post.

[Image: Ransomware]