Synolocker: Why OFFLINE Backups are important
One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete.
In particular for small businesses, various simple NAS systems have become popular over the recent years. Different manufacturers offer a set of Linux based devices that are essentially "plug and play" and offer high performance RAID protected storage that is easily shared on the network. One of these vendors, Synology, has recently been somewhat in the cross hairs of many attacks we have seen. In particular vulnerabilities int he web based admin interface of the device have led to numerous exploits we have discussed before.
The most recent manifestation of this is "Synolocker", malware that infects Synology disk storage devices and encrypts all files, similar to the original cryptolocker. Submissions to the Synology support forum describe some of the results [1].
The malware will also replace the admin console index web page with a ransom message, notifying the user of the exploit. It appears however that this is done before the encryption finishes. Some users where lucky to notice the message in time and were able to save some files from encryption.
It appears that the best way to deal with this malware if found is to immediatly shut down the system and remove all drives. Then reinstall the latest firmware (may require a sacrificial drive to be inserted into the system) before re-inserting the partially encrypted drives.
To protect your disk station from infection, your best bet is:
- Do not expose it to the internet, in particular the web admin interface on port 5000
- use strong passwords for the admin functions
- keep your system up to date
- keep offline backups. this could be accomplished with a second disk station that is only turned on to receive the backups. Maybe best to have two disk stations from different manufacturers.
It is important to note that while Synology has been hit the hardest with these exploits, other devices from other manufacturers had vulnerabilities as well and the same security advice applies (but typically, they listen on ports other then 5000).
[1] http://forum.synology.com/enu/viewtopic.php?f=3&t=88716
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
I have been running a variant of this system since 2000, and using hot-swap SATA drives since 2007. I have a complete history of every file on evey device for the pat 7 years.
Anonymous
Aug 6th 2014
1 decade ago
Anonymous
Aug 6th 2014
1 decade ago
For SQL servers and Microsoft Exchange mailbox databases it does not.
One day's worth of changes to the database alone is likely about 80 to 100 gigabytes,
and a spare SATA HDD will be used in no time.
To do a recovery, you need a point in time consistent copy of the database file and all the transaction logs between that time consistent point and the time operation ceased before recovery.
Rsync does not provide a "point in time"-consistent copy. It will capture the new version of some files and the old version of other files on the filesystem.
For large enough rapidly changing files, it doesn't even manage to get a clean copy of the file.
Anonymous
Aug 6th 2014
1 decade ago
JH
Anonymous
Aug 6th 2014
1 decade ago