
Synology Confirms: No Decryption Help Available for SynoLocker Victims

Further to our earlier story regarding Synology NAS users having their files encrypted through a ransomware exploit known as “SynoLocker”, the company today admitted that they were unable to offer decryption support for affected users.

An update from Synology today reinforced the fact that the security exploit in the company’s DiskStation Manager software was patched in December 2013. While the company recommends users update their NAS devices to the latest version of DSM (or one of a number of earlier releases apparently unaffected by the issue) there is little comfort for users whose files have already been taken hostage by the exploit.

Synology said today, “For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support… However, Synology is unable to decrypt files that have already been encrypted.”

Over the last few months, Synology has released a number of updates to patch security holes in the DiskStation Manager software. In February 2014, the company announced a patch for a serious exploit that could allow users to gain unauthorised access to data remotely. Then, just last week, another update was released to prevent denial of service attacks on Synology NAS devices.

Whether Synology’s software is less secure than other NAS vendors is unknown, however. It may be that the company is simply the first NAS vendor to be attacked with such an exploit at scale. Certainly, you’d like to think that all of the NAS manufacturers are reviewing their code urgently in the light of this development.

If you have concerns about the vulnerability of the data on your NAS, then you may wish to switch off remote access to your device for the time being – or at the very least, ensure you have the latest version of your NAS device’s operating system on board.

Here’s the latest update from Synology in full:


Synology has confirmed the ransomware affects Synology NAS servers running older versions of DiskStation Manager, by exploiting a vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels. Affected users may encounter the following symptoms:

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
  • DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support here: https://myds.synology.com/support/support_form.php. However, Synology is unable to decrypt files that have already been encrypted. For other users who have not encountered the above symptoms, Synology strongly recommend downloading and installing DSM 5.0, or any version below:

  • DSM 4.3-3827 or later
  • DSM 4.2-3243 or later
  • DSM 4.0-2259 or later
  • DSM 3.x or earlier is not affected

Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.

Synology sincerely apologises for any problems or inconvenience this issue has caused our users. As cybercrime proliferates and increasingly sophisticated malware evolves, Synology continues to devote resources to mitigate threats and is dedicated to providing users with reliable solutions. If users notice their DiskStation behaving suspiciously even after being upgraded to the latest DSM version, please contact security@synology.com

For the technical details on how the SynoLocker exploit works, check out this article from F-Secure.
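For anyone auditing more than one DiskStation, the build numbers in Synology's statement above can be turned into a quick classifier. This is an added example, not code from Synology or We Got Served; the inventory hostnames and versions are constructed, and treating every DSM 5.x or later release as patched is an assumption based on the statement's recommendation to install DSM 5.0.

```python
import re

# Thresholds copied from Synology's statement, per DSM branch:
# (highest build listed as affected, lowest build listed as fixed).
# The statement lists no fixed build for the 4.1 branch, hence None.
BRANCHES = {
    (4, 3): (3810, 3827),
    (4, 2): (3236, 3243),
    (4, 1): (2851, None),
    (4, 0): (2257, 2259),
}
VERSION_RE = re.compile(r"^\s*(?:DSM\s+)?(\d+)\.(\d+)(?:-(\d+))?\s*$", re.I)


def classify(version):
    """Classify a 'DSM 4.3-3810' style string against the statement."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor = int(m.group(1)), int(m.group(2))
    build = int(m.group(3)) if m.group(3) else None
    if major <= 3:
        return "not affected"   # "DSM 3.x or earlier is not affected"
    if major >= 5:
        return "patched"        # assumption: 5.0 and later carry the fix
    if (major, minor) not in BRANCHES or build is None:
        return "unlisted"       # branch or build the statement does not cover
    affected_max, fixed_min = BRANCHES[(major, minor)]
    if build <= affected_max:
        return "affected"
    if fixed_min is not None and build >= fixed_min:
        return "patched"
    return "unlisted"           # build falls between the two listed numbers


def audit(inventory):
    """Map each host to its status; anything not 'patched' needs attention."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "nas-office": "DSM 4.3-3810",
    "nas-backup": "DSM 4.2-3243",
    "nas-legacy": "DSM 4.1-2851",
    "nas-media": "DSM 5.0-4493",
}

if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print(f"{host:12} {INVENTORY[host]:14} {status}")
```

A result of "unlisted" means the statement gives no verdict for that build, so it should be treated as needing an update rather than as safe.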

Terry Walsh is the founder of We Got Served. He started the community in February 2007 with a mission to help families, tech enthusiasts everywhere figure out the technology needed to run the modern home and small business. He's the author of a number of guides to Windows, Windows Server and OS X Server and runs his own successful publishing business. Born and raised in Liverpool, England, Terry has been awarded Microsoft's prestigious Most Valuable Professional Award each year since 2008 for his work on We Got Served.
  • BigChaps

    Maybe this new site may help – https://www.decryptcryptolocker.com/

  • SysAdmin

    CryptoLocker != Synolocker, different encryption, different malware.

  • Cimballi

    I guess we have to pay…

  • lwarner4q

    I guess at this point Synology is taking the easy way out… If they knew of this then they should have sent out emails to all registered users and everyone who ever contacted them for support. I don’t think this is much of an effort on their part to help those of us who have been affected. At least reach out to the guys who cracked CryptoLocker and see if they can assist…. just a big sorry, you’re on your own… at least I know who my next NAS will be from..

    • Johan

      At least reach out to the guys who cracked CryptoLocker and see if they can assist…

      It’s no use. CryptoLocker could only be decrypted because the decryption keys were intercepted. Obviously, SynoLocker uses different encryption keys which Fox IT / FireEye don’t have.

      Also, whether it’s your Windows PC or your Synology NAS: if you’re not installing updates you’re almost asking to get hacked. You weren’t expecting Microsoft to help you clean up your hacked computer either, were you?
